iptables-persistent blocking any outbound connections

Question

I use iptables-persistent to set firewall rules.

This is my standard configuration:

*filter     
:INPUT DROP [0:0]     
:FORWARD ACCEPT [0:0]     
:OUTPUT ACCEPT [0:0]     
-A INPUT -p tcp --dport 2123 -m mac --mac-source XX:XX:XX:XX:XX:XX -j ACCEPT     
COMMIT

Problem is I can't download packages from debian servers and ping local and external IP addresses.

INPUT is only for 'incoming' connections, is this correct?

These are the rules for IPv6:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT

score 2 · Accepted Answer · answered Sep 18 '16 at 19:04

2

The problem you've got is that you're not allowing any incoming packets. So if you try and reach out to an external server then you can't receive the replies!

This, typically, can be handled with an "established" rule

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The idea, here, is that incoming packets that match an outgoing connection will be allowed back in.

Now with default DROP for input chains, you may see other problems (eg ICMP packets) so you may also need to allow them in depending on your requirements.

answered Sep 18 '16 at 19:04

Stephen Harris

42,369
5
94
123

Yes, exactly, I fount similar solution "iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT", but you was first :P (+4u). Basically I was confused, but thx for fast 'outbound' replay without lags :) – Nerus Sep 18 '16 at 19:16
That `OUTPUT` rule would be needed if you had a default `DROP` for out output chain, but because you have default `ACCEPT` then you don't need this. – Stephen Harris Sep 18 '16 at 19:37

Nerus · Answer 2 · 2016-09-18T20:44:26.213

0

Problem was solved.

new fixed rules:

*filter
:INPUT DROP [0:0] 
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 2123 -m mac --mac-source XX:XX:XX:XX:XX:XX -j    ACCEPT
COMMIT

edited Sep 18 '16 at 20:44

answered Sep 18 '16 at 19:19

Nerus

23
4

score 0 · Answer 3 · answered Oct 10 '16 at 18:22

0

if you want a better control over iptables, use the conntrack "--ctstate" modules. It's better and newer than "--state"

For example:

iptables -A INPUT -p tcp -m tcp -m conntrack --ctstate ESTABLISHED -j ACCEPT

answered Oct 10 '16 at 18:22

Wagner

149
4

Better or just different? Some description of the differences might help a lot. – ilkkachu Oct 10 '16 at 21:50

score 0 · Answer 4 · edited Apr 13 '17 at 12:13

0

I don't claim to be an expert with iptables rules but the module conntrack is making use of the connection tracking extension (conntrack) while the second is making use of the state extension.According to this document the conntrack extension superseded state.

Obsolete extensions: • -m state: replaced by -m conntrack

more information here

edited Apr 13 '17 at 12:13

Community

1

answered Oct 11 '16 at 00:01

Wagner

149
4

Thx 4 info, I'll check it when i will have sec. – Nerus Oct 14 '16 at 13:14

iptables-persistent blocking any outbound connections

4 Answers4