Why does traffic pass with iptables -P OUTPUT DROP?

To make sure the Internet only works when the VPN is up, I put the following commands into iptables:

iptables --flush
iptables --delete-chain
iptables -t nat --flush
iptables -t nat --delete-chain
iptables -P OUTPUT DROP
iptables -A INPUT -j ACCEPT -i lo
iptables -A OUTPUT -j ACCEPT -o lo
iptables -A OUTPUT -j ACCEPT -d 123.45.67.89   # VPN server
iptables -A OUTPUT -j ACCEPT -o tun0


Then I persist these rules with:

netfilter-persistent save

In the end, the output of iptables -L is:

root@host:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             123.45.67.89
ACCEPT     all  --  anywhere             anywhere


And cat /etc/iptables/rules.v4 gives this:

root@host:~# cat /etc/iptables/rules.v4
# Generated by iptables-save v1.6.0 on Wed Apr 25 12:57:29 2018
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 123.45.67.89/32 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
# Completed on Wed Apr 25 12:57:29 2018
# Generated by iptables-save v1.6.0 on Wed Apr 25 12:57:29 2018
*nat
:PREROUTING POLICY ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [7:392]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed on Wed Apr 25 12:57:29 2018


Everything should work, and it has worked for years, but today for some reason it stopped. With these firewall rules in place, the firewall started letting traffic out to the Internet even with the VPN turned off.

All I did today: updated VirtualBox and added a new VPN server in Network Manager.

If I'm staring straight at it and still can't see anything, then I don't even know what to think... Does anyone have ideas?

OS: Debian x64 9.4
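As an added example (not code from the original post), here is a small Python audit that parses the iptables-save format shown above and checks the properties the kill-switch depends on: OUTPUT policy DROP, and every OUTPUT ACCEPT restricted to loopback, the tunnel interface or the VPN server address. The sample dump, the `wlan0` interface name and the VPN address are constructed to mirror the question.

```python
"""Audit an iptables-save dump for a VPN kill-switch (added example).

Checks the same properties the poster relies on: the filter table's OUTPUT
policy is DROP, and each ACCEPT rule in OUTPUT is restricted to loopback,
the tunnel interface or the VPN server. Anything broader is reported.
"""
from dataclasses import dataclass, field

# Constructed sample in the same shape as the poster's /etc/iptables/rules.v4
SAMPLE_RULES_V4 = """\
# Generated by iptables-save v1.6.0 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 123.45.67.89/32 -j ACCEPT
-A OUTPUT -o tun0 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [7:392]
:POSTROUTING ACCEPT [0:0]
COMMIT
"""


@dataclass
class Table:
    policies: dict = field(default_factory=dict)  # chain name -> default policy
    rules: list = field(default_factory=list)     # (chain name, rule tokens)


def parse_iptables_save(text):
    """Parse iptables-save output into {table_name: Table}."""
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                       # *filter, *nat, ...
            current = tables.setdefault(line[1:], Table())
        elif line.startswith(":"):                     # :CHAIN POLICY [pkts:bytes]
            chain, policy = line[1:].split()[:2]
            current.policies[chain] = policy
        elif line.startswith("-A "):                   # -A CHAIN <matches> -j TARGET
            tokens = line.split()
            current.rules.append((tokens[1], tokens[2:]))
        elif line == "COMMIT":
            current = None
    return tables


def _opt(tokens, flag):
    """Return the value following `flag` in a rule's tokens, or None."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def audit_kill_switch(text, vpn_server, tun_iface="tun0"):
    """Return a list of findings; an empty list means the kill-switch shape is right."""
    findings = []
    filt = parse_iptables_save(text).get("filter")
    if filt is None:
        return ["no *filter table present"]
    if filt.policies.get("OUTPUT") != "DROP":
        findings.append("OUTPUT policy is not DROP")
    # The only egress the kill-switch should permit. A rule that carries
    # at least one of these matches is at most as broad as the intended set.
    allowed = {("-o", "lo"), ("-o", tun_iface), ("-d", f"{vpn_server}/32")}
    for chain, tokens in filt.rules:
        if chain != "OUTPUT" or _opt(tokens, "-j") != "ACCEPT":
            continue
        matches = {(f, _opt(tokens, f)) for f in ("-o", "-d") if f in tokens}
        if not (matches & allowed):
            findings.append(
                f"OUTPUT ACCEPT not restricted to lo/{tun_iface}/VPN server: "
                + " ".join(tokens)
            )
    return findings


if __name__ == "__main__":
    # Audit a dump captured with `iptables-save > dump.txt`, or the sample.
    import sys
    dump = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES_V4
    for finding in audit_kill_switch(dump, "123.45.67.89") or ["OK: kill-switch rules look complete"]:
        print(finding)
```

Note that `rules.v4` describes IPv4 filtering only; the ip6tables ruleset (`rules.v6`) is separate and is not shown in the question, so a complete check runs the same audit against an `ip6tables-save` dump as well.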

1 Answer

Solution:

I. Just. Needed. To. Change. The Wi-Fi access point.

When connecting through a different router, the firewall blocks the Internet correctly. How is that possible?

I.e., even with all of OUTPUT and FORWARD blocked, the Internet still worked. As if the firewall wasn't working at all. But as it turned out, this only happens when connecting to the Wi-Fi in a cafe. I have never seen it anywhere else.

How could the router affect iptables (though I'm not sure it actually influenced how iptables works)?
Could this be some bug in network-manager on Debian?