[Solved] Allow apt in nftables

SpongeB0B

Hi everyone,

I'm trying to do an apt --update but I get:

Could not connect to deb.devuan.org:80 (185.38.15.81), connection timed out
Could not connect to deb.devuan.org:80 (185.183.113.131), connection timed out
Could not connect to deb.devuan.org:80 (131.188.12.211), connection timed out
....

So the DNS resolution is passing, but not the connection to deb.devuan.org:80 :(

It's my nftables that blocks it, but I don't know what to open to allow the connection.

Here is my nftables:

Bash:
table ip6 Tip6 {
    chain chPR {
        type filter hook prerouting priority 0; policy drop;
    }
}

table ip Tip {

    chain chIN {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname lo accept       
    }
    chain chFW {
        type filter hook forward priority 0; policy drop;
    }
    chain chOUT {
        type filter hook output priority 0; policy drop;
        udp dport 53 accept
        ct state established,related accept
    }
}
 


You will probably need to add an exception for ports 80 and 443 in "chain chOUT".
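
The exception suggested above, written out as an added example (not posted by anyone in the thread): the same `table ip Tip` with only `chOUT` changed. The TCP port 53 rule, the `counter` and the rate-limited log line are additions assumed here for completeness and troubleshooting, and the file is assumed to replace the table definition in a ruleset that is flushed before loading.

```nftables
# Added example: the thread's table "ip Tip", chIN and chFW unchanged.
table ip Tip {
    chain chIN {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname lo accept
    }
    chain chFW {
        type filter hook forward priority 0; policy drop;
    }
    chain chOUT {
        type filter hook output priority 0; policy drop;

        # Packets belonging to flows that were already allowed out.
        ct state established,related accept

        # DNS. UDP was already allowed in the original ruleset;
        # TCP 53 is an addition for answers too large for UDP.
        udp dport 53 accept
        tcp dport 53 accept

        # New rule: let the first packet (SYN) of HTTP/HTTPS connections out.
        # Without it the handshake never starts, no conntrack entry reaches
        # "established", and apt times out on deb.devuan.org:80.
        # "counter" is optional and only there to confirm the rule is hit.
        tcp dport { 80, 443 } ct state new counter accept

        # Optional: log what the drop policy is about to discard,
        # rate-limited so a misbehaving process cannot flood the log.
        limit rate 6/minute log prefix "chOUT drop: "
    }
}
```

After loading, `nft list chain ip Tip chOUT` shows the packet counter on the new rule increasing while apt runs.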
 
Why are you blocking outgoing connections by default unless whitelisted?
 
