What is the nft rule to let SSH tunnel to work?

Question

I can make SSH connection with a "All IP is matched" rules in nft:

table ip filter {
    chain INPUT {
            type filter hook input priority 0; policy drop;
            iifname "eth0" ip saddr { 0.0.0.0-255.255.255.255 } accept
    }

    chain FORWARD {
            type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
            type filter hook output priority 0; policy accept;
    }
}

SSH tunnel works without above ruleset, but not work when nft ruleset presents:

putty

Question: What is the minimal rule to make SSH tunnel works while keeping the input policy "drop"?

score 0 · Answer 1 · answered Apr 30 '19 at 03:14

Default policy "drop" applies to ALL interface. While the custom rules applies to "eth0" specifically. As a result, any traffic that rely on loopback interface, such as SSH tunnel, will be blocked by the default policy.

To answer the question, either remove the "eth0" interface:

...
chain INPUT {
        type filter hook input priority 0; policy drop;
        ip saddr { 0.0.0.0-255.255.255.255 } accept
}
...

Or add the loopback interface:

...
chain INPUT {
        type filter hook input priority 0; policy drop;
        iifname { "lo", "eth0" } ip saddr { 0.0.0.0-255.255.255.255 } accept
}
...

What is the nft rule to let SSH tunnel to work?

1 Answers1