Re: Any though of having archlinux-keyring-wkd-sync check for iptables and recommend rule?

Hi David,

> No, outbound was fine, it was the INPUT chain block from the 95.216 ranges
> that got me. […]

I might be wrong but this thread reads like there is a
misunderstanding of what the difference is between "inbound" and
"INPUT".
The two phrases are not the same. At the risk of mansplaining the
difference, I hope this clears up some confusion.

First let us define "inbound" and "outbound".
"inbound" usually refers to packets to your computer/machine (e.g. internet).
"outbound" usually refers to packets from your computer/machine to
somewhere else (internet, NAS, etc.).

"INPUT" refers to an iptables chain [1].
Both inbound and outbound packets will go through this chain (for
nftables this is very similar but the name of the chain might be
different).
This means that if you block everything related to a certain IP
address in the INPUT chain, you will also block outbound traffic.

If you dropped all default rules from the netfilter ruleset that make your
firewall stateful [2], you could end up with the following situation:
You have something like `iptables -A INPUT -s $bad_source_ip -j DROP`
dropping all packets from $bad_source_ip.
1. You try to establish a connection to the $bad_source_ip
2. You don't have a rule that makes your firewall stateful and accepts
the reply packet before every other rule can take effect
3. The rule above takes effect and the reply packet from the
$bad_source_ip will be dropped
4. (Due to TCP's behaviour there will be retries that will end up with
the same result)

So my conclusion here would be that you did one of two things.
1. Made your firewall un-stateful by removing the default ruleset
2. Blocked the "bad ips" not just as source but also as destination

TL;DR: INPUT chain also takes effect for outbound traffic. So you need
to allow related and established packets to get accepted.

If you want to check if you removed your statefulness from your
firewall, you can do an `iptables -S | grep -e RELATED -e ESTABLISHED`.
I would expect some lines to come up either in the INPUT chain or a
chain that is very early jumped to in the INPUT chain.

If you do not want to get involved with iptables/nftables "wizardry",
I would recommend something like ufw[3] which has some defaults and
can easily be configured via the GUI with gufw.

Best,
Chistian

[1]: https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg
[2]: https://wiki.archlinux.org/title/Simple_stateful_firewall
[3]: https://wiki.archlinux.org/title/Uncomplicated_Firewall
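The "did I remove my statefulness?" check from the mail above, as an added example that is not part of the original message: it runs the RELATED,ESTABLISHED ordering check offline against constructed `iptables -S` output instead of a live ruleset. The two rulesets and the 192.0.2.10 address are constructed, and only the INPUT chain itself is inspected (not chains jumped to from it).

```shell
#!/bin/sh
# Added example, not from the original mail. Checks whether the INPUT chain
# accepts RELATED,ESTABLISHED packets before the first DROP/REJECT rule, i.e.
# before an `-s $bad_source_ip -j DROP` could swallow the reply packets of
# your own outbound connections.

# Constructed `iptables -S` output resembling the Arch "Simple stateful firewall".
STATEFUL_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 192.0.2.10/32 -j DROP
-A INPUT -p tcp -m conntrack --ctstate NEW -j TCP'

# Constructed ruleset after the defaults were wiped and only the block remains.
BROKEN_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 192.0.2.10/32 -j DROP'

# check_stateful RULESET -> 0 if INPUT has a RELATED,ESTABLISHED ACCEPT that
# comes before any DROP/REJECT in INPUT (or no deny rule exists), 1 otherwise.
# Only the INPUT chain is examined; chains INPUT jumps to are not followed.
check_stateful() {
    rules=$1
    # Position of the first stateful accept among the INPUT rules (1-based).
    accept_pos=$(printf '%s\n' "$rules" | grep -- '^-A INPUT ' \
        | grep -n -- '--ctstate [A-Z,]*ESTABLISHED[A-Z,]* -j ACCEPT' \
        | head -n 1 | cut -d: -f1)
    # Position of the first terminating deny rule among the INPUT rules.
    drop_pos=$(printf '%s\n' "$rules" | grep -- '^-A INPUT ' \
        | grep -n -E -- '-j (DROP|REJECT)' | head -n 1 | cut -d: -f1)
    [ -z "$accept_pos" ] && return 1        # no stateful accept at all
    [ -z "$drop_pos" ] && return 0          # nothing can swallow replies
    [ "$accept_pos" -lt "$drop_pos" ]       # accept must precede the deny
}

# Stand-alone run; on a live box use: check_stateful "$(iptables -S)"
check_stateful "$STATEFUL_RULES" && echo "stateful: replies accepted before DROP" \
    || echo "NOT stateful: replies to outbound connections may be dropped"
```

On the broken ruleset the check reports the situation the mail describes: the block rule fires on the reply packets of your own connections because nothing accepts ESTABLISHED traffic first.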
