Why does SSH hang when using following nftables rules?

sunknudsen

5/7/23, 10:17 PM

$ cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table ip firewall {
  chain input {
    type filter hook input priority filter; policy drop;
    iif "lo" accept
    iif != "lo" ip daddr 127.0.0.0/8 drop
    tcp dport 22 accept
    ct state established,related accept
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
  }

  chain output {
    type filter hook output priority filter; policy drop;
    iif "lo" accept
    udp dport { 53, 123 } accept
    tcp dport { 53, 80, 443 } accept
    ct state established,related accept
  }
}

Connection eventually works, but it takes much longer than anticipated.

Running journalctl -f, I see systemd[1]: Failed to start User Manager for UID 1000 before connections is finally established.

If I run nft flush ruleset, connection works immediately.

234

0 + 0

ssh

nftables

sunknudsen

5/8/23, 11:59 AM

Found the issue… typo in `chain output`. `iif "lo" accept` should be `oif "lo" accept`.

djdomi

5/8/23, 12:21 PM

if you only accept ssh for localhost, meaning locally, ehy you dont just bind ssh to localhost?

Score:0

Server

sunknudsen

5/8/23, 12:18 PM

Found the issue… typo in chain output. iif "lo" accept should be oif "lo" accept.

0 + 0

Score:0

Server

Tomek

5/8/23, 11:52 AM

For incoming connections ALL external incoming packets match this rule:

iif != "lo" ip daddr 127.0.0.0/8 drop

as they come on interface which is not a local loopback and their destination address is definitely not in 127.0.0.0/8 network. I am surprised it goes through even after some timeout unless you also have IPv6 up and running.

For all locally initiated outgoing connections which are not DNS, NTP, HTTP and HTTPS - they hit the output chain drop policy. Again - they should not work at all unless you also have IPv6 up and running.

0 + 0

sunknudsen

5/8/23, 12:00 PM

Thanks for helping out. Found issue, see comments.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Why does SSH hang when using following nftables rules?

TH: เหตุใด SSH จึงหยุดทำงานเมื่อใช้กฎ nftables ต่อไปนี้

RO: De ce se blochează SSH când utilizați următoarele reguli nftables?

RU: Почему SSH зависает при использовании следующих правил nftables?

VI: Tại sao SSH bị treo khi sử dụng các quy tắc nftables sau?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.