iptables - Allow only incoming SSH from WAN and block outgoing traffic from LAN

I am trying to allow incoming SSH connections from the WAN to a LAN IP on a router but block outgoing traffic from the LAN to the WAN. I leave port 80 open on the router for web admin access from the LAN.

The following allows incoming SSH connections from the WAN to the LAN on a router and leaves port 80 open on the router for web admin access from the LAN.

br0 is LAN

vlan1 is WAN

192.168.2.33 is the LAN IP with port 22 open

port 2222 is the SSH port forwarded from the WAN

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t filter -A INPUT -i br0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -t nat -I PREROUTING -p tcp --dport 2222 -j DNAT --to 192.168.2.33:22
iptables -I FORWARD -p tcp -d 192.168.2.33 --dport 22 -j ACCEPT
iptables -A INPUT -j DROP

From WAN

ssh user@routerip -p 2222 works

But when I try to block outgoing traffic with the following

iptables -A FORWARD -i br0 -o vlan1 -j DROP

SSH access from the WAN fails.

What is wrong? How do you block outgoing traffic in that case?

Also, how do I prevent forwarding from the WAN through the router but allow incoming SSH to the LAN from the WAN? My WAN is behind another router.


Solution 1:

According to the rules you have posted in your question, the FORWARD chain will have the following rules:

-A FORWARD -p tcp -d 192.168.2.33 --dport 22 -j ACCEPT
-A FORWARD -i br0 -o vlan1 -j DROP

You are actually allowing traffic destined to IP 192.168.2.33 port 22, and you are denying the reply traffic from the LAN (-i br0) interface to the WAN (-o vlan1). To solve this, you need to allow replies using a rule like:

iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

For the last point in your question, I did not fully understand your point.
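To make the answer's point concrete, here is an added example (not code from the question or the answer) that simulates first-match traversal of the FORWARD chain for the three packets that matter: the DNATed SSH SYN arriving from the WAN, the reply leaving 192.168.2.33, and a new connection originated on the LAN. The WAN client 203.0.113.5 and the LAN-to-WAN destination 198.51.100.7 are constructed documentation-range addresses; only the match types used in the posted rules are modelled.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    in_if: str    # interface the packet arrived on
    out_if: str   # interface it would be routed out of
    proto: str
    dst: str
    dport: int
    state: str    # conntrack state: NEW, ESTABLISHED or RELATED


def matches(rule, pkt):
    """A rule key set to None (or absent) matches anything, like an omitted iptables option."""
    for key in ("in_if", "out_if", "proto", "dst", "dport"):
        want = rule.get(key)
        if want is not None and getattr(pkt, key) != want:
            return False
    states = rule.get("states")  # models `-m state --state ...`
    return states is None or pkt.state in states


def walk_chain(chain, pkt, policy="ACCEPT"):
    """First matching rule decides the verdict; fall through to the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return policy


# FORWARD chain exactly as the question builds it (`-I` then `-A`), policy ACCEPT.
ORIGINAL_FORWARD = [
    {"proto": "tcp", "dst": "192.168.2.33", "dport": 22, "target": "ACCEPT"},
    {"in_if": "br0", "out_if": "vlan1", "target": "DROP"},
]
# The answer's `-I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT` inserts at the top.
FIXED_FORWARD = [{"states": {"RELATED", "ESTABLISHED"}, "target": "ACCEPT"}] + ORIGINAL_FORWARD

# Constructed packets. The SYN is seen by FORWARD after PREROUTING DNAT, so dst is already .33:22.
SSH_SYN = Packet("vlan1", "br0", "tcp", "192.168.2.33", 22, "NEW")
SSH_REPLY = Packet("br0", "vlan1", "tcp", "203.0.113.5", 40000, "ESTABLISHED")
LAN_NEW = Packet("br0", "vlan1", "tcp", "198.51.100.7", 443, "NEW")


def verdicts(chain):
    """Verdict per packet: the reply is DROPped by the original chain, ACCEPTed by the fixed one,
    while a new LAN-originated connection stays DROPped in both."""
    return {name: walk_chain(chain, p)
            for name, p in (("ssh_syn", SSH_SYN), ("ssh_reply", SSH_REPLY), ("lan_new", LAN_NEW))}
```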