I have a ruleset in my server looking like this:

table inet firewall {
    chain INBOUND {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" counter packets 0 bytes 0 accept
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
        tcp dport 22 accept
        log
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTBOUND {
        type filter hook output priority filter; policy drop;
        oif "lo" counter packets 35 bytes 1946 accept
        tcp dport 22 accept
    }
}

I'm not able to connect via ssh on port 22 even though it should be open. If I type:

$ nft flush ruleset

then port 22 allows connections.

What am I doing wrong?

2 Answers

It seems to me that the rules in the "OUTBOUND" chain are the problem.

You have tcp dport 22 accept but I think that should be tcp sport 22 accept because when the SSH packets are outbound from your server they will have a source port of 22, not a destination port of 22.

Jeremy Caney
Berto
Change your OUTBOUND chain to:

chain OUTBOUND {
    type filter hook output priority filter; policy drop;

    # Allow traffic from established and related packets, drop invalid
    ct state vmap { established : accept, related : accept, invalid : drop }

    # Allow loopback
    oif "lo" accept

    # Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
    ct state new udp dport { 53, 67, 123, 547 } accept
    ct state new tcp dport { 53, 80, 443, 587 } accept

    log prefix "DROP_output: " limit rate 3/second
}
  • Not accepting related outbound connections stopped sshd from responding.

  • Always log dropped packets at the end of every default deny chain. Often when something is not working it is a firewall issue.

Stuart Cardall
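The mistake behind this question (a default-deny output chain that accepts some new connections but never accepts the established flow, so sshd's replies are dropped) is easy to lint for before a ruleset is loaded. The script below is an added example, not code from either answer; it is a small offline audit that parses the text form of an nftables ruleset, finds every chain with policy drop, and reports those that contain at least one accept rule but no rule accepting ct state established (in either the list form used in the question's INBOUND chain or the vmap form used in the second answer). Both rulesets embedded as test input are constructed from the text of this page; the function and variable names are the example's own.

```python
import re

# Constructed sample input: the asker's ruleset as posted in the question.
QUESTION_RULESET = """
table inet firewall {
    chain INBOUND {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" counter packets 0 bytes 0 accept
        ip protocol icmp limit rate 4/second accept
        tcp dport 22 accept
        log
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTBOUND {
        type filter hook output priority filter; policy drop;
        oif "lo" counter packets 35 bytes 1946 accept
        tcp dport 22 accept
    }
}
"""

# Constructed sample input: the OUTBOUND chain as rewritten in the second answer.
FIXED_RULESET = """
table inet firewall {
    chain OUTBOUND {
        type filter hook output priority filter; policy drop;
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        oif "lo" accept
        ct state new udp dport { 53, 67, 123, 547 } accept
        ct state new tcp dport { 53, 80, 443, 587 } accept
        log prefix "DROP_output: " limit rate 3/second
    }
}
"""


def parse_chains(ruleset: str) -> dict:
    """Line-based parse of `nft list ruleset` text into
    {chain_name: {"policy": "accept"|"drop"|None, "rules": [str, ...]}}.
    Comments (# at line start or after whitespace) are stripped; set and
    vmap braces stay on one line, so a bare '}' line always closes a chain."""
    chains = {}
    current = None
    for raw in ruleset.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        m = re.match(r"chain\s+(\S+)\s*\{", line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": None, "rules": []}
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            continue  # table header or stray text outside any chain
        pm = re.search(r"policy\s+(accept|drop)", line)
        if line.startswith("type ") and pm:
            chains[current]["policy"] = pm.group(1)
        else:
            chains[current]["rules"].append(line)
    return chains


def accepts_established(rule: str) -> bool:
    """True if the rule accepts packets of an established flow, in either
    'ct state established,related accept' or the
    'ct state vmap { established : accept, ... }' form."""
    if not rule.startswith("ct state"):
        return False
    if "vmap" in rule:
        return re.search(r"established\s*:\s*accept", rule) is not None
    m = re.match(r"ct state\s+([\w,]+)\s+accept", rule)
    return m is not None and "established" in m.group(1).split(",")


def audit(ruleset: str) -> list:
    """Return names of policy-drop chains that accept some traffic but never
    accept the established state. Chains with no accept at all (like FORWARD
    above) are left alone: they pass nothing, so there is no flow to break."""
    findings = []
    for name, chain in parse_chains(ruleset).items():
        if chain["policy"] != "drop":
            continue
        rules = chain["rules"]
        has_accept = any(r.endswith("accept") or ": accept" in r for r in rules)
        if has_accept and not any(accepts_established(r) for r in rules):
            findings.append(name)
    return findings


if __name__ == "__main__":
    print("question ruleset:", audit(QUESTION_RULESET))  # ['OUTBOUND']
    print("fixed ruleset:   ", audit(FIXED_RULESET))     # []
```

Run against the question's ruleset it reports only OUTBOUND, which is exactly the chain both answers point at; the INBOUND chain passes because of its `ct state established,related accept` rule, and the second answer's rewritten chain passes because of the vmap. The check deliberately looks for the established state rather than for a per-service `sport` rule, since a conntrack accept covers replies for every service the chain permits, whereas a `tcp sport 22 accept` rule fixes only SSH.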