On 04.10.19 at 11:45, Jags wrote:
> @zrm thank you so much for the reply.
>
>
> (1) Would it be something like this:
>
> :::::
> chain output {
> type filter hook output priority 0; policy accept;
>
> ip daddr 123.0.0.0/8 ct state established,related,new,invalid,untracked counter reject
> }
> :::::
>
> Because just last night I tried that, but I could still see IPs from the blocked range. Or am I missing something here?
>
> Note: In this OUTPUT chain, if I change "policy accept" to "policy drop", I lose the internet completely.
>
>
> (2) In addition to the OUTPUT chain, I've added this into the INPUT chain too:
>
> :::::
> chain input {
> type filter hook input priority 0; policy drop;
>
> ip saddr 123.0.0.0/8 ct state established,related,new,invalid,untracked counter drop
> }
> :::::
>
>
> So how should I modify either or both of the above please... many thanks

It's the same as with iptables: "established,related" allows responses, and so when your client made a connection to a peer, data from this peer is allowed back.

Order matters, and there is no point in changing the outbound policy to DROP. The policy is applied after all rules, and the first matching action wins, everywhere.
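As an added illustration of the ordering point (not part of the thread, and not the poster's actual ruleset, which is only partially shown), the following ruleset places the address block rule ahead of a generic conntrack accept rule so that the reject is evaluated first; the table name `filter` and the `inet` family are assumptions, and 123.0.0.0/8 is the range from the thread:

```nftables
# Added example: the block rule comes before the "established,related" accept,
# so outbound packets to 123.0.0.0/8 hit the reject before any accept can win.
table inet filter {
    chain output {
        type filter hook output priority 0; policy accept;

        # Matches every packet to the range regardless of conntrack state.
        # (Listing all five ct states, as in the thread, is equivalent to no
        # ct state match at all, so the state list can simply be dropped.)
        ip daddr 123.0.0.0/8 counter reject

        # If this rule were placed above the reject, return traffic of an
        # already-established flow to 123.0.0.0/8 would be accepted here and
        # the reject rule would never be reached: first match wins.
        ct state established,related accept
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Same ordering on the inbound side: block first, then allow replies.
        ip saddr 123.0.0.0/8 counter drop
        ct state established,related accept
        iif lo accept
    }
}
```

Check the syntax without loading it with `nft -c -f <file>`, load it with `nft -f <file>`, and confirm the reject/drop counters increase with `nft list ruleset` when traffic to or from the range is attempted.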