I need some help understanding the proper way to do conntrack bidirectionally in a secure way. Could someone help validate my understanding and indicate if the below ruleset and approach is correct? My goal is to allow incoming connections to tcp/80 (input hook) and all response traffic (output hook) without blindly allowing more ports than intended for this one service running on tcp/80.

    table ip legacy {
        chain root_out {
            type filter hook output priority filter; policy drop;
            tcp sport 80 ct state established,related accept
        }
        chain root_in {
            type filter hook input priority filter; policy drop;
            tcp dport 80 accept
        }
    }

I have seen other firewall examples where the input chain just blindly allows all reply packets via 'ct state established,related accept', like so:

    chain root_in {
        type filter hook input priority filter; policy drop;
        ct state established,related tcp dport 80 accept
    }

I am not sure if my first example is correct and secure; should 'ct state established,related accept' always be in the input hook for response packets, or does it only need to be in the output hook? Thanks in advance.
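As an added example (not the original poster's ruleset): a stateful version of the same table that still opens only tcp/80 but consults conntrack on both hooks, so that the port match is only ever applied to the first packet of a flow and everything after that is admitted or dropped by tracked state. The table and chain names are taken from the question; the loopback rules and the related-ICMP rule are assumptions about what a typical host needs and are commented as such.

```nft
#!/usr/sbin/nft -f
# Added example, not the question's ruleset. Table/chain names follow the
# question; the loopback and related-ICMP rules are assumptions about the
# host and can be removed if not wanted.
flush ruleset

table ip legacy {
    chain root_in {
        type filter hook input priority filter; policy drop;

        # Assumption: local services talk over loopback; drop this pair if not.
        iif "lo" accept

        # Segments conntrack cannot tie to a flow (bad flag combinations,
        # out-of-window data) are dropped before any port match is consulted.
        ct state invalid drop

        # Only the first packet of a flow is judged by port. Accepting it is
        # what creates the conntrack entry that later rules rely on.
        tcp dport 80 ct state new accept

        # Later client segments of that flow (ACKs, request data, FIN) are
        # matched by state, still restricted to the one service port.
        tcp dport 80 ct state established accept

        # Assumption: ICMP errors about an existing tcp/80 flow (for example
        # fragmentation-needed from a router) are classified 'related'; they
        # are not TCP, so the 'tcp dport 80' rules above would never match them.
        meta l4proto icmp ct state related accept
    }

    chain root_out {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        ct state invalid drop

        # Server replies: the flow was created by the SYN that passed root_in,
        # so the SYN-ACK and every later reply segment is 'established' here.
        # There is deliberately no 'ct state new' rule in this chain, so the
        # host cannot open outbound connections from any port, 80 included.
        tcp sport 80 ct state established accept
    }
}
```

Validate the file without loading it with `nft -c -f rules.nft`, then apply it with `nft -f rules.nft` and confirm with `nft list ruleset`. The reason the output chain needs only an `established` rule is that conntrack creates the flow entry when the accepted SYN traverses root_in; the reply direction is then already a tracked flow, so no `new` rule is required on output. The flip side is the caveat to keep in mind: with `policy drop` on output and no `new` rule, the host itself cannot resolve DNS, fetch updates or make any other outbound connection, which is exactly the restriction the question is asking for but is easy to forget when the box later needs to reach something.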