user3336503

Reputation: 33

What is the nft rule to let an SSH tunnel work?

I can make an SSH connection with an "all IPs are matched" rule in nft:

table ip filter {
    chain INPUT {
            type filter hook input priority 0; policy drop;
            iifname "eth0" ip saddr { 0.0.0.0-255.255.255.255 } accept
    }

    chain FORWARD {
            type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT {
            type filter hook output priority 0; policy accept;
    }
}

The SSH tunnel works without the above ruleset, but does not work when the nft ruleset is present:

[image: putty]

Question: What is the minimal rule to make an SSH tunnel work while keeping the input policy "drop"?

Upvotes: 0

Views: 1385

Answers (1)

user3336503

Reputation: 33

The default policy "drop" applies to ALL interfaces, while the custom rule applies to "eth0" specifically. As a result, any traffic that relies on the loopback interface, such as an SSH tunnel, will be blocked by the default policy.

To answer the question, either remove the "eth0" interface:

...
chain INPUT {
        type filter hook input priority 0; policy drop;
        ip saddr { 0.0.0.0-255.255.255.255 } accept
}
...

Or add the loopback interface:

...
chain INPUT {
        type filter hook input priority 0; policy drop;
        iifname { "lo", "eth0" } ip saddr { 0.0.0.0-255.255.255.255 } accept
}
...

Upvotes: 0
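As an added example (not part of the question or the answer above), the script below puts two constructed rulesets side by side and runs a small lint over them. The first is the ruleset from the question; note that `ip saddr { 0.0.0.0-255.255.255.255 }` matches every IPv4 source, so it already accepts all traffic arriving on eth0 and the drop policy only ever bites on other interfaces, which is why loopback is the one that breaks. The second is a minimal ruleset that keeps `policy drop`, accepts `lo`, admits only SSH (tcp/22) from eth0 instead of everything, and accepts established/related traffic so replies to the host's own outbound connections are not dropped. The `check_loopback_accept` function is a heuristic over `nft list ruleset` text: it flags any chain on the input hook with `policy drop` that has no accept rule naming `lo`. The table name `filter`, the interface name `eth0` and the chain names are taken from the page; everything else (the `inet` family, the ct state rule, the lint itself) is my own addition.

```shell
#!/bin/sh
# Added example, not code from the post: a lint for the misconfiguration the
# answer describes. It reads "nft list ruleset" text and reports every chain on
# the input hook whose policy is drop but which has no rule accepting lo.

# Constructed sample 1: the ruleset from the question.
# "ip saddr { 0.0.0.0-255.255.255.255 }" matches every IPv4 source, so this
# accepts all of eth0; the drop policy only bites on other interfaces (lo).
QUESTION_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iifname "eth0" ip saddr { 0.0.0.0-255.255.255.255 } accept
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}'

# Constructed sample 2: a minimal ruleset that keeps policy drop, lets the SSH
# tunnel work (loopback accepted) and admits only SSH from eth0 rather than
# every packet. The inet family covers IPv4 and IPv6; an "ip" family table
# leaves IPv6 completely unfiltered.
HARDENED_RULESET='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        iifname "eth0" tcp dport 22 accept
    }
}'

# check_loopback_accept: ruleset text on stdin; prints one line per offending
# chain and returns 1 if any was found, 0 otherwise.
check_loopback_accept() {
    awk '
        # a chain header starts a new block; reset the per-chain flags
        /^[ \t]*chain / { inchain = 1; name = $2; is_input = 0; is_drop = 0; has_lo = 0; next }
        inchain && /hook input/  { is_input = 1 }
        inchain && /policy drop/ { is_drop = 1 }
        # iif/iifname naming lo (quoted, bare, or inside a { } set) on an accept rule
        inchain && /(iif|iifname)[ \t]+([{][^}]*[ \t,])?"?lo"?([ \t,}]|$)/ && /accept/ { has_lo = 1 }
        # closing brace of the chain: report if it would drop loopback traffic
        inchain && /^[ \t]*}/ {
            if (is_input && is_drop && !has_lo) {
                print "chain " name ": input hook with policy drop but no accept rule for loopback (lo)"
                bad = 1
            }
            inchain = 0
        }
        END { exit bad }
    '
}

echo "== ruleset from the question =="
printf '%s\n' "$QUESTION_RULESET" | check_loopback_accept || echo "FAIL: SSH tunnel traffic via lo would be dropped"
echo "== hardened ruleset =="
printf '%s\n' "$HARDENED_RULESET" | check_loopback_accept && echo "OK: loopback accepted"
# On a live host, after loading a ruleset:  nft list ruleset | check_loopback_accept
```

The lint matches on text rather than parsing the nft grammar, so it is a post-deploy sanity check, not a substitute for reading the ruleset; `nft -j list ruleset` gives JSON if a stricter check is wanted. The hardened ruleset answers the "minimal rule" question more tightly than accepting all of eth0 does: the only unsolicited traffic that reaches the host from the network is port 22.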
