iptables prevents me from connecting

Question

I'm using Ubuntu 18.04 and my current iptables rules are from this question; iptables -L gives:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy DROP)
target     prot opt source               destination         
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

and with these I can't connect anywhere. I have to flush the list and accept again (from scratch) to restore connectivity. Why are these not working?

You mean that you can't access Internet with these rules or your instance is not accessible from outside? Please post also the output of sudo iptables -S. — pa4080, Dec 12 '18 at 09:32
You need to allow the local interface: sudo iptables -A INPUT -i lo -j ACCEPT — Doug Smythies, Dec 12 '18 at 15:23
@DougSmythies please make it an answer :) also please explain why that is necessary if possible. Thanks for fixing it! — cahenepudi, Dec 12 '18 at 21:42
Related: https://unix.stackexchange.com/questions/81107/why-must-loopback-traffic-be-authorized-using-iptables-to-get-web-access — cahenepudi, Dec 12 '18 at 22:06

Doug Smythies · Accepted Answer · 2018-12-12T22:22:44.977

You need to allow the local loopback interface:

sudo iptables -A INPUT -i lo -j ACCEPT

Sometimes inter-process communications takes place over the loopback interface. See here for more information about the loopback interface.

EDIT: So I have exactly this on one of my test computers:

doug@s17:~$ sudo iptables -v -x -n -L

Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      94     9843 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    5093  6056565 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       8      613 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 3904 packets, 321224 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Now, if I wanted to gain further insight into the rejected packets, I could also log them:

sudo iptables --insert INPUT 3 --jump LOG --log-prefix "INPUT-REJECT:" --log-level info

And then (after some more rejects) look at /var/log/syslog:

Dec 12 14:18:42 s17 kernel: [2007598.577383] INPUT-REJECT:IN=ens5 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:9b:f9:21:26:08:00 SRC=192.168.111.101 DST=255.255.255.255 LEN=42 TOS=0x00 PREC=0x00 TTL=1 ID=4970 PROTO=UDP SPT=55705 DPT=3289 LEN=22
Dec 12 14:18:42 s17 kernel: [2007598.695347] INPUT-REJECT:IN=ens5 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:9b:f9:21:26:08:00 SRC=192.168.111.101 DST=255.255.255.255 LEN=42 TOS=0x00 PREC=0x00 TTL=1 ID=4971 PROTO=UDP SPT=55708 DPT=3289 LEN=22
Dec 12 14:18:43 s17 kernel: [2007599.014201] INPUT-REJECT:IN=ens5 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:9b:f9:21:26:08:00 SRC=192.168.111.101 DST=255.255.255.255 LEN=42 TOS=0x00 PREC=0x00 TTL=1 ID=4972 PROTO=UDP SPT=55712 DPT=3289 LEN=22

And I observe that they are just broadcast packets from this computer that I am typing on now.

Although it's a bit weird, I can browse websites such as this one, but not google.com (maybe because I was allowing everything before committing the rules above and this connection remained as established / related?) — cahenepudi, Dec 12 '18 at 21:56
I don't know what to say. I loaded the same rules on a test computer, and they work for me. I'll edit my question to show exactly what I have. — Doug Smythies, Dec 12 '18 at 22:14

iptables prevents me from connecting

1 Answers1