Christian <syphdias+archlinuxml@gmail.com> wrote:
Hi David,
> No, outbound was fine, it was the INPUT chain block from the 95.216 ranges that got me. […]
I might be wrong, but this thread reads like there is a misunderstanding of the difference between "inbound" and "INPUT". The two phrases are not the same. At the risk of mansplaining the difference, I hope this clears up some confusion.
First let us define "inbound" and "outbound". "Inbound" usually refers to packets coming to your computer/machine (e.g. from the internet). "Outbound" usually refers to packets going from your computer/machine to somewhere else (internet, NAS, etc.).
"INPUT" refers to an iptables chain [1]. Both inbound and outbound packets will go through this chain (for nftables this is very similar, but the name of the chain might be different).
Referring to the figure at https://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.html, are you saying a program running on the box can send network packets, and these packets pass through the OUTPUT chain only if the INPUT chain allows it? If you do, note that my understanding of statement 4 at the bottom of the link is different. Am I wrong? -- u34
This means that if you block everything related to a certain IP address in the INPUT chain, you will also block outbound traffic.
If you dropped all the default rules from netfilter that make your firewall stateful [2], you could end up in the following situation. You have something like `iptables -A INPUT -s $bad_source_ip -j DROP`, dropping all packets from $bad_source_ip.
1. You try to establish a connection to $bad_source_ip.
2. You don't have a rule that makes your firewall stateful and accepts the reply packet before any other rule can take effect.
3. The rule above takes effect and the reply packet from $bad_source_ip is dropped.
4. (Due to TCP's behaviour there will be retries that end up with the same result.)
So my conclusion here would be that you did one of two things:
1. You made your firewall non-stateful by removing the default ruleset.
2. You blocked the "bad IPs" not just as source but also as destination.
TL;DR: INPUT chain also takes effect for outbound traffic. So you need to allow related and established packets to get accepted.
If you want to check whether you removed the statefulness from your firewall, you can run `iptables -S | grep -e RELATED -e ESTABLISHED`. I would expect some lines to come up, either in the INPUT chain or in a chain that is jumped to very early from the INPUT chain.
If you do not want to get involved with iptables/nftables "wizardry", I would recommend something like ufw [3], which has some defaults and can easily be configured via the GUI with gufw.
Best,
Christian
[1]: https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg
[2]: https://wiki.archlinux.org/title/Simple_stateful_firewall
[3]: https://wiki.archlinux.org/title/Uncomplicated_Firewall
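The grep Christian suggests only shows whether a RELATED/ESTABLISHED rule exists somewhere; the failure mode he walks through (the per-IP DROP firing before the stateful ACCEPT) is really about rule *order*. The script below is an added example, not part of the original mail or of any Arch wiki ruleset: it takes `iptables -S` output and reports whether the first RELATED/ESTABLISHED ACCEPT reachable from INPUT (directly, or via a user chain that INPUT jumps to) comes before the first DROP/REJECT in INPUT. The three rulesets are constructed for the demo (192.0.2.10 is documentation address space standing in for $bad_source_ip; the chain name STATE is made up); in real use you would pipe `iptables -S` into the function instead.

```shell
#!/bin/sh
# Added example: check that an iptables ruleset (as printed by `iptables -S`)
# accepts RELATED/ESTABLISHED packets in INPUT before any DROP/REJECT rule
# in INPUT can fire. Returns 0 when the ordering is safe, 1 otherwise.
# Only plain `-A CHAIN ... -j TARGET` lines are understood; policies (-P)
# and chain declarations (-N) are ignored.
check_stateful_order() {
  printf '%s\n' "$1" | awk '
    { rules[NR] = $0 }
    END {
      # Pass 1: which chains contain a RELATED/ESTABLISHED ACCEPT rule?
      for (i = 1; i <= NR; i++) {
        if (rules[i] ~ /^-A / && rules[i] ~ /(ESTABLISHED|RELATED)/ && rules[i] ~ /-j ACCEPT/) {
          split(rules[i], f, " "); stateful[f[2]] = 1
        }
      }
      # Pass 2: walk INPUT in rule order and see what fires first.
      for (i = 1; i <= NR; i++) {
        if (rules[i] !~ /^-A INPUT /) continue
        n = split(rules[i], f, " "); target = ""
        for (k = 1; k < n; k++) if (f[k] == "-j") target = f[k + 1]
        if (target == "ACCEPT" && rules[i] ~ /(ESTABLISHED|RELATED)/) exit 0
        if (target in stateful) exit 0          # jump into a stateful chain
        if (target == "DROP" || target == "REJECT") exit 1
      }
      exit 1                                    # no stateful rule reachable
    }'
}

# Constructed sample 1: the situation from the mail. The per-IP DROP sits
# before the stateful ACCEPT, so replies from 192.0.2.10 to connections we
# opened ourselves are dropped.
BROKEN='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample 2: stateful ACCEPT first, per-IP DROP afterwards.
# New connections from 192.0.2.10 are still dropped; our own replies pass.
GOOD='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP'

# Constructed sample 3: the stateful ACCEPT lives in a user chain (STATE,
# a made-up name) that INPUT jumps to first, as the mail says it may.
EARLY_CHAIN='-P INPUT DROP
-N STATE
-A INPUT -j STATE
-A INPUT -s 192.0.2.10/32 -j DROP
-A STATE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Stand-alone usage: report each sample. Replace a sample with
#   check_stateful_order "$(iptables -S)"
# to check the live ruleset (needs root).
for name in BROKEN GOOD EARLY_CHAIN; do
  eval "ruleset=\$$name"
  if check_stateful_order "$ruleset"; then
    echo "$name: stateful ACCEPT fires before any DROP in INPUT"
  else
    echo "$name: DROP/REJECT can fire before RELATED/ESTABLISHED is accepted"
  fi
done
```

The check is deliberately conservative: a ruleset with no reachable RELATED/ESTABLISHED ACCEPT at all (the "removed the default ruleset" case in the mail) is reported as unsafe too, which is the same thing the grep would tell you, plus the ordering that the grep cannot.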