Should I modify it to the following:

:::
chain output {
    type filter hook output priority 0; policy accept;
    ip daddr 123.0.0.0/8 counter reject
}
:::

and

:::
chain input {
    type filter hook input priority 0; policy drop;
    ip saddr 123.0.0.0/8 counter drop
}
:::

Many thanks.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, October 4, 2019 10:18 AM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:

> On 04.10.19 at 11:45, Jags wrote:
>
> > @zrm thank you so much for the reply.
> > (1) Would it be something like this:
> > :::::
> > chain output {
> > type filter hook output priority 0; policy accept;
> >
> > ip daddr 123.0.0.0/8 ct state established,related,new,invalid,untracked counter reject
> > }
> >
> >
> > :::::
> > Because just last night I tried that, but I could still see IPs from the blocked range. Or am I missing something here?
> > Note: In this OUTPUT chain, if I change "policy accept" to "policy drop", I lose the internet completely.
> > (2) In addition to the OUTPUT chain, I've added this into the INPUT chain too:
> > :::::
> > chain input {
> > type filter hook input priority 0; policy drop;
> >
> > ip saddr 123.0.0.0/8 ct state established,related,new,invalid,untracked counter drop
> > }
> >
> >
> > :::::
> > So how should I modify either or both of the above please... many thanks
>
> it's the same as with iptables
>
> "established,related" allows responses and so when your client made a
> connection to a peer data from this peer is allowed back
>
> order matters and there is no point to change the outbound policy to DROP
>
> the policy is applied after all rules and the first matching action
> wins, everywhere
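The ordering point in the reply above, shown as a complete ruleset. This is an added example, not a ruleset posted by anyone in the thread; it assumes a single host with the usual stateful filter (loopback accept, `ct state established,related accept`) and only borrows the 123.0.0.0/8 range from the discussion. The block rules are placed before the generic `established,related` accept in both chains, because with first-match evaluation a block rule placed after it never sees reply packets that the conntrack rule has already accepted. The output policy stays `accept`, as the reply recommends.

```nft
# Added example ruleset (not from the thread). Assumes a plain host with a
# stateful filter; 123.0.0.0/8 is the range being discussed.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Block rule first: evaluated before the generic
        # established,related accept, so even packets that belong to an
        # existing conntrack entry from this range are dropped here.
        ip saddr 123.0.0.0/8 counter drop

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # rules for services this host exposes go here, e.g.
        # tcp dport 22 accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Also before the established,related rule. The policy stays
        # accept so ordinary outbound traffic keeps working; only this
        # destination range is rejected.
        ip daddr 123.0.0.0/8 counter reject

        oif lo accept
        ct state established,related accept
    }
}
```

Check the file with `nft -c -f ruleset.nft` before loading it with `nft -f ruleset.nft` (the `flush ruleset` line replaces whatever is currently loaded, so keep any other rules you need in the same file). Afterwards `nft list ruleset` prints the packet and byte counts next to each `counter`; if traffic from the range is still visible while the block rule's counter stays at zero, some rule above it is matching first. A `ct state` match on the block rule itself is unnecessary: listing every state is the same as matching all packets, and leaving it off keeps the rule simpler.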