You are not logged in.
- Topics: Active | Unanswered
#1 2024-10-25 21:06:21
- tvidal
- Member
- Registered: 2020-06-18
- Posts: 22
[SOLVED] How to find source of the -P FORWARD DROP iptables rule
I am using nftables as the firewall for my home openvpn server, and all rules are defined and working correctly.
The problem is, every time I reboot the server, the vpn stops working and I have to change the default FORWARD policy to make it work with:
# iptables -P FORWARD ACCEPTiptables filter table
# iptables -vL
Chain INPUT (policy ACCEPT 1953 packets, 185K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-USER all -- any any anywhere anywhere
0 0 DOCKER-ISOLATION-STAGE-1 all -- any any anywhere anywhere
0 0 ACCEPT all -- any docker0 anywhere anywhere ctstate RELATED,ESTABLISHED
0 0 DOCKER all -- any docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 !docker0 anywhere anywhere
0 0 ACCEPT all -- docker0 docker0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 1736 packets, 179K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- !docker0 docker0 anywhere 172.17.0.2 tcp dpt:http
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION-STAGE-2 all -- docker0 !docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- any docker0 anywhere anywhere
0 0 RETURN all -- any any anywhere anywhere
Chain DOCKER-USER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- any any anywhere anywhereiptables nat table
# iptables -vL -t nat
Chain PREROUTING (policy ACCEPT 261 packets, 34811 bytes)
pkts bytes target prot opt in out source destination
218 27489 DOCKER all -- any any anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 39 packets, 6623 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 9 packets, 548 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- any any anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 9 packets, 548 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- any !docker0 172.17.0.0/16 anywhere
0 0 MASQUERADE tcp -- any any 172.17.0.2 172.17.0.2 tcp dpt:http
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 any anywhere anywhere
0 0 DNAT tcp -- !docker0 any anywhere anywhere tcp dpt:sunproxyadmin to:172.17.0.2:80Problem:
I cannot find where this -P FORWARD DROP rule is coming from, here are the places I have looked:
/etc/iptables
# bat /etc/iptables/*
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: /etc/iptables/empty.rules
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ # Empty iptables rule file
2 │ *filter
3 │ :INPUT ACCEPT [0:0]
4 │ :FORWARD ACCEPT [0:0]
5 │ :OUTPUT ACCEPT [0:0]
6 │ COMMIT
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: /etc/iptables/ip6tables.rules
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ # Empty iptables rule file
2 │ *filter
3 │ :INPUT ACCEPT [0:0]
4 │ :FORWARD ACCEPT [0:0]
5 │ :OUTPUT ACCEPT [0:0]
6 │ COMMIT
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: /etc/iptables/iptables.rules
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ # Empty iptables rule file
2 │ *filter
3 │ :INPUT ACCEPT [0:0]
4 │ :FORWARD ACCEPT [0:0]
5 │ :OUTPUT ACCEPT [0:0]
6 │ COMMIT
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────systemd
# systemctl status iptables.service
○ iptables.service - IPv4 Packet Filtering Framework
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled; preset: disabled)
Active: inactive (dead)I think I am missing something very very stupid, but I am humbly requesting help for this one as I could not find a solution to have this rule persist across restarts.
Thank you.
Last edited by tvidal (2024-10-28 13:33:51)
Offline
#2 2024-10-25 21:57:13
- edacval
- Member
- From: .LT
- Registered: 2008-10-23
- Posts: 98
Re: [SOLVED] How to find source of the -P FORWARD DROP iptables rule
Look at docker defaults
Last edited by edacval (2024-10-25 21:58:04)
Offline
#3 2024-10-28 11:09:58
- tvidal
- Member
- Registered: 2020-06-18
- Posts: 22
Re: [SOLVED] How to find source of the -P FORWARD DROP iptables rule
Hi,
I would never have guessed that.
Thank you!
Fixed by creating the following file:
───────┬───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: /etc/systemd/system/docker.service.d/override.conf
───────┼───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 │ [Service]
2 │ ExecStartPost=iptables -R DOCKER-USER 1 -j ACCEPT
───────┴───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────Last edited by tvidal (2024-10-28 13:31:20)
Offline
#4 2024-10-28 13:26:12
- seth
- Member
- From: Don't DM me only for attention
- Registered: 2012-09-03
- Posts: 69,592
Re: [SOLVED] How to find source of the -P FORWARD DROP iptables rule
\o/
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
Offline
#5 2024-10-28 13:30:39
- tvidal
- Member
- Registered: 2020-06-18
- Posts: 22
Re: [SOLVED] How to find source of the -P FORWARD DROP iptables rule
seth wrote:
\o/
Please always remember to mark resolved threads by editing your initial posts subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
So, I tried to edit the post and change the subject, but I can only add 3 more characters, which is not enough for the [SOLVED] prefix.
Is there anything else I should do?
Offline
#6 2024-10-28 13:33:07
- seth
- Member
- From: Don't DM me only for attention
- Registered: 2012-09-03
- Posts: 69,592
Re: [SOLVED] How to find source of the -P FORWARD DROP iptables rule
Be concise 
[SOLVED] How to find source of the -P FORWARD DROP iptables rule
Offline