
I've got a VM at a hosting service and installed a basic firewall with nftables. However, when it is active, all outbound traffic seems to get blocked. For example, when trying to ping google.com, I get a `No route to host` error. This occurs for any host I try to ping.

Here's my (really basic) config:

```
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # allow connection from loopback
    iifname lo accept;

    # established/related connections
    ct state {established, related} accept;

    # drop invalid connections
    ct state invalid drop;

    # allow ping
    ip protocol icmp icmp type echo-request accept;
    icmpv6 type echo-request accept;

    # allow ssh connection on port 22
    tcp dport 22 accept;

    log flags all;
  }
  chain forward {
    type filter hook forward priority 0;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
```

I just cannot figure out where my problem lies.

EDIT: After trying out some more stuff, I've set up a second VM from a different provider, with the same problem.

Furthermore, right after I enable the firewall, there is a brief time period when commands like `mtr` and `ping` take longer to execute. In the case of `mtr`, I am first able to get through to my target for about 10 seconds. Then I start experiencing losses on the trace before getting the `No route to host` error after a little more time. Sometimes I also get a `Temporary failure in name resolution` error instead when trying to execute the command. I'm not sure what exactly is causing this.

Lithimlin
  • I do not think the issue is because of this firewall ruleset - I copied & pasted this ruleset to my Linux host, and I am able to ping any host just fine! – Martin May 12 '22 at 13:03
  • That's what I thought too, but it works just fine when I disable the nftables. – Lithimlin May 12 '22 at 13:10
  • There must be other rules active somewhere... Please check if there are any `iptables-legacy` rules in place, or if the command `nft list ruleset` outputs any other rules than already posted ... – Martin May 12 '22 at 13:18
  • The `ip[6]tables[-legacy]` all have the `ACCEPT` policy. The only active ruleset is the one I posted. – Lithimlin May 12 '22 at 13:34
  • Okay, a `No route to host` error can have two causes: 1) firewall - in this case, there MUST be a rule somewhere with the target `REJECT` - or 2) real routing issues - there really is no route to the host. There is no option 3 (if anybody is able to prove me wrong - be my guest!)! Maybe you have a network cable with a loose contact, and the "it works when I disable nftables" has been a coincidence - I do not know, but I am 100% certain - these rules you have posted did not cause a `No route to host` error. – Martin May 12 '22 at 14:08
  • A loose network cable isn't something I'd be able to influence as this is a netcup VM. I've also tried this on another VM with it working, this time from another provider. – Lithimlin May 12 '22 at 14:18
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/136251/discussion-between-lithimlin-and-martin). – Lithimlin May 12 '22 at 14:24
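One check a practitioner reviewing the posted ruleset would make, added here as an example and not part of the original question or its comments: with `policy drop` on the `inet` input hook, the only ICMPv6 message the chain accepts is `echo-request`, so neighbour solicitations, neighbour advertisements and router advertisements arriving from the link are dropped, and without them a host cannot learn or refresh the link-layer address of its IPv6 gateway (the Linux IPv6 stack reports a failed neighbour resolution as `No route to host`). Because the chain ends in `log flags all`, every packet that falls through to the drop policy is written to the kernel log, so the kernel log (for example via `journalctl -k`, assumed to be available on the VM) shows exactly which packets the policy is dropping. The input chain below keeps the poster's rules and adds the neighbour-discovery types; it also sets the forward chain to `policy drop`, which the original left at the default accept.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's configuration: the same input chain
# with the ICMPv6 control messages an IPv6 host needs behind a drop policy.
flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    # allow connection from loopback
    iifname "lo" accept

    # established/related connections
    ct state { established, related } accept

    # drop invalid connections
    ct state invalid drop

    # IPv4 ping
    ip protocol icmp icmp type echo-request accept

    # IPv6 ping plus neighbour/router discovery. These are link-local control
    # messages that are not covered by conntrack state, so they must be
    # accepted explicitly or the host loses its IPv6 default gateway.
    icmpv6 type { echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

    # allow ssh connection on port 22
    tcp dport 22 accept

    # Everything else is counted, logged with a prefix (kernel log) and then
    # hits the drop policy. The counter is visible in 'nft list ruleset'.
    counter log prefix "nft-input-drop: " flags all
  }
  chain forward {
    # this VM is not a router, so nothing should be forwarded
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
```

Load it with `nft -f <file>` and then inspect `nft list ruleset` for the drop counter and the kernel log for the prefixed entries; if the prefixed lines show ICMPv6 types 135/136 (neighbour solicitation/advertisement) before the change and none after, the missing accept rules were what the policy was dropping.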

0 Answers