Score:0

iptables: why are outgoing connections working even though no rules allow it


The INPUT and OUTPUT chain policies are set to DROP. Very few rules allowing only specific traffic between directly cable-connected devices. However, if I temporarily add a cable that goes to the router, why can I initiate outgoing connections and receive answers, like do apt update, even though there are no rules allowing HTTP traffic in or out?

I have noticed that if I add iptables -P FORWARD DROP then those outgoing connections don't work anymore. Why does the FORWARD chain have any impact on this?

raspberrypi:~ $ sudo iptables -nvL
Chain INPUT (policy DROP 332 packets, 244K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
 1254 79084 ACCEPT     tcp  --  *      *       66.66.66.5           66.66.66.3           tcp dpt:21385 ctstate NEW,ESTABLISHED
 1453 2495K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy DROP 373 packets, 47731 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1715  162K ACCEPT     tcp  --  *      *       99.99.99.3           99.99.99.2           tcp dpt:5656
    6   456 ACCEPT     udp  --  *      *       99.99.99.3           99.99.99.2           udp dpt:123
  952  156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Secondary question: Is there any risk in using those easy to recognize IP addresses between my internally and directly cable-connected devices? Could packets leak, because those are valid public addresses?

EDIT: adding requested info.

network diagram

We are talking about the device "Raspi Client".

Output of iptables-save:

raspberrypi:~ $ sudo iptables-save
# Generated by xtables-save v1.8.2 on Wed Jan 19 10:42:58 2022
*nat
:PREROUTING ACCEPT [529:48304]
:INPUT ACCEPT [7:420]
:POSTROUTING ACCEPT [2465:187164]
:OUTPUT ACCEPT [2804:242065]
:DOCKER - [0:0]
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Wed Jan 19 10:42:58 2022
# Generated by xtables-save v1.8.2 on Wed Jan 19 10:42:58 2022
*filter
:INPUT DROP [607:267621]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [394:50896]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 66.66.66.5/32 -d 66.66.66.3/32 -p tcp -m tcp --dport 21385 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -s 99.99.99.3/32 -d 99.99.99.2/32 -p tcp -m tcp --dport 5656 -j ACCEPT
-A OUTPUT -s 99.99.99.3/32 -d 99.99.99.2/32 -p udp -m udp --dport 123 -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Wed Jan 19 10:42:58 2022
Comment:
Please add output of `iptables-save` to the question, and a network diagram.
Score:0
INPUT and OUTPUT chains cover communication where the source or destination of the traffic is the router itself.

FORWARD covers the traffic that the router forwards from one interface to another (from LAN port to WAN port and vice versa).
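The quickest way to confirm on the Raspi itself which chain is actually on the path of a test flow is to compare the per-chain counters before and after the test: the OUTPUT chain (and its policy counter) only ever sees packets the host generated, while FORWARD only sees packets that cross the box, which includes anything originating in a container on the docker0 bridge that the nat table in the question shows is configured. The script below is an added example for this thread, not code from the post or from the iptables project. It parses two `iptables -nvL` snapshots and lists every policy and rule counter that grew between them; the two embedded snapshots are constructed for the demo (BEFORE copies the counters from the question, AFTER is made up), and on a real host you pass two files captured around the test, preferably from `iptables -nvxL` so the counters are exact rather than rounded to K/M.

```python
"""Which iptables chains does a test flow actually traverse?  Snapshot the
counters (`iptables -nvL`, better `iptables -nvxL` for exact numbers), run the
test (e.g. `apt update`), snapshot again, and diff: only counters that grew
were on the packets' path.  Added example for this thread, not code from the
post or from iptables.  Usage: python3 chain_diff.py before.txt after.txt
(with no arguments it diffs the two constructed snapshots embedded below)."""
import re
import sys

# Built-in chains print a policy and its counters; user chains (e.g. DOCKER-USER) print a reference count.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+) (\S+) packets, \S+ bytes|\d+ references)\)$")
SUFFIX = {"": 1, "K": 1000, "M": 1000 ** 2, "G": 1000 ** 3, "T": 1000 ** 4}

def parse_count(token):
    """'244K' -> 244000; without -x iptables abbreviates with decimal suffixes."""
    m = re.fullmatch(r"(\d+)([KMGT]?)", token)
    if not m:
        raise ValueError(f"not a counter: {token!r}")
    return int(m.group(1)) * SUFFIX[m.group(2)]

def parse_listing(text):
    """{chain: {'policy': str|None, 'policy_pkts': int, 'rules': [{'pkts': int, 'desc': str}]}}"""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        m = CHAIN_RE.match(line)
        if m:
            policy_pkts = parse_count(m.group(3)) if m.group(3) else 0
            current = {"policy": m.group(2), "policy_pkts": policy_pkts, "rules": []}
            chains[m.group(1)] = current
            continue
        fields = line.split()
        # skip the header row and target-less counting rules (their columns shift left)
        if current is None or fields[0] == "pkts" or len(fields) < 9:
            continue
        # columns: pkts bytes target prot opt in out source destination [match options]
        current["rules"].append({"pkts": parse_count(fields[0]), "desc": " ".join(fields[2:])})
    return chains

def diff_counters(before, after):
    """(chain, label, delta) for every policy or rule counter that increased."""
    grew = []
    for name, a in after.items():
        b = before.get(name)
        if b is None:
            continue
        delta = a["policy_pkts"] - b["policy_pkts"]
        if delta > 0:
            grew.append((name, f"policy {a['policy']}", delta))
        for i, (ra, rb) in enumerate(zip(a["rules"], b["rules"]), 1):
            if ra["desc"] != rb["desc"]:
                break  # rules were edited between snapshots; positions no longer line up
            delta = ra["pkts"] - rb["pkts"]
            if delta > 0:
                grew.append((name, f"rule {i}: {ra['desc']}", delta))
    return grew

def chains_hit(changes):
    # host-originated traffic moves OUTPUT/INPUT counters, forwarded traffic moves FORWARD
    return sorted({chain for chain, _, _ in changes})

# Constructed snapshots: BEFORE copies the counters from the question, AFTER is made up.
BEFORE = """\
Chain INPUT (policy DROP 332 packets, 244K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1254 79084 ACCEPT     tcp  --  *      *       66.66.66.5           66.66.66.3           tcp dpt:21385 ctstate NEW,ESTABLISHED
 1453 2495K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 373 packets, 47731 bytes)
 pkts bytes target     prot opt in     out     source               destination
  952  156K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
"""
AFTER = """\
Chain INPUT (policy DROP 340 packets, 251K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1260 79460 ACCEPT     tcp  --  *      *       66.66.66.5           66.66.66.3           tcp dpt:21385 ctstate NEW,ESTABLISHED
 1470 2604K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 46 packets, 38120 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 381 packets, 48415 bytes)
 pkts bytes target     prot opt in     out     source               destination
  965  158K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
"""

if __name__ == "__main__":
    if len(sys.argv) == 3:
        before, after = (open(p).read() for p in sys.argv[1:])
    else:
        before, after = BEFORE, AFTER
    for chain, label, delta in diff_counters(parse_listing(before), parse_listing(after)):
        print(f"{chain:8} +{delta:<6} {label}")
```

Counters only tell you which chain saw the packets, not which rule accepted them; if you need that level of detail, the TRACE target in the raw table prints every rule a marked packet hits (via the kernel log on legacy iptables, `nft monitor trace` on nftables-backed iptables). Take the snapshots close together so unrelated background traffic does not muddy the deltas.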

DiDiev:
But they both use `ctstate RELATED,ESTABLISHED`, so `NEW` connections should not be allowed.
Answerer:
Sorry, my first answer was completely wrong. I have replaced the answer.
DiDiev:
But the device that has these rules (it has the IPs `99.99.99.3` and `66.66.66.3`) is not supposed to do any routing. And it doesn't. Therefore I thought the `FORWARD` chain is irrelevant for my use. If I add another cable that connects to the internet, and gives the device another IP through DHCP that is not explicitly allowed in the rules, why can it even start a connection to the internet? In my mind, the device itself contacting an internet server is `OUTPUT` and not `FORWARD`? Several docs seem to confirm this.
Answerer:
Then it must be something else in your network that causes this, I have asked for more information.
DiDiev:
I have added the info you requested. Thanks for trying to help!