I recently learned about IPTables and IP routing in order to configure a single-board computer to isolate a particular machine from the rest of my network, while still permitting it to access the internet, among a few other rules.
I decided to use this new knowledge to enhance the security of my embedded media devices (and maybe prevent them from displaying ads and reporting telemetry). I had an old ASUS router with Merlin firmware in the closet, so I set that up and got SSH working.
Unlike my previous SBC-based firewall, which had a fresh install of Ubuntu and a blank slate in iptables, the ASUS router comes with several rules defined out of the box, and the FORWARD table has me a bit confused:
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate DNAT
ACCEPT     all  --  anywhere             anywhere
From my understanding, this would prevent the router from working as it does. If the TV wanted to initiate a request to Netflix, for example, the router should see that the packet came from NIC #2 and is destined for the WAN NIC - not for any internal process - and therefore should be put through the FORWARD table. The first rule shouldn't apply because the packet is new - there haven't been any replies yet to give it RELATED or ESTABLISHED status. The next rule... should drop it. So the packet doesn't reach Netflix and nothing happens.
In fact, it seems to me that this should prevent anything and everything that isn't a direct communication with the router itself (e.g. the admin interface). But that certainly isn't the case, as the attached devices are accessing the internet without issue. So, clearly there is something I'm missing. Do ASUS routers not use the FORWARD table? Or are the rules not evaluated top-to-bottom? Why doesn't the above FORWARD table prevent my router from functioning properly as a switch?
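The chain really is walked top to bottom with the first matching rule deciding the verdict; what the listing above does not show is which matches each rule carries beyond the state column, because `iptables -L` without `-v` omits the in/out interface columns, so an "all -- anywhere anywhere" rule may still be restricted to particular interfaces. The simulator below is an added illustration, not code from the question or from the ASUS/Merlin firmware: it parses rule-specs in `iptables -S` syntax, walks a FORWARD chain with first-match semantics and a DROP policy, and renders each rule the way the short listing does. The six rule-specs are constructed so that they print exactly like the listing in the question; the interface names br0 (LAN bridge), eth0 (WAN) and wl0.1 (a hypothetical guest interface) are assumptions, not the router's actual rules.

```python
"""Toy first-match simulator for an iptables FORWARD chain (added example).

The rule-specs are CONSTRUCTED to print like the abbreviated listing in the
question once interface matches are hidden; br0/eth0/wl0.1 are assumed names.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    in_if: str          # interface the packet arrived on
    out_if: str         # interface the routing decision chose for it
    state: str          # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    dnat: bool = False  # destination was rewritten in nat/PREROUTING (ctstate DNAT)


@dataclass
class Rule:
    target: str = ""
    in_if: Optional[str] = None
    in_if_neg: bool = False         # set by "! -i"
    out_if: Optional[str] = None
    out_if_neg: bool = False        # set by "! -o"
    states: Optional[Tuple[str, ...]] = None
    dnat: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        """All matches in a rule must hold for the rule to fire."""
        if self.in_if is not None and (p.in_if == self.in_if) == self.in_if_neg:
            return False
        if self.out_if is not None and (p.out_if == self.out_if) == self.out_if_neg:
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.dnat is not None and p.dnat != self.dnat:
            return False
        return True

    def list_short(self) -> str:
        """Render the rule as `iptables -L` (no -v) prints it: interface
        matches are not shown at all, so "-i"/"-o" restrictions vanish."""
        line = f"{self.target} all -- anywhere anywhere"
        if self.states:
            line += " state " + ",".join(self.states)
        if self.dnat:
            line += " ctstate DNAT"
        return line


def parse_rule(spec: str) -> Rule:
    """Parse one `iptables -S` style rule-spec (only the matches used here)."""
    toks = spec.split()
    rule, neg, i = Rule(), False, 0
    while i < len(toks):
        t = toks[i]
        if t == "!":                 # negation applies to the next match
            neg, i = True, i + 1
            continue
        arg = toks[i + 1]
        if t == "-i":
            rule.in_if, rule.in_if_neg = arg, neg
        elif t == "-o":
            rule.out_if, rule.out_if_neg = arg, neg
        elif t in ("--state", "--ctstate"):
            vals = arg.split(",")
            if "DNAT" in vals:       # DNAT is a conntrack status, not a state
                rule.dnat = True
                vals.remove("DNAT")
            if vals:
                rule.states = tuple(vals)
        elif t == "-j":
            rule.target = arg
        # "-A FORWARD", "-m state" and "-m conntrack" carry no match data here
        neg, i = False, i + 2
    return rule


def evaluate(chain: List[Rule], policy: str, pkt: Packet):
    """Walk the chain top to bottom; the first matching rule's target is the
    verdict, otherwise the chain policy applies. Returns (verdict, rule_no)."""
    for n, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, n
    return policy, None


# Constructed chain: prints exactly like the question's listing under -L.
FORWARD_SPECS = [
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A FORWARD ! -i br0 -o eth0 -j DROP",              # non-LAN sources may not exit via WAN
    "-A FORWARD -m state --state INVALID -j DROP",
    "-A FORWARD -i br0 -o br0 -j ACCEPT",               # LAN to LAN across the bridge
    "-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT",  # port-forwarded connections
    "-A FORWARD -i br0 -o eth0 -j ACCEPT",              # LAN to internet
]
FORWARD = [parse_rule(s) for s in FORWARD_SPECS]
POLICY = "DROP"


def verdict(in_if: str, out_if: str, state: str, dnat: bool = False):
    return evaluate(FORWARD, POLICY, Packet(in_if, out_if, state, dnat))


if __name__ == "__main__":
    print("What `iptables -L FORWARD` would show for this chain:")
    for r in FORWARD:
        print("  ", r.list_short())
    print("TV -> Netflix, first packet:    ", verdict("br0", "eth0", "NEW"))
    print("Unsolicited WAN -> LAN:         ", verdict("eth0", "br0", "NEW"))
    print("Port-forwarded WAN -> LAN:      ", verdict("eth0", "br0", "NEW", dnat=True))
    print("Guest interface -> WAN:         ", verdict("wl0.1", "eth0", "NEW"))
```

In this constructed chain the TV's first packet skips the second rule only because that rule's `! -i br0` does not match traffic arriving from the LAN bridge, and lands on rule 6; unsolicited traffic from the WAN matches nothing and falls through to the DROP policy. The practical check on a real box is `iptables -vnL FORWARD --line-numbers` (or `iptables -S FORWARD`), which shows the interface columns that the short listing leaves out.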