confusing INPUT,OUTPUT iptables rules

Problem :

Following are my iptables rules in Ubuntu.

╰─$ sudo iptables -S              
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Only for INPUT have I given rules, and all outgoing traffic is under the ACCEPT policy. But I cannot browse the internet or ping any internet domain.

But if I remove the last rule in the INPUT chain, -A INPUT -j DROP, then I can browse and ping.

Which chain exactly needs to be opened for browsing the internet? Why is the INPUT chain policy interfering with outgoing traffic? I am confused. Explanation please.

Solution :

The -A INPUT -j DROP negates your -P INPUT ACCEPT. -j is the jump option, which as far as I understand, means if a packet matches this rule, the firewall will ignore all the other rules about the packet, and do whatever this line says to do with the packet, which in this case, is DROP.

This is letting you send an ICMP signal out, or make an HTTP request, but it is dropping any responses you get. If there is some input you are trying to filter, you would need to add more specificity to the rule, or it will continue to drop everything your outgoing requests get back.

This is my favourite IPTables tutorial. It has several examples of filtering certain types of input, and also explains the distinction between NEW and ESTABLISHED traffic.

Hope this helps.