
I wanted to add some rules to iptables from this question and answers to route traffic from the torrent program Transmission through a VPN (Surfshark in my case).

At least two of the answers use iptables -F to flush the tables before adding the custom rules.

One of these answers specifically references a headless server (like mine). So I suspect this should work.

But if I use iptables -F I instantly get kicked out of my ssh session to the server. I am unable to type any new command in the terminal and have to reboot the server to log in again.

I have a firewall running on the server that permits port 22 to every IP.


For clarification I will add some output from before and after I applied the accepted answer:

Before (notice policy DROP):

     $ sudo iptables -xvnL
Chain INPUT (policy DROP 21 packets, 5628 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     387    31969 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
   27008 50413306 ufw-before-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   27008 50413306 ufw-before-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
     153    26176 ufw-after-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      21     5628 ufw-after-logging-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      21     5628 ufw-reject-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
      21     5628 ufw-track-input  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ufw-before-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-before-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-after-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-after-logging-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-reject-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0        0 ufw-track-forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 7 packets, 324 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    7130   870596 ufw-before-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    7130   870596 ufw-before-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     997   113175 ufw-after-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     997   113175 ufw-after-logging-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     997   113175 ufw-reject-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     997   113175 ufw-track-output  all  --  *      *       0.0.0.0/0            0.0.0.0/0

After:

 $ sudo iptables -L -v
Chain INPUT (policy ACCEPT 12648 packets, 12M bytes)

This is after I set the policy to ACCEPT, then flushed, then added the rules for transmission-daemon from the other answer here, then made this setting persistent across reboots with sudo dpkg-reconfigure iptables-persistent, rebooted and logged in via ssh. I now would like to set the policy to DROP, but this will kick me out again.

Maybe interesting: I deactivated the ufw firewall just to make sure. After I reactivated it, it also threw me out (while the policy was ACCEPT). Of course I had an allow 22 rule. I had to reboot and then I could log in again with the firewall working.

I lack understanding of iptables and will definitely look into it. I don't know how activating the firewall can throw me out if the main policy is ACCEPT and the firewall has port 22 open.

 $ sudo iptables -xvnL
[sudo] Passwort für ben: 
Chain INPUT (policy ACCEPT 34981 packets, 9871660 bytes)
    pkts      bytes target     prot opt in     out     source               destination         
     121    15110 f2b-sshd   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
       0        0 ACCEPT     all  --  tun0   *       0.0.0.0/0            0.0.0.0/0           
       0        0 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
     134    12445 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0            all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 19730 packets, 3108705 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            192.168.100.0/25     tcp spt:9091 owner GID match 136
       0        0 ACCEPT     udp  --  *      eth0    0.0.0.0/0            192.168.100.0/25     udp spt:9091 owner GID match 136
       0        0 ACCEPT     all  --  *      tun0    0.0.0.0/0            0.0.0.0/0            owner GID match 136
       0        0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            owner GID match 136
       0        0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            owner GID match 136 reject-with icmp-port-unreachable

Chain f2b-sshd (1 references)
    pkts      bytes target     prot opt in     out     source               destination
     121    15110 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain ufw-after-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-after-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-after-logging-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-after-logging-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-after-logging-output (0 references) pkts bytes target prot opt in out source destination

Chain ufw-after-output (0 references) pkts bytes target prot opt in out source destination

Chain ufw-before-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-before-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-before-logging-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-before-logging-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-before-logging-output (0 references) pkts bytes target prot opt in out source destination

Chain ufw-before-output (0 references) pkts bytes target prot opt in out source destination

Chain ufw-logging-allow (0 references) pkts bytes target prot opt in out source destination

Chain ufw-logging-deny (0 references) pkts bytes target prot opt in out source destination

Chain ufw-not-local (0 references) pkts bytes target prot opt in out source destination

Chain ufw-reject-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-reject-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-reject-output (0 references) pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-skip-to-policy-output (0 references) pkts bytes target prot opt in out source destination

Chain ufw-track-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-track-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-track-output (0 references) pkts bytes target prot opt in out source destination

Chain ufw-user-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-user-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-user-limit (0 references) pkts bytes target prot opt in out source destination

Chain ufw-user-limit-accept (0 references) pkts bytes target prot opt in out source destination

Chain ufw-user-logging-forward (0 references) pkts bytes target prot opt in out source destination

Chain ufw-user-logging-input (0 references) pkts bytes target prot opt in out source destination

Chain ufw-user-logging-output (0 references) pkts bytes target prot opt in out source destination

Chain ufw-user-output (0 references) pkts bytes target prot opt in out source destination

Here are the firewall rules:

$ sudo ufw status
Status: Aktiv

Zu                         Aktion      Von

22                         ALLOW       192.168.100.0/24
5900                       ALLOW       192.168.100.0/24           # vnc
1900                       ALLOW       192.168.100.0/24           # minidlna
8200                       ALLOW       192.168.100.0/24           # minidlna
445                        ALLOW       192.168.100.0/24           # cifs
5901                       ALLOW       192.168.100.0/24           # vnc
5902                       ALLOW       192.168.100.0/24           # vnc

One additional thing: do I have an eth0 interface? My ZOTAC mini PC has two ethernet connections and I was just confused that eth0 does not come up. The script for setting the rules uses IFACE_INTERNAL=eth0. Could that be an issue?

$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 00:01:2e:4d:52:96 brd ff:ff:ff:ff:ff:ff
3: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:01:2e:4d:52:9b brd ff:ff:ff:ff:ff:ff
4: wlp2s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ether 0c:d2:92:57:c2:53 brd ff:ff:ff:ff:ff:ff
bomben
    You do not appear to have an eth0. You need to change the related rules to use the proper interface, though I do not know which is which. ip addr would help to know the IP addresses. – Doug Smythies Dec 14 '20 at 19:11
  • Thanks a lot! I was reading in parallel and just waited for your confirmation. My ethernet ports are called enp3s0 and enp4s0, which seems to be because I have two of them. After changing the script I was able to set policy DROP without being thrown out. Thanks again, you were very helpful! – bomben Dec 14 '20 at 19:34

1 Answer

Yes. The iptables -F chain will flush all of the iptables rules for that chain, and therefore only the default policy rule will be used.

It seems likely that the default policy for your references was ACCEPT, while the default policy on your computer is DROP.

Check via sudo iptables -xvnL. If you want to delete all of your rules in a chain, but maintain your ssh session, change the default policy to ACCEPT first. You can change it back to DROP after you have the rules you want in place, and you confirm your ssh packets are no longer relying on the default policy to get through.

sudo iptables -P INPUT ACCEPT

You might need it on the OUTPUT chain also.

Doug Smythies
  • After sudo iptables -P INPUT DROP I am again thrown out of the ssh session. How can I flush, then apply the script from https://askubuntu.com/questions/37412/how-can-i-ensure-transmission-traffic-uses-a-vpn and then get the original rules for SSH and all the others back that I flushed? – bomben Dec 14 '20 at 10:39
  • 1
    Please edit your question adding your entire iptables rule set just prior to attempting to add the DROP default policy. I guess you are mixing ufw and iptables. ufw generated rules are difficult to follow. – Doug Smythies Dec 14 '20 at 15:32
  • I added information on the iptables rule set prior to DROP, my firewall settings and some issue with eth0, but I am not sure if it is relevant. – bomben Dec 14 '20 at 16:49
  • Just wanted to confirm that I had a ufw issue! The rules from ufw did not appear in iptables any more even though they should have been there. I reset ufw, deleted all special chains and set up the iptables rules for the transmission-daemon, then added the ufw stuff again and now it works like it should. https://askubuntu.com/questions/1300342/is-it-correct-that-a-torrent-gets-downloaded-via-enp3s0-eth0-even-if-outgoing/1300505#1300505 – bomben Dec 16 '20 at 13:19
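The ordering the answer describes (open the policy, flush, re-add the rules the session depends on, only then close the policy), as an added example script that is not part of the question or answer. It assumes the interface name enp3s0 and the LAN 192.168.100.0/24 from the question's own output; by default it only prints the iptables commands, so it can be reviewed before being run as root with IPT=iptables.

```shell
#!/bin/sh
# Safe re-application of INPUT rules on a headless host reached over SSH.
# The policy is opened BEFORE the flush so the session never depends on a
# rule that no longer exists, and closed again only after an explicit SSH
# accept rule is in place. IPT defaults to a dry run that prints commands.
IPT="${IPT:-echo iptables}"
IFACE_INTERNAL="${IFACE_INTERNAL:-enp3s0}"   # assumption: the LAN NIC from `ip link`, not eth0
LAN="${LAN:-192.168.100.0/24}"                # assumption: the LAN seen in the ufw rules
SSH_PORT="${SSH_PORT:-22}"

# Return true if the kernel knows an interface by this name. A rule bound to a
# name that does not exist (eth0 on this box) matches nothing, so the SSH
# session silently falls through to the chain policy.
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

reapply_input_rules() {
    # 1. Open the policy first: after the flush only the policy decides.
    $IPT -P INPUT ACCEPT
    # 2. Now the flush cannot cut the session.
    $IPT -F INPUT
    # 3. Re-add the rules the session relies on.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$IFACE_INTERNAL" -s "$LAN" -p tcp --dport "$SSH_PORT" -j ACCEPT
    # 4. Only now is it safe to make DROP the default again.
    $IPT -P INPUT DROP
}

# Refuse to proceed when the interface the SSH rule is bound to does not exist.
main() {
    if ! iface_exists "$IFACE_INTERNAL"; then
        echo "interface $IFACE_INTERNAL not found; check ip link before applying" >&2
        return 1
    fi
    reapply_input_rules
}
```

After applying for real, confirm with sudo iptables -xvnL that the SSH accept rule's packet counter is increasing before trusting the DROP policy.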