
Output iptables dropping 443 even when rule allows it

These are my current rules:

:INPUT DROP [2:406]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LOGGING - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.1/32 -p udp -m udp --sport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.1/32 -p tcp -m tcp --sport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.129/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eno1 -p tcp -m tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25565 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25566 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 68 -j DROP
-A INPUT -p udp -m udp --dport 68 -j DROP
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-16c910ec1d5a -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-16c910ec1d5a -j DOCKER
-A FORWARD -i br-16c910ec1d5a ! -o br-16c910ec1d5a -j ACCEPT
-A FORWARD -i br-16c910ec1d5a -o br-16c910ec1d5a -j ACCEPT
-A FORWARD -d 192.168.1.0/24 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eno1 -p tcp -m tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25566 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25565 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGGING
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-16c910ec1d5a ! -o br-16c910ec1d5a -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-16c910ec1d5a -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
-A LOGGING -j DROP

And this is the log for the OUTPUT chain:

Aug  2 00:03:59 saitgaming systemd[1]: Started Session 101 of user root.
Aug  2 00:04:14 saitgaming kernel: [84380.438512] IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37496 DF PROTO=TCP SPT=45294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug  2 00:04:15 saitgaming kernel: [84381.439683] IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37497 DF PROTO=TCP SPT=45294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug  2 00:04:17 saitgaming kernel: [84383.455730] IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37498 DF PROTO=TCP SPT=45294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 
Aug  2 00:04:21 saitgaming kernel: [84387.487679] IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37499 DF PROTO=TCP SPT=45294 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 

It's hard for me to make sense of it, mainly because I'm not experienced enough with iptables, so any help or advice will be very much appreciated.

Dom
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT -> must be "dport" (not sport): your computer is trying to reach a server on port 443.
Nikita Kipriyanov
You have permitted this computer to run a server on port 443, but there is no rule permitting it to connect to servers on their port 443.
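To make the two comments above concrete, here is an added example (not from the original post or from either commenter): a small Python script that parses the first `IPTables-Dropped:` line from the log and replays that packet against the posted OUTPUT chain, first as-is and then with the rule the commenters are describing inserted ahead of the `-j LOGGING` catch-all. It models only the match types the posted chain actually uses (`-o`, `-p`, `-d`, `--sport`, `--dport`, `--ctstate`), infers the conntrack state from the TCP flags in the log line (a bare SYN is treated as NEW), and the `FIX_RULE` string is my assumed fix, not something from the post. It also shows that an outbound connection to port 80 is dropped for the same reason, which the comments do not mention.

```python
"""
Added example (not from the original question or comments): replay the dropped
SYN from the kernel LOG line against the posted OUTPUT chain to show why no
ACCEPT rule matches it.  This is a reasoning aid for reading iptables-save
output, not a substitute for testing with iptables itself.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# The OUTPUT chain exactly as posted.  Order matters: the first match wins.
OUTPUT_CHAIN = """
-A OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eno1 -p tcp -m tcp --sport 3306 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -d 192.168.1.1/32 -p udp -m udp --dport 53 -j ACCEPT
-A OUTPUT -d 192.168.1.1/32 -p tcp -m tcp --dport 53 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 443 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 8443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 443 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 22 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25566 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 25565 -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A OUTPUT -j LOGGING
"""

# Assumed fix (not in the original post): allow *new* outbound connections to
# port 443.  Replies are already covered by the ESTABLISHED rule at the top.
FIX_RULE = "-A OUTPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"

# First drop from the posted log, copied from the question.
LOG_LINE = ('IPTables-Dropped: IN= OUT=eno1 SRC=192.168.1.116 DST=143.204.163.105 '
            'LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37496 DF PROTO=TCP SPT=45294 '
            'DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0')


def parse_log(line: str) -> dict:
    """Turn the KEY=VALUE pairs of a netfilter LOG line into a packet dict."""
    kv = dict(re.findall(r'(\w+)=(\S*)', line))
    pkt = {
        'out': kv.get('OUT', ''),
        'dst': kv.get('DST', ''),
        'proto': kv.get('PROTO', '').lower(),
        'sport': int(kv['SPT']) if 'SPT' in kv else None,
        'dport': int(kv['DPT']) if 'DPT' in kv else None,
    }
    # Simplification: a bare SYN opens a new flow, so conntrack sees it as NEW;
    # anything else is treated as part of an existing flow.
    flags = set(re.findall(r'\b(SYN|ACK|FIN|RST)\b', line))
    pkt['ctstate'] = 'NEW' if flags == {'SYN'} else 'ESTABLISHED'
    return pkt


def rule_matches(rule: str, pkt: dict) -> bool:
    """Evaluate only the match options that appear in the chain above."""
    tok = rule.split()

    def opt(name: str) -> Optional[str]:
        return tok[tok.index(name) + 1] if name in tok else None

    if opt('-o') and opt('-o') != pkt['out']:
        return False
    if opt('-p') and opt('-p') != pkt['proto']:
        return False
    if opt('-d') and ip_address(pkt['dst']) not in ip_network(opt('-d')):
        return False
    if opt('--sport') and int(opt('--sport')) != pkt['sport']:
        return False
    if opt('--dport') and int(opt('--dport')) != pkt['dport']:
        return False
    if opt('--ctstate') and pkt['ctstate'] not in opt('--ctstate').split(','):
        return False
    return True  # a rule with no match options (e.g. "-j LOGGING") matches all


def first_match(chain: str, pkt: dict) -> Tuple[Optional[str], str]:
    """Walk the chain top-down and return (matching rule, its target)."""
    for rule in chain.strip().splitlines():
        if rule_matches(rule, pkt):
            tok = rule.split()
            return rule, tok[tok.index('-j') + 1]
    return None, 'POLICY'


def verdict(chain: str, pkt: dict) -> str:
    """ACCEPT, or DROP: LOGGING logs with the 'IPTables-Dropped:' prefix and
    then drops, and the chain policy for OUTPUT in the post is DROP as well."""
    _, target = first_match(chain, pkt)
    return 'ACCEPT' if target == 'ACCEPT' else 'DROP'


def with_fix(chain: str) -> str:
    """Insert FIX_RULE just ahead of the catch-all jump to LOGGING."""
    rules = chain.strip().splitlines()
    rules.insert(rules.index('-A OUTPUT -j LOGGING'), FIX_RULE)
    return '\n'.join(rules)


if __name__ == '__main__':
    pkt = parse_log(LOG_LINE)
    for label, chain in (('as posted', OUTPUT_CHAIN), ('with fix', with_fix(OUTPUT_CHAIN))):
        rule, _ = first_match(chain, pkt)
        print(f'{label:10}: {verdict(chain, pkt)} via: {rule}')
    # Constructed variant: the same SYN towards port 80 is dropped for the same reason.
    http = parse_log(LOG_LINE.replace('DPT=443', 'DPT=80'))
    print(f'port 80   : {verdict(with_fix(OUTPUT_CHAIN), http)} (fix covers 443 only)')
```

Run as posted, the SYN walks past every rule (the only 443 rule requires source port 443, i.e. a reply from a local server) and lands on `-j LOGGING`, which is exactly the log line in the question. On the real box the equivalent change is to insert `iptables -I OUTPUT <n> -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT` at a position above the `-j LOGGING` rule; the rest of the handshake is then accepted by the existing `--ctstate ESTABLISHED` rule. The same `--sport`/`--dport` mix-up applies to the port 80 and 8443 OUTPUT rules, so outbound HTTP needs its own `--dport 80` rule as well.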