Score:0

Cannot make outbound connections with iptables set to allow all

ba flag

I cannot for the life of me figure out why the DROP winds up getting hit with outbound requests originating off my openvz-based VPS.

I know it has to be something with how the packet isn't going directly outbound, or something, and I seem to be missing some basic thing here. I have tried various things, and the only way I can get it to work again is flushing the rules (iptables -F).

The goal is to block all incoming traffic, except from one IP (1.2.3.4) and port 53/113 to everyone, and allow all outbound.

Here's the output of iptables -L -n -v; I can see the DROP packet count go up when I try to curl outbound. (IPs slightly modified for privacy)

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  239 17668 ACCEPT     all  --  *      *       1.2.3.4              0.0.0.0/0           
  118 11175 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53
    3   174 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
   17  1176 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:113
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 2238  119K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  889 56648 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

this is from iptables-save (IPs slightly modified for privacy)

# Generated by iptables-save v1.8.4 on Thu Dec  2 02:42:40 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 1.2.3.4/32 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j DROP
-A OUTPUT -j ACCEPT
COMMIT
# Completed on Thu Dec  2 02:42:40 2021

these are the interfaces (IPs slightly modified for privacy)

venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 127.0.0.1  netmask 255.255.255.255  broadcast 0.0.0.0  destination 127.0.0.1
        inet6 2a00:d880:3:1::ad49:a3f2  prefixlen 128  scopeid 0x0<global>
        inet6 2a00:d880:3:1::a639:a610  prefixlen 128  scopeid 0x0<global>

venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 81.1.1.1  netmask 255.255.255.255  broadcast 81.1.1.1  destination 81.1.1.1
Score:0
za flag

Your INPUT chain rejects valid expected replies to outbound packets. To allow them:

iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

It'll detect if the packet is the continuation of some prior connection (for example, the reply to some outgoing packet) and permit it.

Also, I suggest changing the INPUT policy to DROP. The processing will not change (you have an unconstrained DROP down in the ruleset), but the intention will be clear.

iptables -P INPUT DROP
ba flag
The reason I don't have some of those extra -m's is that I get "iptables: No chain/target/match by that name." It's running a full kernel, it seems (so I'd assume all the modules are there): `Linux foo 5.4.0 #1 SMP Thu Jun 27 15:10:55 MSK 2019 x86_64 x86_64 x86_64 GNU/Linux`; however, I'm in an openvz guest.
Nikita Kipriyanov
za flag
That's strange. Is your install complete? Try `-m state --state ESTABLISHED,RELATED` instead (however, that's an *obsolete* method of doing this and in the 5.x kernel it is certainly implemented internally via conntrack module).
ba flag
Didn't help. It seems to be focused on the host's kernel (I didn't even have one installed in the guest. I installed one, but it doesn't seem to boot it, probably because openvz...). I'm wondering if it's something on the host level, like whether the host kernel has it enabled. I can control packets at my level but don't seem to be able to access the conntrack or state modules.
Nikita Kipriyanov
za flag
You have to either know all possible traffic a priori and permit it statically, or use a stateful firewall, which discovers it dynamically. "Enable selected inbound connections and all possible outbound connections" requires a stateful firewall, so it seems what you are asking is impossible. Your last chance is to ask your hosting provider to load the required modules for you. // P.S. openvz? At the end of 2021? Seriously?
ba flag
it's using ramnode... there's a lot of "low end" cheap VPS providers out there still using it.
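As an added example (not code from the question, the answer or the commenters), the following POSIX sh script generates, in iptables-restore format, the complete ruleset the question is after: inbound only from 1.2.3.4 and to ports 53/113, all outbound allowed, and replies to outbound traffic accepted. It puts the answer's conntrack rule ahead of the final DROP, which is the ordering the original ruleset was missing, and it also offers a stateless fallback for the situation in the comments where the OpenVZ guest refuses `-m conntrack` and `-m state`. The function names, the `conntrack`/`stateless` mode switch and the FORWARD DROP policy are this example's own choices; the trusted IP and the ports come from the question.

```shell
#!/bin/sh
# Added example, not part of the original thread. Emits an iptables-restore
# file for: drop all inbound except from TRUSTED_IP and ports 53/113, allow all
# outbound, and accept replies to our own outbound connections.
#
# Usage:  sh fw.sh conntrack > rules.v4
#         iptables-restore --test < rules.v4   # syntax check, nothing applied
#         iptables-restore < rules.v4          # apply atomically

TRUSTED_IP=1.2.3.4   # the one permitted source from the question

# build_rules MODE
#   conntrack  - stateful, the answer's fix (needs the conntrack match)
#   stateless  - fallback for a container that refuses -m conntrack/-m state
build_rules() {
    mode=${1:-conntrack}
    # Policy DROP makes the intent explicit; the trailing "-A INPUT -j DROP"
    # is kept so that "iptables -L -v" still shows a counter for dropped packets.
    # FORWARD DROP is this example's choice: the question routes nothing.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
EOF
    case "$mode" in
    conntrack)
        # Must come before the final DROP: accepts every reply (TCP, UDP, ICMP
        # errors) to a connection this host initiated, whatever the port.
        echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        ;;
    stateless)
        # No connection tracking: accept TCP segments that are not a connection
        # attempt. --syn matches SYN set with ACK and RST clear, so "! --syn"
        # passes everything else. This is per-packet, not per-connection: a
        # crafted ACK still reaches the stack, and only DNS replies are covered
        # for UDP, so other UDP services this host talks to need their own rule.
        echo "-A INPUT -p tcp ! --syn -j ACCEPT"
        echo "-A INPUT -p udp --sport 53 -j ACCEPT"
        ;;
    *)
        echo "build_rules: unknown mode '$mode'" >&2
        return 1
        ;;
    esac
    cat <<EOF
-A INPUT -s ${TRUSTED_IP}/32 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 113 -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
}

# replies_accepted_before_drop MODE
# Returns 0 when the reply-accepting rule is ordered before the final DROP.
# The original ruleset fails this check: it had no reply rule at all, which is
# why the DROP counter climbed on every outbound curl.
replies_accepted_before_drop() {
    rules=$(build_rules "$1") || return 1
    accept=$(printf '%s\n' "$rules" | grep -n -e 'ESTABLISHED,RELATED' -e '! --syn' | head -1 | cut -d: -f1)
    drop=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -j DROP$' | cut -d: -f1)
    [ -n "$accept" ] && [ "$accept" -lt "$drop" ]
}

# When run directly, print the ruleset for the requested mode.
if [ "${0##*/}" = "fw.sh" ]; then
    build_rules "${1:-conntrack}"
fi
```

Apply with iptables-restore rather than one iptables command at a time: the whole table is swapped atomically, so there is no window in which the DROP rule exists but the reply rule does not, which is exactly the state the question was stuck in. Run `iptables-restore --test` first on a host where the conntrack match is unavailable; it fails at load time with the same "No chain/target/match by that name" error rather than leaving a half-applied ruleset.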