Christian <syphdias+archlinuxml@xxxxxxxxx> wrote:

> Hi David,
>
> > No, outbound was fine, it was the INPUT chain block from the 95.216 ranges
> > that got me.
> […]
>
> I might be wrong but this thread reads like there is a
> misunderstanding of what the difference is between "inbound" and
> "INPUT".
> The two phrases are not the same. At the risk of mansplaining the
> difference, I hope this clears up some confusion.
>
> First let us define "inbound" and "outbound".
> "inbound" usually refers to packets to your computer/machine (e.g. internet).
> "outbound" usually refers to packets from your computer/machine to
> somewhere else (internet, NAS, etc.).
>
> "INPUT" refers to an iptables chain [1].
> Both inbound and outbound packets will go through this chain (for
> nftables this is very similar but the name of the chain might be
> different).

Referring to the figure at
https://netfilter.org/documentation/HOWTO/packet-filtering-HOWTO-6.html ,
are you saying: a program running on the box can send network packets,
and these packets pass through the OUTPUT chain only if the INPUT chain
allows it? If you do, note my understanding of statement 4 at the bottom
of the link is different. Am I wrong?

--
u34

> This means that if you block everything related to a certain IP
> address in the INPUT chain, you will also block outbound traffic.
>
> If you would drop all default rules from the net filter that make your
> firewall stateful [2], you could end up with the following situation:
> You have something like `iptables -A INPUT -s $bad_source_ip -j DROP`
> dropping all packets from $bad_source_ip.
> 1. You try to establish a connection to the $bad_source_ip
> 2. You don't have a rule that makes your firewall stateful and accepts
>    the reply packet before every other rule can take effect
> 3. The rule above takes effect and the reply packet from the
>    $bad_source_ip will be dropped
> 4. (Due to TCP's behaviour there will be retries that will end up with
>    the same result)
>
> So my conclusion here would be that you did one of two things.
> 1. Made your firewall un-stateful by removing the default ruleset
> 2. Blocked the "bad ips" not just as source but also as destination
>
> TL;DR: INPUT chain also takes effect for outbound traffic. So you need
> to allow related and established packets to get accepted.
>
> If you want to check if you removed the statefulness from your
> firewall, you can do an `iptables -S | grep -e RELATED -e ESTABLISHED`.
> I would expect some lines to come up either in the INPUT chain or in a
> chain that is jumped to very early in the INPUT chain.
>
> If you do not want to get involved with iptables/nftables "wizardry",
> I would recommend something like ufw[3] which has some defaults and
> can easily be configured via the GUI with gufw.
>
> Best,
> Christian
>
> [1]: https://en.wikipedia.org/wiki/Iptables#/media/File:Netfilter-packet-flow.svg
> [2]: https://wiki.archlinux.org/title/Simple_stateful_firewall
> [3]: https://wiki.archlinux.org/title/Uncomplicated_Firewall
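Added example, not part of Christian's message or the thread: a small POSIX shell check that extends the `iptables -S | grep` idea above by also verifying ordering, i.e. that the INPUT chain accepts RELATED,ESTABLISHED before any source-based DROP, working on saved `iptables -S` output so it runs offline. The two rulesets, the 95.216.0.0/16 block and the helper name `check_stateful_input` are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output: stateful ruleset. The conntrack
# ACCEPT comes first, so replies to our own outbound connections are accepted
# before the source-based DROP below is ever consulted.
STATEFUL_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 95.216.0.0/16 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'

# Constructed sample: same ruleset with the conntrack rule removed. Reply
# packets from 95.216.0.0/16 to a connection *we* opened now hit the DROP,
# which is the situation described in the thread.
NON_STATEFUL_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 95.216.0.0/16 -j DROP
-A INPUT -p tcp --dport 22 -j ACCEPT'

# check_stateful_input RULESET_TEXT
# Returns 0 when an INPUT rule accepting RELATED,ESTABLISHED (conntrack or the
# older state match) appears before the first `-s ... -j DROP` in INPUT,
# 1 otherwise. Live use: check_stateful_input "$(iptables -S)".
check_stateful_input() {
    printf '%s\n' "$1" | awk '
        # Remember that the stateful accept has been seen in INPUT.
        /^-A INPUT / && /(RELATED,ESTABLISHED|ESTABLISHED,RELATED)/ && /-j ACCEPT/ { found = 1 }
        # A source-based DROP before the stateful accept breaks reply traffic.
        /^-A INPUT / && /-s / && /-j DROP/ && !found { bad = 1; exit }
        END { if (bad) exit 1; exit 0 }
    '
}

if check_stateful_input "$STATEFUL_RULES"; then
    echo "stateful ruleset: OK"
fi
if ! check_stateful_input "$NON_STATEFUL_RULES"; then
    echo "non-stateful ruleset: source DROP precedes RELATED,ESTABLISHED accept"
fi
```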