How to do a forward-only filter
Hello
I set up a router between two networks (with two interfaces) using awall.
"zone": {
"WAN": { "iface": "eth0" },
"LAN": { "iface": "eth1" }
}
I'm using a dnat rule (NOT the dnat attribute of a filter rule) because I need both IPv4 and IPv6.
Let's say I want to destination NAT the SSH port:
"dnat": [
{
"in": "WAN",
"service": "ssh",
"to-addr": "some.hostname.tld.",
"family": [ "inet", "inet6" ]
}
]
This will create a PREROUTING rule:
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination A.B.C.D
However, as the traffic is leaving the host I need a FORWARD rule, but of course if I put in this filter
"filter": [
{
"in": "WAN",
"service": "ssh",
"action": "accept"
}
]
or this filter
"filter": [
{
"out": "LAN",
"service": "ssh",
"action": "accept"
}
]
this will create an additional
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
or
-A OUTPUT -o eth1 -p tcp -m tcp --dport 22 -j ACCEPT
and these rules are irrelevant in my case (DNATed requests from WAN to another host are handled by neither INPUT nor OUTPUT).
Am I missing something? Is there a way to write a forward rule? I don't want to handle this with a global policy.
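The configuration the question is reaching for, as an added example (not code from the original post or from the awall project). In awall a filter rule that names only an "in" zone matches packets addressed to the firewall host itself (INPUT), one that names only an "out" zone matches packets originating from the firewall (OUTPUT), and one that names both zones matches routed traffic (FORWARD). The zones, the dnat rule and the hostname are taken from the post; the "description" text and the optional "dest" restriction, which limits the accept rule to the DNAT target rather than the whole LAN, are this example's assumptions:

```json
{
  "description": "Forward SSH from WAN to one LAN host (added example, not from the post)",
  "zone": {
    "WAN": { "iface": "eth0" },
    "LAN": { "iface": "eth1" }
  },
  "dnat": [
    {
      "in": "WAN",
      "service": "ssh",
      "to-addr": "some.hostname.tld.",
      "family": [ "inet", "inet6" ]
    }
  ],
  "filter": [
    {
      "in": "WAN",
      "out": "LAN",
      "service": "ssh",
      "dest": "some.hostname.tld.",
      "action": "accept"
    }
  ]
}
```

Because both "in" and "out" are set, awall emits this accept into the FORWARD path (matching -i eth0 -o eth1 and TCP port 22) instead of INPUT or OUTPUT, so no change to the global policy is needed. The "dest" attribute is optional; without it any LAN host would be reachable on port 22 from WAN once a DNAT rule pointed there, so keeping it is the least-privilege choice. To check the generated rules before applying them, run `awall translate -o /some/dir` and inspect the iptables and ip6tables output files in that directory for the FORWARD rule, then `awall activate`.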