I've got top rule:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
... other rules, non-involving tap777 ...
-A INPUT -i tap777 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i tap777 -p udp -m udp --dport 53 -j ACCEPT
And I'm seeing this in the logs:
Oct 25 04:09:43 ip-xxx-xx-xx-xxx 1 kernel: [ 1824.841222] iptables denied: IN=tap777 OUT= MAC=xx:xx:c6:93:91:bb:b8:ae:ed:7b:d1:83:08:xx SRC=10.20.1.141 DST=10.20.1.1 LEN=343 TOS=0x00 PREC=0x00 TTL=128 ID=4977 PROTO=UDP SPT=68 DPT=67 LEN=323
To me it seems the denial is explicitly the same as the rule. Same dport, same proto, same in interface. So I only wonder if it has something to do with it not being the right chain?
sudo iptables -L gives:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere 127.0.0.0/8 reject-with icmp-port-unreachable
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT icmp -- anywhere anywhere icmp echo-request
LOG all -- anywhere anywhere limit: avg 5/min burst 5 LOG level debug prefix "iptables denied: "
ACCEPT udp -- anywhere anywhere udp dpt:11900
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Could someone give me some insight into why this may be? Or something to try? Thanks!
