Thank you Paulo for your response. Ah yes, my input rules did not properly allow established/related packets.

Best,
Lihua

On Tue, May 3, 2022 at 10:02 AM Paulo Ricardo Bruck <pauloric@xxxxxxxxxxxxxxxx> wrote:
>
> remember that is a pair. Output + Input...
>
> You only let output as accept. What about input?
>
> best regards
>
> ----- Original message -----
> From: "Linux Scoop" <linuxscoop@xxxxxxxxx>
> To: netfilter@xxxxxxxxxxxxxxx
> Sent: Tuesday, May 3, 2022 10:59:00
> Subject: cannot allow outbound ping traffic
>
> Hello netfilter community,
>
> I am running into a problem where I cannot ping other hosts if I have
> nftables service turned on.
>
> I have the following rule for outgoing traffic (basically allows all
> outgoing traffic)
>
> chain OUTBOUND {
> type filter hook output priority 0; policy accept;
> }
>
> But I cannot ping any inside or outside IPs, e.g.
>
> [root@lxdvfs1a nftables]# ping -vv 172.29.28.1
> ping: socket: Permission denied, attempting raw socket...
> PING 172.29.28.1 (172.29.28.1) 56(84) bytes of data.
> 153 packets transmitted, 0 received, 100% packet loss, time 151999ms
>
> If I turn off nftables service, I can ping any IPs normally.
>
> [root@lxdvfs1a nftables]# ping 172.29.28.1
> PING 172.29.28.1 (172.29.28.1) 56(84) bytes of data.
> 64 bytes from 172.29.28.1: icmp_seq=1 ttl=64 time=1.64 ms
> 64 bytes from 172.29.28.1: icmp_seq=2 ttl=64 time=0.446 ms
> 64 bytes from 172.29.28.1: icmp_seq=3 ttl=64 time=0.488 ms
>
> I also tried adding the following to explicitly allow outgoing ping,
> but it did not work either.
>
> icmp type echo-request ct state new,established accept
>
> Any insight/help would be appreciated.
>
> Thanks,
> Lihua Wang
> Sysadmin at CUNY Graduate Center
>
> --
> Paulo Ricardo Bruck, consultant
> tel 011 3596-4882
> cel 98140-9184 (TIM/WhatsApp)
> http://www.contatogs.com.br/ | https://www.contatoglobal.com.br
>
> Thank you very much
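As an added example that is not part of the thread, here is the output/input pair Paulo refers to, written as a complete nftables ruleset file. Only the OUTBOUND chain comes from the thread; the table name, the INBOUND and FORWARD chains and the SSH rule are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). An output chain that accepts
# everything is only half of the picture: the echo-reply to an outbound
# ping arrives on the input hook and is dropped there unless the input
# chain lets conntrack-tracked return traffic through.

flush ruleset

table inet filter {
    chain INBOUND {
        type filter hook input priority 0; policy drop;

        iifname "lo" accept

        # This is the line whose absence produced the symptom in the
        # thread (100% loss with the service on, replies with it off).
        # Conntrack pairs an ICMP echo-request with its echo-reply, so
        # the reply is "established" and is accepted here; the same rule
        # lets the SYN-ACK of every outbound TCP connection back in.
        ct state established,related accept
        ct state invalid drop

        # Unrelated to the outbound case: answer pings aimed at this host.
        icmp type echo-request limit rate 5/second accept
        # IPv6 neighbour discovery must be allowed for IPv6 to function.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert } accept

        # Assumed example service exposed by this host.
        tcp dport 22 ct state new accept
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }

    # Identical to the chain posted in the thread: the host may originate
    # anything. Adding "icmp type echo-request ... accept" here changes
    # nothing, because the policy already accepts it.
    chain OUTBOUND {
        type filter hook output priority 0; policy accept;
    }
}
```

Validate the file with `nft -c -f <file>` before loading it, and while a ping is running `conntrack -L -p icmp` shows the tracked echo flow that the established rule matches.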