$ cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table ip firewall {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        iif != "lo" ip daddr 127.0.0.0/8 drop
        tcp dport 22 accept
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy drop;
        iif "lo" accept
        udp dport { 53, 123 } accept
        tcp dport { 53, 80, 443 } accept
        ct state established,related accept
    }
}
The connection eventually works, but it takes much longer than anticipated. Running journalctl -f, I see systemd[1]: Failed to start User Manager for UID 1000 before the connection is finally established.
If I run nft flush ruleset, the connection works immediately.
For incoming connections, ALL external incoming packets match this rule, as they come in on an interface which is not the local loopback and their destination address is definitely not in the 127.0.0.0/8 network. I am surprised it goes through even after some timeout, unless you also have IPv6 up and running.
For all locally initiated outgoing connections which are not DNS, NTP, HTTP or HTTPS, they hit the output chain's drop policy. Again, they should not work at all unless you also have IPv6 up and running.
Found the issue… typo in chain output. iif "lo" accept should be oif "lo" accept.
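The typo above is easy to miss because nft -c accepts iif and oif in any base chain: the syntax is valid, the rule just never matches. In the output hook a locally generated packet has no input interface, so iif "lo" never matches and loopback traffic falls through to the drop policy; in the input hook there is no output interface yet, so an oif match is equally dead. The following is an added example, not code from the question, the answer or the nftables project: a small POSIX shell lint that walks a ruleset text, tracks which hook each chain is attached to, and reports iif/iifname rules in output-hook chains and oif/oifname rules in input-hook chains. The embedded sample ruleset is constructed from the one in the question, typo included.

```shell
#!/bin/sh
# Added example, not part of the original post or of nftables.
# Flags interface matches that can never match in the hook they sit in:
#   - iif / iifname inside a chain hooked at output (no input interface yet)
#   - oif / oifname inside a chain hooked at input  (no output interface yet)
# nft -c does not warn about either, so this is a pre-load sanity check.

# Constructed sample: the ruleset from the question, with the iif/oif typo.
SAMPLE_RULESET='flush ruleset
table ip firewall {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        iif != "lo" ip daddr 127.0.0.0/8 drop
        tcp dport 22 accept
        ct state established,related accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
    chain output {
        type filter hook output priority filter; policy drop;
        iif "lo" accept
        udp dport { 53, 123 } accept
        tcp dport { 53, 80, 443 } accept
        ct state established,related accept
    }
}'

# lint_nft_hooks RULESET_TEXT
# Prints "<chain>:<hook>:<rule>" for every rule whose interface match cannot
# fire in that chain's hook. Returns 1 if anything was flagged, 0 otherwise.
lint_nft_hooks() {
    printf '%s\n' "$1" | awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        # Entering a chain: remember its name, forget the previous hook.
        $1 == "chain" { chain = $2; hook = ""; next }
        # "type filter hook <name> priority ...": record the hook name.
        $1 == "type" { for (i = 1; i < NF; i++) if ($i == "hook") hook = $(i + 1); next }
        # Closing brace ends the current chain (or the table).
        $1 == "}"    { chain = ""; hook = ""; next }
        {
            for (i = 1; i <= NF; i++) {
                if (hook == "output" && ($i == "iif" || $i == "iifname") ||
                    hook == "input"  && ($i == "oif" || $i == "oifname")) {
                    print chain ":" hook ":" trim($0); bad = 1; break
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Usage against the real file would be: lint_nft_hooks "$(cat /etc/nftables.conf)"
# On the sample this prints: output:output:iif "lo" accept
lint_nft_hooks "$SAMPLE_RULESET" || echo "ruleset contains interface matches that can never match"
```

Run it before nft -f on a fresh ruleset, or wire it into whatever deploys /etc/nftables.conf; an exit status of 1 means at least one rule in the file is dead for its hook. It does not try to rewrite anything, since whether the author meant oif or meant to delete the rule is a decision for the person editing the ruleset.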