2

I have a network topology:

[C1] - [R1] - [R2] - [C2]

C1-R1 network is 192.168.100.0/24
R1-R2 network is 10.9.8.0/30
R2-C2 network is 192.168.200.0/24

What I need to do is to make C2 be able to connect with C1 by applying some iptables rules to R2. At the same time I don't want C1 to connect to C2. I tried coining some FORWARD chain rules but I just can't get it working.

Is there a simple way to get it working?


Here is what iptables -L -v says:

Chain INPUT (policy DROP 5 packets, 372 bytes)
 pkts bytes target  prot opt in   out     source    destination

Chain FORWARD (policy DROP 4 packets, 240 bytes)
 pkts bytes target  prot opt in   out     source    destination
    5   420 REJECT  all  --  any  enp0s3  anywhere  anywhere     state NEW reject-with icmp-port-unreachable

Chain OUTPUT (policy DROP 5 packets, 560 bytes)
 pkts bytes target  prot opt in   out     source    destination

  • 3
    When you say C1 needs to "connect" to C2, what do you mean exactly? Are you going to be using a protocol like TCP or UDP? TCP inherently needs to be able to send return traffic.
    – heavyd
    Commented Apr 25, 2015 at 16:16
  • All of your chains have policy DROP, therefore no packets are ever forwarded. You can either change the policies to ACCEPT or add allow rules.
    – user49740
    Commented Apr 25, 2015 at 16:48

1 Answer

2

Try the state or the conntrack module.

iptables -A FORWARD -o $IFACE -m state --state NEW -j REJECT

where $IFACE is the interface on R2 that connects it to C2.

This way, packets from C1 that would establish a new connection are rejected. Packets from C2 to C1 are unaffected by this rule.

EDIT: Since your FORWARD chain has policy DROP, you will also need rules that allow packets going in the opposite direction, such as:

iptables -A FORWARD -i $IFACE -j ACCEPT
iptables -A FORWARD -o $IFACE -m state ! --state NEW -j ACCEPT
3
  • Hmm, I tried this one and I can't telnet C1 from C2. I can't even telnet R2 from C2. Commented Apr 25, 2015 at 16:26
  • Do you have any other rules? Adding the output of iptables -L -v to your question might help.
    – user49740
    Commented Apr 25, 2015 at 16:27
  • I have no other rules. The question is updated with the output of iptables -L -v. Commented Apr 25, 2015 at 16:37
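To make the difference between the answer's first rule on its own and the full rule set in the EDIT concrete, here is a small model of the FORWARD chain (first-match rule evaluation, a DROP policy, and a conntrack table that only confirms a flow once the packet is accepted). This is an added example, not code from the thread. The interface name enp0s3 is taken from the question's iptables output and assumed to be R2's C2-facing interface; enp0s8 and the two host addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

IFACE_C2 = "enp0s3"  # from the question's iptables -L output; assumed to face C2
IFACE_R1 = "enp0s8"  # assumed name for R2's link towards R1 (not on the page)

C1, C2 = "192.168.100.10", "192.168.200.10"  # constructed host addresses


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    in_if: str
    out_if: str

    def flow(self) -> frozenset:
        """Direction-independent key, so a reply maps to the same connection."""
        return frozenset([(self.src, self.sport), (self.dst, self.dport)])


@dataclass(frozen=True)
class Rule:
    """One FORWARD rule: -i / -o match plus an optional -m state match."""
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    state: Optional[str] = None  # "NEW" for --state NEW, "!NEW" for ! --state NEW

    def matches(self, pkt: Packet, ct_state: str) -> bool:
        if self.in_if is not None and pkt.in_if != self.in_if:
            return False
        if self.out_if is not None and pkt.out_if != self.out_if:
            return False
        if self.state == "NEW" and ct_state != "NEW":
            return False
        if self.state == "!NEW" and ct_state == "NEW":
            return False
        return True


class ForwardChain:
    def __init__(self, rules: List[Rule], policy: str = "DROP"):
        self.rules = rules
        self.policy = policy
        self.conntrack = set()  # confirmed flows (entries for dropped packets are never confirmed)

    def verdict(self, pkt: Packet) -> str:
        ct_state = "ESTABLISHED" if pkt.flow() in self.conntrack else "NEW"
        result = self.policy  # chain policy applies when no rule matches
        for rule in self.rules:
            if rule.matches(pkt, ct_state):
                result = rule.target
                break
        if result == "ACCEPT":
            self.conntrack.add(pkt.flow())
        return result


def run(chain: ForwardChain, packets: List[Packet]) -> List[str]:
    return [chain.verdict(p) for p in packets]


# The answer's original rule and the two rules from its EDIT.
REJECT_NEW_TO_C2 = Rule("REJECT", out_if=IFACE_C2, state="NEW")
EDIT_RULES = [
    Rule("ACCEPT", in_if=IFACE_C2),
    Rule("ACCEPT", out_if=IFACE_C2, state="!NEW"),
]

# Constructed traffic: C2 opens telnet to C1, C1 replies, then C1 tries to open telnet to C2.
c2_syn = Packet(C2, C1, 40000, 23, IFACE_C2, IFACE_R1)
c1_synack = Packet(C1, C2, 23, 40000, IFACE_R1, IFACE_C2)
c1_syn = Packet(C1, C2, 50000, 23, IFACE_R1, IFACE_C2)
TRAFFIC = [c2_syn, c1_synack, c1_syn]


def with_first_rule_only() -> List[str]:
    """Only the REJECT rule with policy DROP: nothing gets through, as in the comment."""
    return run(ForwardChain([REJECT_NEW_TO_C2]), TRAFFIC)


def with_edit_rules() -> List[str]:
    """REJECT rule plus the EDIT's ACCEPT rules: C2->C1 works, C1 cannot initiate."""
    return run(ForwardChain([REJECT_NEW_TO_C2] + EDIT_RULES), TRAFFIC)


if __name__ == "__main__":
    print("first rule only:", with_first_rule_only())
    print("with EDIT rules:", with_edit_rules())
```

With only the REJECT rule, C2's SYN never matches anything and falls through to the DROP policy, so it is not accepted, no conntrack entry is confirmed, and C1's reply is then seen as NEW and rejected; that is the "can't telnet C1 from C2" result in the comments. With the EDIT's rules in place, the SYN is accepted on the way in, the reply is ESTABLISHED and passes the `! --state NEW` rule, and a connection attempt from C1 is still rejected. (Telnet to R2 itself goes through the INPUT chain, which has policy DROP in the question's output; the FORWARD rules do not affect it.)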
