Internet not working when iptables INPUT rule = DROP
I have no internet when I forbid all incoming traffic. Why? Here is the output from the terminal:
dev@dev-pc:~$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
dev@dev-pc:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=4.02 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=4.29 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=60 time=4.13 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 4.016/4.145/4.292/0.113 ms
dev@dev-pc:~$ sudo iptables -P INPUT DROP
dev@dev-pc:~$ sudo iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
dev@dev-pc:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
^C
--- 1.1.1.1 ping statistics ---
7 packets transmitted, 0 received, 100% packet loss, time 6146ms
dev@dev-pc:~$ sudo iptables -P INPUT ACCEPT
dev@dev-pc:~$ ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=4.05 ms
^C
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.050/4.050/4.050/0.000 ms
dev@dev-pc:~$ sudo ifconfig -a
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 109.108.244.148  netmask 255.255.255.0  broadcast 109.108.244.255
        inet6 fe80::b40:30c2:cb8:9e22  prefixlen 64  scopeid 0x20<link>
        ether 00:08:22:b8:b5:fd  txqueuelen 1000  (Ethernet)
        RX packets 124470  bytes 165771256 (165.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 66049  bytes 5942125 (5.9 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 132  bytes 11315 (11.3 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 132  bytes 11315 (11.3 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlp2s0: flags=4098<BROADCAST,MULTICAST>  mtu 1500
        ether ea:15:31:9c:86:67  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

How do I fix it?
1 Answer
For your example, ping 1.1.1.1, two packets are involved per ping: an outgoing ICMP echo request packet and an incoming ICMP echo reply packet, at least if the destination does reply.
The succinct answer to your first question, "Why do I not have internet when I forbid all incoming traffic?", is: because you denied all incoming traffic, so nobody can respond.
Now, for your second question: "How to fix?":
iptables is capable of looking at a packet and determining if it is a reply or somehow RELATED to a previous outgoing, locally initiated, packet. Therefore you can make an iptables rule to allow this type of packet to get past the INPUT chain DROP default packet handler:
sudo iptables -A INPUT -i enp3s0 -d 109.108.244.148 -m state --state ESTABLISHED,RELATED -j ACCEPT
Note: you should also allow the local network connection, as sometimes internal tasks communicate via this interface:
sudo iptables -A INPUT -i lo -j ACCEPT
Below is an example implementation of this answer, using your example pings:
doug@s18:~$ ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=24.6 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=25.9 ms
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 24.597/25.260/25.923/0.663 ms
doug@s18:~$ sudo iptables -P INPUT DROP
doug@s18:~$ ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1061ms
doug@s18:~$ sudo iptables -A INPUT -i enp3s0 -d 192.168.111.122 -m state --state ESTABLISHED,RELATED -j ACCEPT
doug@s18:~$ ping -c 2 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=60 time=25.1 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=60 time=24.9 ms
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 24.911/25.012/25.113/0.101 ms
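The answer above applies the two rules by hand with `iptables -A`. The script below is an added example (not the answerer's code and not from the question) that packages the same idea into a complete, ordered ruleset in `iptables-restore(8)` format, adds an inbound SSH exception so you cannot lock yourself out of a remote machine when the INPUT policy flips to DROP, and loads it with a rollback timer. The interface name `enp3s0` and SSH port `22` are assumed placeholders; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match used in the answer and behaves the same. The `-d <your address>` restriction from the answer is omitted: a reply that conntrack classifies as ESTABLISHED is by definition addressed to a flow this host started, so the destination match adds nothing.

```bash
#!/bin/sh
# Added example: build, check and (optionally) load a default-DROP INPUT
# ruleset that still lets replies to locally initiated traffic back in.
# IFACE and SSH_PORT are assumed values; adjust them for your host.

# build_ruleset IFACE SSH_PORT
# Prints the filter table in iptables-restore(8) format. Rules are evaluated
# top to bottom and the chain policy (DROP) only applies to packets that no
# rule matched, so the order below is the point of the exercise.
build_ruleset() {
    iface="$1"
    ssh_port="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback first: local daemons (resolvers, databases, agents) talk over lo
-A INPUT -i lo -j ACCEPT
# Replies to flows this host started (ICMP echo-reply, DNS answers, TCP data)
# and packets RELATED to them (ICMP errors, FTP data channels)
-A INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot associate with any flow are noise; drop them
-A INPUT -m conntrack --ctstate INVALID -j DROP
# The only NEW inbound connection we admit: SSH, so remote admin survives
-A INPUT -i $iface -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# check_ruleset < ruleset
# Sanity check before loading: INPUT policy is DROP, the loopback and
# ESTABLISHED,RELATED rules exist, and both come before the first rule that
# admits NEW connections. Returns 0 on pass, 1 on failure.
check_ruleset() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    lo=$(printf '%s\n' "$rules" | grep -n '^-A INPUT -i lo -j ACCEPT' | cut -d: -f1 | head -n1)
    est=$(printf '%s\n' "$rules" | grep -n '^-A INPUT.*--ctstate ESTABLISHED,RELATED -j ACCEPT' | cut -d: -f1 | head -n1)
    new=$(printf '%s\n' "$rules" | grep -n '^-A INPUT.*--ctstate NEW -j ACCEPT' | cut -d: -f1 | head -n1)
    [ -n "$lo" ] && [ -n "$est" ] || return 1
    # No NEW-accept rule at all is fine; otherwise lo and est must precede it
    [ -z "$new" ] || { [ "$lo" -lt "$new" ] && [ "$est" -lt "$new" ]; }
}

# apply_ruleset IFACE SSH_PORT [SECONDS]
# Loads the ruleset atomically (needs root) and arms a rollback: if the
# session dies and you cannot cancel the timer, the previous rules return
# after SECONDS (default 60). Kill the printed PID once access is confirmed.
apply_ruleset() {
    backup=$(mktemp)
    iptables-save > "$backup"
    build_ruleset "$1" "$2" | check_ruleset || { echo "ruleset failed check" >&2; return 1; }
    build_ruleset "$1" "$2" | iptables-restore
    ( sleep "${3:-60}" && iptables-restore < "$backup" ) &
    echo "rollback armed, pid $!; run: kill $!  once you have confirmed access"
}
```

Typical use is `. ./fw.sh; build_ruleset enp3s0 22 | check_ruleset && apply_ruleset enp3s0 22`, then `kill` the rollback PID from a fresh SSH session. Two caveats: this only touches IPv4, so `ip6tables` needs the equivalent rules (or a `::1` loopback rule at minimum) if the host has IPv6 connectivity, and `iptables-restore` replaces the whole filter table, so any rules other tools (Docker, fail2ban) have added must be regenerated by them afterwards.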