Score:1

iptables blocking all packets on boot

fr flag

A while ago, I had several problems with my Ethernet card and had to completely reset my network configuration (I had to rewrite and reload a new netplan.yaml, which uses Network Manager).

A side effect of this (I think; it might have been caused by another fix I tried) is that I couldn't access the internet anymore. A solution provided in "How to completely reset ubuntu networking settings?" is to flush the iptables rules, which indeed works, but it is a "temporary fix", as in I, like user joe_inz in the original thread, have to do it on every startup (which is not convenient).

Here is the output of sudo iptables -L on every boot:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere

As you can see, it basically blocks everything.

After digging down a bit and understanding what iptables is (and, consequently, also understanding how having no rules at all is not a great idea), I took the "beginner" set of rules provided here (https://doc.ubuntu-fr.org/iptables), installed iptables-persistent, and saved them in /etc/iptables/rules.v4.

Here is how the rules look after the first import (and how they should look):

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,PSH,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:SYN,RST/SYN,RST
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ! ctstate INVALID

However, after rebooting, I had no internet access, same as before, so I rechecked the rules and they looked like this:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,PSH,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:SYN,RST/SYN,RST
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ! ctstate INVALID

For no apparent reason, there were again rules that drop every single packet.

iptables-restore does at least restore the set of rules I took online, which is way better than nothing (so I'll use that instead of a complete flush as I did before), but does anyone know why my laptop would drop everything by default and how to fix that?

PS: Also, if you have any tips on how I could fine-tune this set of rules, they would be greatly welcome, as having a solid firewall is not negligible.

PPS: I am on Ubuntu 20.04, if that makes any difference.
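An added diagnostic helper, not part of the question or any answer: it parses iptables-save output and reports, per chain, the unconditional DROP rules and how many of the intended rules sit behind them and can therefore never match, which is exactly what the post-reboot listing above shows. The sample dump is constructed to mirror that listing; the "-i lo" match and the LOG level are assumptions, since plain iptables -L hides them.

```python
# Audit an iptables-save dump for unconditional DROP/REJECT rules and the
# rules they shadow. Run as: sudo iptables-save | python3 audit_iptables.py
import sys

# Constructed sample mirroring the post-reboot chains in the question.
# The "-i lo" match and the log level are assumptions (iptables -L hides them).
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -j DROP
-A INPUT -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-level 4
-A OUTPUT -j DROP
-A OUTPUT -j DROP
-A OUTPUT -m conntrack ! --ctstate INVALID -j ACCEPT
COMMIT
"""

def parse_dump(text):
    """Return (policies, rules): chain -> policy, chain -> [(match tokens, target)]."""
    policies, rules = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):                                   # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A ") and "-j" in line.split():     # "-A CHAIN <matches> -j TARGET"
            tok = line.split()
            j = tok.index("-j")
            rules.setdefault(tok[1], []).append((tok[2:j], tok[j + 1]))
    return policies, rules

def blanket_drops(text):
    """Per chain, 1-based positions (as iptables -L --line-numbers shows them)
    of DROP/REJECT rules that carry no match at all."""
    _, rules = parse_dump(text)
    hits = {c: [i for i, (spec, tgt) in enumerate(rl, 1)
                if not spec and tgt in ("DROP", "REJECT")] for c, rl in rules.items()}
    return {c: p for c, p in hits.items() if p}

def shadowed_counts(text):
    """Per chain, how many rules follow the first blanket drop and so never match."""
    _, rules = parse_dump(text)
    return {c: len(rules[c]) - min(p) for c, p in blanket_drops(text).items()}

if __name__ == "__main__":
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    print("blanket drops:", blanket_drops(dump), "shadowed rules:", shadowed_counts(dump))
```

Run it right after boot and again after iptables-restore; a non-empty result on the first run but not the second confirms something is prepending rules before iptables-persistent loads.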

Score:1
fr flag

Well, the problem seems to have fixed itself with a recent iptables-persistent update, but I'm not even sure. I just wanted to say it has returned to normal now.
