confusing INPUT,OUTPUT iptables rules

1

Following are my iptables rules in Ubuntu.

╰─$ sudo iptables -S              
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP

I have given rules only for INPUT, and all outgoing traffic is under the ACCEPT policy. But I cannot browse the internet or ping any internet domain.

But if I remove the last rule in the INPUT chain, -A INPUT -j DROP, then I can browse and ping.

Which chain exactly needs to be opened for browsing the internet? Why is the INPUT chain policy interfering with outgoing traffic? I am confused. Explanation please.

Muneer

Posted 2014-08-26T05:31:24.637

Reputation: 113

Answers

1

The -A INPUT -j DROP negates your -P INPUT ACCEPT. -j is the jump option which, as far as I understand, means that if a packet matches this rule, the firewall will ignore all the other rules about the packet and do whatever this line says to do with the packet, which in this case is DROP.

This is letting you send an ICMP signal out, or make an HTTP request, but it is dropping any responses you get. If there is some input you are trying to filter, you would need to add more specificity to the rule, or it will continue to drop everything your outgoing requests get back.

This is my favourite IPTables tutorial. It has several examples of filtering certain types of input, and also explains the distinction between NEW and ESTABLISHED traffic.

http://www.thegeekstuff.com/2011/06/iptables-rules-examples/

Hope this helps.

blanket_cat

Posted 2014-08-26T05:31:24.637

Reputation: 136

I added another rule to accept ESTABLISHED,RELATED connections. Now it works. – Muneer – 2014-08-26T08:16:33.543

-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT – Muneer – 2014-08-26T08:16:51.920
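To make the thread's point concrete, here is an added example (not from the original post, the answer, or iptables itself) that models how netfilter walks an iptables chain: rules are checked in order, the first rule whose match succeeds and whose target is terminating (ACCEPT or DROP) decides the packet, and the chain policy applies only when no rule matched. The model is deliberately small: it knows only the matches used in this thread (-i lo, -p tcp --dport, -m conntrack --ctstate) and assumes the usual conntrack behaviour that replies to this host's own outbound TCP, UDP and ICMP echo traffic are tagged ESTABLISHED. All packets are constructed, and the interface name eth0 and the ports are assumptions.

```python
"""Simplified model of iptables INPUT chain evaluation (constructed example).

Models first-match evaluation with terminating targets, the chain policy as
the fallback, and the conntrack --ctstate match.  Real netfilter does far
more; this covers only what the thread discusses.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Packet:
    """Constructed inbound packet as the INPUT chain sees it."""
    proto: str               # "tcp", "udp" or "icmp"
    in_iface: str            # "lo", "eth0", ...  (eth0 is an assumed name)
    ctstate: str             # conntrack state: NEW, ESTABLISHED, RELATED, INVALID
    dport: Optional[int] = None


@dataclass
class Rule:
    text: str                        # the `iptables -S` rendering, for display
    target: str                      # terminating target: ACCEPT or DROP
    match: Callable[[Packet], bool]


@dataclass
class Chain:
    name: str
    policy: str                      # -P <chain> <policy>
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:                      # iptables -A
        self.rules.append(rule)

    def insert(self, rule: Rule, rulenum: int = 1) -> None:    # iptables -I
        self.rules.insert(rulenum - 1, rule)

    def verdict(self, pkt: Packet) -> str:
        """First matching rule decides; the policy applies only if none matches."""
        for rule in self.rules:
            if rule.match(pkt):
                return rule.target
        return self.policy

    def dump(self) -> List[str]:
        """Render the chain the way `iptables -S` prints it."""
        return [f"-P {self.name} {self.policy}"] + [r.text for r in self.rules]


# Rule constructors mirroring the options used in the thread.
def accept_lo() -> Rule:
    return Rule("-A INPUT -i lo -j ACCEPT", "ACCEPT", lambda p: p.in_iface == "lo")

def accept_tcp_dport(port: int) -> Rule:
    return Rule(f"-A INPUT -p tcp -m tcp --dport {port} -j ACCEPT", "ACCEPT",
                lambda p: p.proto == "tcp" and p.dport == port)

def accept_ctstate(*states: str) -> Rule:
    wanted = set(states)
    return Rule(f"-A INPUT -m conntrack --ctstate {','.join(states)} -j ACCEPT",
                "ACCEPT", lambda p: p.ctstate in wanted)

def drop_all() -> Rule:
    return Rule("-A INPUT -j DROP", "DROP", lambda p: True)


def original_chain() -> Chain:
    """The INPUT chain exactly as listed in the question."""
    ch = Chain("INPUT", "ACCEPT")
    ch.append(accept_lo())
    ch.append(accept_tcp_dport(22))
    ch.append(drop_all())
    return ch

def fixed_chain() -> Chain:
    """Muneer's fix with the conntrack rule placed *before* the catch-all DROP."""
    ch = original_chain()
    ch.insert(accept_ctstate("RELATED", "ESTABLISHED"), rulenum=1)
    return ch

def misplaced_fix_chain() -> Chain:
    """Same rule appended with -A: it lands after -j DROP and never sees a packet."""
    ch = original_chain()
    ch.append(accept_ctstate("RELATED", "ESTABLISHED"))
    return ch


# Constructed inbound packets: what comes back when this host browses or pings,
# plus two unsolicited connection attempts from outside.
HTTP_REPLY = Packet("tcp", "eth0", "ESTABLISHED", dport=51234)   # reply to our HTTP request
DNS_REPLY = Packet("udp", "eth0", "ESTABLISHED", dport=40000)    # reply to our DNS query
PING_REPLY = Packet("icmp", "eth0", "ESTABLISHED")               # echo-reply to our ping
SSH_IN = Packet("tcp", "eth0", "NEW", dport=22)                  # someone connecting to us
HTTP_IN = Packet("tcp", "eth0", "NEW", dport=80)                 # unsolicited inbound

if __name__ == "__main__":
    for label, ch in [("original", original_chain()), ("fixed", fixed_chain()),
                      ("misplaced", misplaced_fix_chain())]:
        print(f"== {label} ==", *ch.dump(), sep="\n")
        for name, pkt in [("http reply", HTTP_REPLY), ("dns reply", DNS_REPLY),
                          ("ping reply", PING_REPLY), ("ssh in", SSH_IN), ("http in", HTTP_IN)]:
            print(f"  {name:<11} -> {ch.verdict(pkt)}")
```

Running it shows why the policy never helped: with `-A INPUT -j DROP` as the last rule every packet matches something before the policy is consulted, so the DNS, HTTP and ICMP replies to the host's own requests are dropped while the outbound requests (OUTPUT chain) leave normally. It also shows the ordering trap in Muneer's fix: the conntrack rule only works if it sits above the catch-all DROP, which on a real box means `sudo iptables -I INPUT 1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rather than `-A`; `iptables -S` prints both forms as `-A`, so check the position (and per-rule packet counters) with `sudo iptables -L INPUT -v -n --line-numbers`.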