linux
kizijo, 2018-04-26 02:22:19

Why does iptables drop traffic on -P OUTPUT DROP?

In order for the Internet to work only when the VPN is enabled, I set the following iptables commands:

iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain

iptables -P OUTPUT DROP

iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo

iptables -A OUTPUT -j ACCEPT -d 123.45.67.89   # VPN server

iptables -A OUTPUT -j ACCEPT -o tun0

Then I save these rules with:

netfilter-persistent save

As a result, the output of the iptables -L command is:

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             123.45.67.89
ACCEPT     all  --  anywhere             anywhere

And the cat /etc/iptables/rules.v4 command gives the following:

# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Wed Apr 25 12:57:29 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 123.45.67.89/32 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
# Completed on Wed Apr 25 12:57:29 2018
# Generated by iptables-save v1.6.0 on Wed Apr 25 12:57:29 2018
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [7:392]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 25 12:57:29 2018

Everything should work, and it did work for a year, but today for some reason it stopped: with these firewall rules, the firewall started letting traffic out to the Internet even when the VPN is turned off.
All I did today was update VirtualBox and add a new VPN server in Network Manager.
Either I'm missing something obvious, or I don't even know where to look... Does anyone have any ideas?
OS: Debian 9.4 x64
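One thing worth knowing when reading the listing above: plain iptables -L does not show the -i/-o interface match, so the "-o lo" and "-o tun0" rules print as "ACCEPT all -- anywhere anywhere", indistinguishable from an accept-all rule; iptables -S or iptables-save shows the real rule. The following script is an added example (not from the original post or from iptables itself) that audits an iptables-save dump for the kill-switch invariants the ruleset above depends on: OUTPUT policy DROP, and only loopback, the tunnel interface and the VPN server address accepted. The interface name tun0 and the address 123.45.67.89 are taken from the question; the sample dumps are constructed.

```shell
#!/bin/sh
# Audit an iptables-save dump for VPN kill-switch invariants (added example).
# Arguments: tunnel interface, VPN server IPv4 address. Dump is read from stdin:
#   iptables-save | audit_killswitch tun0 123.45.67.89
audit_killswitch() {
    tun="$1"; vpn="$2"; rc=0
    dump=$(cat)
    # 1. The filter-table OUTPUT chain must default to DROP.
    printf '%s\n' "$dump" | grep -q '^:OUTPUT DROP' \
        || { echo "FAIL: OUTPUT policy is not DROP"; rc=1; }
    # 2. Every ACCEPT rule in OUTPUT must be one of the three intended shapes;
    #    anything else (e.g. a bare '-A OUTPUT -j ACCEPT') defeats the switch.
    #    iptables-save always writes a single host address as a /32 prefix.
    printf '%s\n' "$dump" | grep '^-A OUTPUT .*-j ACCEPT' | while read -r rule; do
        case "$rule" in
            "-A OUTPUT -o lo -j ACCEPT"|"-A OUTPUT -o $tun -j ACCEPT"|"-A OUTPUT -d $vpn/32 -j ACCEPT") ;;
            *) echo "FAIL: unexpected OUTPUT rule: $rule"; exit 1 ;;
        esac
    done || rc=1
    [ "$rc" -eq 0 ] && echo "OK: kill-switch invariants hold"
    return "$rc"
}

# Constructed sample dumps: GOOD_RULES is the filter table from the question's
# rules.v4; BAD_RULES is the same dump with the OUTPUT policy relaxed to ACCEPT.
GOOD_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 123.45.67.89/32 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT'
BAD_RULES=$(printf '%s\n' "$GOOD_RULES" | sed 's/^:OUTPUT DROP/:OUTPUT ACCEPT/')

printf '%s\n' "$GOOD_RULES" | audit_killswitch tun0 123.45.67.89
printf '%s\n' "$BAD_RULES"  | audit_killswitch tun0 123.45.67.89 || echo "(rejected as expected)"
```

On a live host the audit only tells you what the rules say; whether packets actually leave is confirmed by watching the per-rule counters in iptables -L -v -n while the VPN is down.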

1 answer(s)
kizijo, 2018-04-26
@kizijo

Solution:
I. Just. Had. To. Change. WiFi.
After connecting to another router, the firewall started blocking the Internet correctly. How is this possible?
I.e., even when it blocked all of OUTPUT and FORWARD entirely, the Internet still worked. It was as if the firewall wasn't working at all. But, as it turned out, all this only happens when connecting to a particular WiFi in a particular cafe. I haven't seen it anywhere else.
How could the router affect how iptables works (though I'm not sure it affected iptables at all)?
Could it be some network-manager glitch in Debian?
