Make traffic go one-way by using iptables

2

I have a network topology:

[C1] - [R1] - [R2] - [C2]

C1-R1 network is 192.168.100.0/24
R1-R2 network is 10.9.8.0/30
R2-C2 network is 192.168.200.0/24

What I need to do is to make C2 be able to connect with C1 by applying some iptables rules to R2. At the same time I don't want C1 to connect to C2. I tried coining some FORWARD chain rules but I just can't get it working.

Is there a simple way to get it working?


Here is what iptables -L -v says:

Chain INPUT (policy DROP 5 packets, 372 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy DROP 4 packets, 240 bytes)
pkts bytes target prot opt in out source destination

5 420 REJECT all -- any enp0s3 anywhere anywhere state NEW reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP 5 packets, 560 bytes)
pkts bytes target prot opt in out source destination

Александр Гаращенко

Posted 2015-04-25T16:01:06.860

Reputation: 23

3

When you say C1 needs to "connect" to C2, what do you mean exactly? Are you going to be using a protocol like TCP or UDP? TCP inherently needs to be able to send return traffic. – heavyd – 2015-04-25T16:16:09.833

All of your chains have policy DROP, therefore no packets are ever forwarded. You can either change the policies to ACCEPT or add allow rules. – user49740 – 2015-04-25T16:48:16.943

Answers

1

Try the state or the conntrack module.

iptables -A FORWARD -o $IFACE -m state --state NEW -j REJECT

where $IFACE is the interface on R2 that connects it to C2.

This way, packets from C1 that would establish a new connection are rejected. Packets from C2 to C1 are unaffected by this rule.

EDIT: Since your FORWARD chain has policy DROP, you will also need rules that allow packets going in the opposite direction, such as:

iptables -A FORWARD -i $IFACE -j ACCEPT
iptables -A FORWARD -o $IFACE -m state ! --state NEW -j ACCEPT

user49740

Posted 2015-04-25T16:01:06.860

Reputation: 2 850

Hmm, I tried this one and I can't telnet C1 from C2. I can't even telnet R2 from C2. – Александр Гаращенко – 2015-04-25T16:26:06.943

Do you have any other rules? Adding the output of iptables -L -v to your question might help. – user49740 – 2015-04-25T16:27:40.977

I have no other rules. The question is updated with the output of iptables -L -v. – Александр Гаращенко – 2015-04-25T16:37:47.203
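As an added example (not part of the answer or the comments above), here is a complete FORWARD chain for R2 that does what the answer describes with the conntrack module: connections may be initiated from the C2 side only, and reply traffic is allowed in both directions. The interface names are assumptions, not given on the page: enp0s3 is taken to face C2 (consistent with the `-o enp0s3 ... REJECT` rule in the question's output) and enp0s8 to face R1. The script prints the rules so they can be reviewed before running them, and includes a small pure-shell model of the chain walk so the policy can be checked for each packet direction and conntrack state without touching a live box.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumed interface names on R2 (placeholders, not stated in the question):
C2_IF=enp0s3   # interface toward C2 (192.168.200.0/24)
R1_IF=enp0s8   # interface toward R1 (10.9.8.0/30)

# Print the iptables commands for the FORWARD chain. Review with
#   sh this_script.sh
# and apply on R2 with
#   forward_rules | sudo sh
# Forwarding itself must be enabled too: sysctl -w net.ipv4.ip_forward=1
forward_rules() {
    cat <<EOF
iptables -F FORWARD
iptables -P FORWARD DROP
# 1. Packets belonging to an already-tracked connection pass in both
#    directions; this carries C1's replies back to C2.
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 2. New connections may be opened only from the C2 side toward R1/C1.
iptables -A FORWARD -i $C2_IF -o $R1_IF -m conntrack --ctstate NEW -j ACCEPT
# 3. New connections from the R1 side toward C2 get an immediate ICMP error
#    instead of a silent timeout (the DROP policy would also block them).
iptables -A FORWARD -i $R1_IF -o $C2_IF -m conntrack --ctstate NEW -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Offline model of how the kernel walks the chain above: the same three
# rules in the same order, falling through to the DROP policy.
# Usage: forward_verdict <in-iface> <out-iface> <NEW|ESTABLISHED|RELATED|INVALID>
forward_verdict() {
    in_if=$1; out_if=$2; state=$3
    case "$state" in
        ESTABLISHED|RELATED) echo ACCEPT; return ;;   # rule 1
    esac
    if [ "$state" = NEW ] && [ "$in_if" = "$C2_IF" ] && [ "$out_if" = "$R1_IF" ]; then
        echo ACCEPT; return                          # rule 2
    fi
    if [ "$state" = NEW ] && [ "$in_if" = "$R1_IF" ] && [ "$out_if" = "$C2_IF" ]; then
        echo REJECT; return                          # rule 3
    fi
    echo DROP                                        # chain policy
}

# Walk the packets of a TCP handshake in each direction (constructed sample).
demo() {
    echo "C2 -> C1 SYN (NEW):              $(forward_verdict "$C2_IF" "$R1_IF" NEW)"
    echo "C1 -> C2 SYN/ACK (ESTABLISHED):  $(forward_verdict "$R1_IF" "$C2_IF" ESTABLISHED)"
    echo "C1 -> C2 SYN (NEW):              $(forward_verdict "$R1_IF" "$C2_IF" NEW)"
    echo "C1 -> C2 stray ACK (INVALID):    $(forward_verdict "$R1_IF" "$C2_IF" INVALID)"
}

demo
```

Note that this only covers traffic passing through R2. The question's INPUT and OUTPUT chains also have policy DROP with no rules, which is why connections to R2 itself (rather than through it) fail as well; those chains need their own accept rules if R2 should be reachable.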