Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: problems with iptables

  1. #1
    Join Date
    Feb 2022
    Beans
    6

    problems with iptables

    Hello all,

    According to my understanding the following rule should allow me to continue surfing the web, because the answer from the webserver is a response to an already established connection. Therefore the 2nd command should allow the response to get through.
    sudo iptables -P INPUT DROP
    sudo iptables -A INPUT -m conntrack -ctstate ESTABLISHED,RELATED -J ACCEPT

    However, it doesn't it. Firefox does not show any website.

    Strangely enough, doing exactly the same in Kali Linux works as I had imagined.
    sudo iptables -P INPUT DROP => no surfing possible
    sudo iptables -A INPUT -m conntrack -ctstate ESTABLISHED,RELATED -J ACCEPT => surfing possible again.

    It seems to be problem with the DNS resolution.
    ping google.com works on Kali but not on Ubuntu. Ubuntu shows the following error message: "ping: google.com: Temporary failure in name resolution"
    But why? The answer to the DNS query should get through, because it is a response and not a new connection.

    I would be really grateful for any explanation.

    Georg

    P.S. I am using Ubuntu 20.04 LTS
    Last edited by georgschmidt; February 11th, 2022 at 07:32 AM.

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    7,714

    Re: problems with iptables

    Can the DNS request get out? I don't see any mention of outgoing rules.
    Another possible hiccup: Can the PC talk to itself? Ubuntu often runs an internal DNS resolver on 127.0.0.53 on interface lo. It is normal to allow any protocol from lo to lo so that local applications and services can talk to each other.


    When posting iptables rules for people to help with, please always post the output from sudo iptables-save. Other ways of showing the rules generally leave information out, but this command gives complete information.

  3. #3
    Join Date
    Feb 2022
    Beans
    6

    Re: problems with iptables

    The Cog, thank you for your answer.
    I haven't set any other rules, so everything else uses the default values (OUTPUT: ACCEPT, FORWARD: ACCEPT)

    # Generated by iptables-save v1.8.4 on Fri Feb 11 21:18:16 2022
    *filter
    :INPUT DROP [12:876]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [19:1345]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Fri Feb 11 21:18:16 2022

  4. #4
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: problems with iptables

    First, try changing the INPUT policy from DROP to ACCEPT. Does it work then?

    Are you running this on a local workstation, or on a network gateway? I don't see any value to using rules like this on a normal workstation if it's behind a firewall router. If you're using a network gateway, make sure you've enabled packet forwarding in /etc/sysctl.conf.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  5. #5
    Join Date
    Feb 2022
    Beans
    6

    Re: problems with iptables

    Thank you SeijiSensei. Yes, when changing the INPUT Policy to ACCEPT, it works. This is actually the default, INPUT, OUTPUT and FOWARD all set to ACCEPT, no other rules. It is running on a desktop computer (VirtualBox). I was reading about IPTABLES and was playing around with it, to see whether I understood it correctly. It just didn't behave as I has imagined and I got curious. When I asked a friend, he tried it on his Kali and it behaved as expected. This made me even more curious

  6. #6
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,526
    Distro
    Ubuntu Development Release

    Re: problems with iptables

    Please try an ACCEPT rule for the local interface, as The Cog mentioned. I think this:

    Code:
    sudo iptables -A INPUT -i lo -J ACCEPT
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  7. #7
    Join Date
    Feb 2022
    Beans
    6

    Re: problems with iptables

    Yes, that works. But why? I thought that with "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" I allow incoming traffic if it is a response to an outgoing one. Since I don't specify an interface, isn't that rule also valid for the lo interface. So the local host can send the response back.
    Or is it, because the local host is basically my machine as well, it doesn't receive the first request, because it is blocked by the INPUT rule. Is my understanding correct that if I send sth to local host, I basically send it to myself and it goes through the OUTPUT (because it comes from my machine) and INPUT channel (because my machine also receives it). So for anything to LO, both INPUT AND OUTPUT policy / rules are valid?
    Thank you very much

  8. #8
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,526
    Distro
    Ubuntu Development Release

    Re: problems with iptables

    Quote Originally Posted by georgschmidt View Post
    Yes, that works. But why? I thought that with "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT" I allow incoming traffic if it is a response to an outgoing one. Since I don't specify an interface, isn't that rule also valid for the lo interface. So the local host can send the response back.
    I don't know the answer because I have always had lo interface ACCEPT rules in my chains and never thought about it beyond that.

    I wonder if the connection tracking table doesn't track lo interface connections. I tried to find the answer, but didn't with the time I had available. One could also watch the lo interface with tcpdump or wireshark, but I didn' try it.
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  9. #9
    Join Date
    Nov 2008
    Location
    Boston MetroWest
    Beans
    16,326

    Re: problems with iptables

    I'm still waiting to hear what role this machine plays in your network -- workstation, router, server, something else?

    I'll just reiterate that I don't see any need for iptables rules on machines behind a firewall router. If you're setting up this machine as a router, that's one thing. But it doesn't seem like that what's you're trying to do.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  10. #10
    Join Date
    Feb 2022
    Beans
    6

    Re: problems with iptables

    Hello SeijiSenesei,
    Thank you for your response. I thought I had answered that in my first response. It is a workstation. I tried this was because I was reading about iptables and wanted to check my understanding. I was surprised by the behaviour and wanted to understand why. The question was more for my understanding rather than for a concrete setting.

    You are right, normally this PC is behind a router firewall. However, I guess I a firewall would be useful if connected to a public wifi, so in that case the above settings might actually have some use after all.

Page 1 of 2 12 LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •