Default firewall rules.

asked 2020-06-16 21:01:43 +0200


updated 2020-06-16 21:06:00 +0200

Long story short: during a VPN connection I lost my internet connection, and a restart didn't help. After a short investigation I found that in my output rules there is no rule allowing output connections. There is no such firewall rule in the delivered connman-configs-sailfish default package rules. If the default policy is DROP, there should be a rule in the connman-OUTPUT chain allowing output traffic. How is it done? What am I missing?


3 Answers


answered 2020-06-17 08:02:24 +0200


There is no default policy drop for the output chain. It is filtering the input, which is also correct.

[root@Sailfish nemo]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
connman-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
connman-OUTPUT  all  --  anywhere             anywhere

Chain connman-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp !type 8 code 0
ACCEPT     dccp --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     sctp --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     udplite--  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     udp  --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     gre  --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain connman-OUTPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp !type 0 code 0

Perhaps you are missing some routing that gets pushed via VPN or reset to normal routes after VPN.


answered 2020-06-17 17:34:25 +0200


Thank you for the answer and hint. My OUTPUT policy is DROP:

Chain OUTPUT (policy DROP)
target     prot opt source               destination   
ACCEPT     all  --  anywhere             anywhere            
connman-OUTPUT  all  --  anywhere             anywhere

and I wonder why. So, next question: where is the default policy set?


Comments

Yes, I know. Do you have a rule that sets a policy for OUTPUT?

kan_ibal ( 2020-06-19 19:38:35 +0200 )

Checked 3 devices (all 3.3.0.16), default OUTPUT is ACCEPT....

A.Maretzek ( 2020-06-19 20:02:50 +0200 )

I believe that the default OUTPUT is ACCEPT, but my OUTPUT policy switches to DROP after a connman restart, and I am trying to track down the culprit. In /etc/connman/firewall.conf there are rules for INPUT only.

[General]

# IPv4 rules and policies.

IPv4.INPUT.RULES = -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; -i lo -j ACCEPT
IPv4.INPUT.POLICY = DROP

# IPv6 rules and policies.

IPv6.INPUT.RULES = -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; -i lo -j ACCEPT
IPv6.INPUT.POLICY = DROP
kan_ibal ( 2020-06-20 16:55:04 +0200 )

answered 2020-06-20 17:41:04 +0200


After some debugging I have found that there are *.v4 files in /home/.system/var/lib/connman/iptables with saved iptables rules, which are restored after connman starts. The rule for OUTPUT there was in filter.v4. I deleted all *.v4 files and the problem is solved. Oddly, only raw.v4 and security.v4 have been recreated.


Comments

While you are at it, can you correlate the file creation time with apps you started? Or boot time?

A.Maretzek ( 2020-06-20 17:51:16 +0200 )
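An added audit script, not from the thread or from the connman project, for the situation above: a saved state file silently restoring a DROP default policy on OUTPUT. It assumes the *.v4 files are in iptables-save format (the `*table`, `:CHAIN POLICY [pkts:bytes]`, `-A ...`, `COMMIT` layout); the dump below is constructed for the example, modelled on the OUTPUT chain kan_ibal posted.

```shell
#!/bin/sh
# Report the default policy of every built-in chain in an iptables-save
# style dump, and flag the chains whose policy is DROP. Run it against the
# saved state files before deleting them, so you know what will be restored.

# Constructed sample dump (assumption: same format as connman's filter.v4).
SAMPLE_V4='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
:connman-INPUT - [0:0]
:connman-OUTPUT - [0:0]
-A INPUT -j connman-INPUT
-A OUTPUT -j connman-OUTPUT
-A connman-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A connman-INPUT -i lo -j ACCEPT
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
'

# Read a dump on stdin and print "table chain policy" for each built-in
# chain. User-defined chains carry "-" instead of a policy and are skipped.
chain_policies() {
    awk '
        /^\*/ { table = substr($0, 2); next }
        /^:/  { sub(/^:/, "", $1); if ($2 != "-") print table, $1, $2 }
    '
}

# Print "table chain" for every built-in chain whose default policy is DROP;
# a DROP on filter OUTPUT is the setting that cut off traffic in this thread.
drop_policies() {
    chain_policies | awk '$3 == "DROP" { print $1, $2 }'
}

# Against the real saved state, once the path exists on your device:
#   drop_policies < /home/.system/var/lib/connman/iptables/filter.v4
printf '%s' "$SAMPLE_V4" | drop_policies
```

On the constructed dump the audit prints `filter INPUT` and `filter OUTPUT`; the INPUT line is the expected policy from firewall.conf, the OUTPUT line is the one to investigate.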