overriding traffic DROP:P'd in /conntrack. when/where to ACCEPT?
2014-08-20 15:05:43 GMT
I use IPSETs in SW for mass access blocking. The blocks are in /conntrack:

    ?FORMAT 3
    NOTRACK  +IPBLACKLIST_IP   -
    NOTRACK  +IPBLACKLIST_NET  -
    DROP:P   +IPPESTS_IP       -
    DROP:P   +IPPESTS_NET      -
    ...

Those blacklists are populated by external feeds. I do not edit/modify individual elements; I simply retrieve the data and load the IPSETs. It works as expected.

I want to punch a specific hole for accessing web content, from my LAN, at a specific IP range that's been blanket-included in the above blacklist. I create hash:ip & hash:ip IPSETs containing the IP range to be whitelisted, and allow the traffic in /rules:

    ...
    ACCEPT  $FW  net:+IPWHITELIST_IP,+IPWHITELIST_NET  tcp
    ACCEPT  lan  net:+IPWHITELIST_IP,+IPWHITELIST_NET  tcp
    ...

This does NOT open the access; it remains blocked. I suspect it's because the DROP:P is in the pre-routing chain, and I'm not ACCEPTing early enough.
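The ordering problem the poster suspects can be checked with a small model of netfilter hook traversal. The following is an added example written for this page; it is not Shorewall or netfilter code and it does not answer which Shorewall directive (if any) places an exemption ahead of a DROP:P entry in the conntrack file, which is a question for the Shorewall documentation. It only shows why an ACCEPT in the filter table (the /rules file) can never rescue a packet that a raw-table PREROUTING DROP (DROP:P in /conntrack) has already discarded: the raw hook runs first and a DROP there is terminal. The set names follow the post; the addresses, the 203.0.113.0/24 "feed" entry and the whitelist members are constructed from the RFC 5737 documentation ranges, and the plain ACCEPT in the modelled filter table stands in for whatever rule would accept the reply packet from the whitelisted host.

```python
"""Toy model of inbound netfilter traversal (raw -> mangle -> nat -> filter).
Constructed example for illustration only; not Shorewall or kernel code."""
import ipaddress

# Simplified inbound hook order. A DROP in any table is terminal; an ACCEPT
# in raw/mangle/nat only ends that table's chain and the packet moves on.
TABLE_ORDER = ("raw", "mangle", "nat", "filter")


class IPSet:
    """Minimal stand-in for an ipset: hash:ip holds hosts, hash:net prefixes."""

    def __init__(self, kind, members):
        if kind not in ("hash:ip", "hash:net"):
            raise ValueError(f"unsupported set type: {kind}")
        self.kind = kind
        self.members = []
        for m in members:
            net = ipaddress.ip_network(m, strict=False)
            if kind == "hash:ip" and net.num_addresses != 1:
                raise ValueError(f"hash:ip cannot hold a prefix: {m}")
            self.members.append(net)

    def __contains__(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.members)


def rule_matches(rule, packet, sets):
    """A rule matches when it has no source set or its set contains the source."""
    src_set = rule.get("src_set")
    return src_set is None or packet["src"] in sets[src_set]


def traverse(packet, tables, sets, filter_policy="DROP"):
    """Walk the tables in hook order; return (verdict, where_decided)."""
    for table in TABLE_ORDER:
        for rule in tables.get(table, []):
            if not rule_matches(rule, packet, sets):
                continue
            target = rule["target"]
            if target == "DROP":
                return "DROP", table          # later tables never see the packet
            if target == "ACCEPT" and table == "filter":
                return "ACCEPT", table        # final accept
            break                             # ACCEPT/NOTRACK in raw etc.: next hook
    return filter_policy, "policy"            # nothing matched: filter policy


# Constructed set contents (RFC 5737 documentation addresses).
SETS = {
    "IPPESTS_NET": IPSet("hash:net", ["203.0.113.0/24"]),      # "feed" blacklist
    "IPWHITELIST_IP": IPSet("hash:ip", ["203.0.113.10"]),      # hole, single host
    "IPWHITELIST_NET": IPSet("hash:net", ["203.0.113.64/26"]), # hole, a prefix
}

# Layout from the post: DROP:P in /conntrack (raw PREROUTING), ACCEPT in /rules (filter).
AS_POSTED = {
    "raw": [{"src_set": "IPPESTS_NET", "target": "DROP"}],
    "filter": [
        {"src_set": "IPWHITELIST_IP", "target": "ACCEPT"},
        {"src_set": "IPWHITELIST_NET", "target": "ACCEPT"},
    ],
}

# Same sets, but the exemption is evaluated in the raw table ahead of the DROP.
EXEMPT_IN_RAW = {
    "raw": [
        {"src_set": "IPWHITELIST_IP", "target": "ACCEPT"},
        {"src_set": "IPWHITELIST_NET", "target": "ACCEPT"},
        {"src_set": "IPPESTS_NET", "target": "DROP"},
    ],
    "filter": AS_POSTED["filter"],
}


def reply_from(src):
    """The reply packet from a remote host, as seen entering PREROUTING."""
    return {"src": src}


if __name__ == "__main__":
    for label, tables in (("as posted", AS_POSTED), ("exempt in raw", EXEMPT_IN_RAW)):
        for src in ("203.0.113.10", "203.0.113.70", "203.0.113.200", "198.51.100.5"):
            print(f"{label:14} {src:15} -> {traverse(reply_from(src), tables, SETS)}")
```

Run as a script it prints the verdict and the deciding table for each source under both layouts; the whitelisted host is dropped in "raw" under the posted layout and accepted in "filter" only when the exemption precedes the DROP in the raw table, while the rest of the blacklisted range stays dropped either way.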