Linux network configuration and firewall configuration example

The network topology is as follows: Hosta/B/C is in the same LAN:
Hosta:
Eth0: 192.168.0.2
----------------------
Hostb:
Eth0: 192.168.0.1
Eth1: 10.0.0.1
----------------------
Hostc:
Eth0: 192.168.0.3
Eth1: 10.0.0.3
----------------------
Hosta-route
10.0.0.0/24 (-Net) 192.168.0.1 (GW)
---------------------
Hostb-iptables
Forward (drop)
-A forward-D 10.0.0.3-J accept
---------------------
Ping 10.0.0.3 on Hosta is successful, which indicates that the hostb rule does not work? Or is there a problem with iptables? Actually, no. The data can be returned from 10.0.0.1 or hostb, but the response does not have to be returned in the original way. What's more, the three machines are inserted in a switch, so after the data arrives at hostc, in response, the route is searched based on the eth0 of the source address Hosta and found to be in the same network as yourself. Therefore, the route is directly sent out of eth0 instead of the original route. Therefore, ping the route, to make things more messy, you only need to configure a nat on hostb:
-A postrouting-O eth1-J Masquerade
In this way, the data cannot be returned without returning the original data. The Ping will fail, but the following rule will be followed:
-A input-M state -- State established-J accept
The above network topology is very bad. configuring different subnets in a shared-bandwidth local area network may cause many hidden problems. It is very difficult to query and you need to be very proficient in the network, therefore, it is best not to configure this configuration.
The established status connection is a two-way data connection, which is used to facilitate firewall configuration. Because the filter table in Linux iptables is based on packets rather than connections, if you only allow data to pass in one direction, the response data of the connection to which the data packet belongs will be blocked in the firewall, therefore, you need to configure a policy that is allowed in the opposite direction. As a result, the entire filter table will be doubled. You only need to configure the following policy:
-A input-M state -- State established-J accept
The principle is that the State is based on ip_conntrack, while conntrack takes effect before the filter table policy, and conntrack sets the connection status of the data packet to established as long as it sees the response packet, so that the above configuration takes effect. In short, the above configuration requires that the first forward data packet can pass through the firewall, and then the data packets in both directions will naturally pass.