$ cat /etc/nftables.conf
#!/usr/sbin/nft -f

flush ruleset

table ip firewall {
  chain input {
    type filter hook input priority filter; policy drop;
    iif "lo" accept
    iif != "lo" ip daddr 127.0.0.0/8 drop
    tcp dport 22 accept
    ct state established,related accept
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
  }

  chain output {
    type filter hook output priority filter; policy drop;
    iif "lo" accept
    udp dport { 53, 123 } accept
    tcp dport { 53, 80, 443 } accept
    ct state established,related accept
  }
}

The connection eventually works, but it takes much longer than anticipated.

Running journalctl -f, I see systemd[1]: Failed to start User Manager for UID 1000 before the connection is finally established.

If I run nft flush ruleset, the connection works immediately.

sunknudsen

2 Answers

For incoming connections, ALL external incoming packets match this rule:

iif != "lo" ip daddr 127.0.0.0/8 drop

as they come in on an interface which is not the local loopback and their destination address is definitely not in the 127.0.0.0/8 network. I am surprised it goes through even after some timeout, unless you also have IPv6 up and running.

For all locally initiated outgoing connections which are not DNS, NTP, HTTP or HTTPS - they hit the output chain drop policy. Again - they should not work at all unless you also have IPv6 up and running.

Tomek

Found the issue: a typo in the output chain. iif "lo" accept should be oif "lo" accept.

sunknudsen
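Why the one-word typo has that effect: packets processed in the output hook are locally generated and carry no input interface, so an iif "lo" match can never be true there; the egress interface (oif) is what identifies loopback traffic on the way out. With the original file, every locally initiated connection to 127.0.0.1 on a port other than 53, 80, 123 or 443 fell through to the output chain's drop policy, which is consistent with flushing the ruleset making the login immediate. The ruleset below is an added example, not the original poster's file: it is the same table and chain names from the question with the fix applied, plus counters and a logged catch-all drop so that the next stalled service shows up in the kernel log instead of just timing out.

```nft
#!/usr/sbin/nft -f
# Added example, not the file from the question: same table and chain names,
# with the output-chain fix applied and counters on the rules that matter.

flush ruleset

table ip firewall {
  chain input {
    type filter hook input priority filter; policy drop;
    iif "lo" accept
    # Martian traffic: packets for a loopback address arriving on a real interface.
    iif != "lo" ip daddr 127.0.0.0/8 counter drop
    tcp dport 22 accept
    ct state established,related accept
  }

  chain forward {
    type filter hook forward priority filter; policy drop;
  }

  chain output {
    type filter hook output priority filter; policy drop;
    # Locally generated packets have no input interface, so "iif" never matches
    # in this hook; match on the egress interface instead. The counter makes it
    # easy to confirm that loopback traffic is actually hitting this rule.
    oif "lo" counter accept
    udp dport { 53, 123 } accept
    tcp dport { 53, 80, 443 } accept
    ct state established,related accept
    # Count and log whatever still falls through before the policy drops it.
    counter log prefix "firewall output drop: " drop
  }
}
```

Check the file with nft -c -f /etc/nftables.conf before loading it with nft -f, then watch nft list chain ip firewall output: the oif "lo" counter should climb as soon as anything talks over loopback, and any remaining drops appear in journalctl -k with the "firewall output drop:" prefix, which is a faster way to find a blocked local service than waiting for a timeout.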