iptables blocking all packets on boot

A while ago, I had several problems with my Ethernet card and had to completely reset my network configuration (I had to rewrite and reload a new netplan.yaml, which uses Network Manager).

A side effect of this (I think; it might have been caused by another fix I tried) is that I couldn't access the internet anymore. A solution provided in "How to completely reset ubuntu networking settings?" is to flush the iptables rules, which indeed works, but is a "temporary fix" in that I, like user joe_inz in the original thread, have to do it on every startup (which is not convenient).

Here is the output of sudo iptables -L on every boot:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere

As you can see, it basically blocks everything.

After digging a bit and understanding what iptables is (and, consequently, also understanding that having no rules at all is not a great idea), I took the "beginner" set of rules provided at https://doc.ubuntu-fr.org/iptables, installed iptables-persistent, and saved them in /etc/iptables/rules.v4.

Here is how the rules look after the first import (and how they should look):

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,PSH,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:SYN,RST/SYN,RST
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ! ctstate INVALID

However, after rebooting, I had no internet access, same as before, so I rechecked the rules and they looked like this:

Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,PSH,URG/FIN,PSH,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             ctstate INVALID tcp flags:SYN,RST/SYN,RST
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere             LOG level warning

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ! ctstate INVALID

For no apparent reason, there were again rules that drop every single packet.

iptables-restore does at least restore the set of rules I took online, which is way better than nothing (so I'll use that instead of a complete flush as I did before), but does anyone know why my laptop would drop everything by default, and how to fix that?

PS: Also, if you have any tips on how I could fine-tune this set of rules, they would be greatly welcomed, as having a solid firewall is not negligible.

PPS: I am on Ubuntu 20.04, if that makes any difference.
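A check one can script for exactly this situation, added here as an example that is not part of the original post or of iptables-persistent: it compares the ruleset actually loaded (iptables-save) against the saved /etc/iptables/rules.v4 and flags rules that drop all traffic without any match, which is what the "DROP all -- anywhere anywhere" lines above are. The two sample rulesets embedded below are constructed, trimmed versions of the ones in the question.

```shell
#!/bin/sh
# Added example (not from the original post): diff the live iptables ruleset
# against the saved one and flag unconditional DROP rules. Run with --live as
# root for the real comparison; with no argument it checks the samples below.
LC_ALL=C; export LC_ALL

# Keep only "-A" rule lines, dropping the [pkts:bytes] counters that
# `iptables-save -c` prefixes. Never fails, even on empty input.
rule_lines() {
    sed 's/^\[[0-9]*:[0-9]*\] //' | grep '^-A ' || true
}

norm_rules() { rule_lines | sort -u; }   # order-independent form of a ruleset

# Print rules present in the live ruleset ($2) but not in the saved one ($1).
# Both arguments are iptables-save formatted text.
unexpected_rules() {
    saved_f=$(mktemp); live_f=$(mktemp)
    printf '%s\n' "$1" | norm_rules > "$saved_f"
    printf '%s\n' "$2" | norm_rules > "$live_f"
    comm -13 "$saved_f" "$live_f"   # lines only in the second file
    rm -f "$saved_f" "$live_f"
}

# Print every rule that drops all traffic with no match at all. Note that
# plain `iptables -L` hides interfaces; `iptables -L -v` shows them.
blanket_drops() {
    printf '%s\n' "$1" | rule_lines \
        | grep -E '^-A (INPUT|FORWARD|OUTPUT) -j DROP$' || true
}

# Constructed samples: a trimmed saved ruleset, and a live ruleset with the
# unexplained DROP rules inserted in front of it, as in the question.
SAVED_SAMPLE='*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack ! --ctstate INVALID -j ACCEPT
COMMIT'
LIVE_SAMPLE='*filter
[9:540] -A INPUT -j DROP
[0:0] -A INPUT -j DROP
[3:180] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[7:420] -A OUTPUT -j DROP
[0:0] -A OUTPUT -m conntrack ! --ctstate INVALID -j ACCEPT
COMMIT'

case "${1:-}" in
    --live) unexpected_rules "$(cat /etc/iptables/rules.v4)" "$(iptables-save)" ;;
    *)      unexpected_rules "$SAVED_SAMPLE" "$LIVE_SAMPLE" ;;
esac
```

Anything the live comparison prints was loaded by something other than the saved file, so it narrows the search to whatever else runs iptables at boot.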


Solution 1:

Well, the problem seems to have fixed itself with a recent iptables-persistent update, but I'm not even sure. I just wanted to say it has returned to normal now.