Hello,
I need a firewall expert to get rid of this. I tried everything I could imagine but my apt-get update is still broken.
Here are my rules:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [105:16224]
:fail2ban-nginx-404 - [0:0]
:fail2ban-nginx-badbots - [0:0]
:fail2ban-nginx-badrequests - [0:0]
:fail2ban-nginx-ddos - [0:0]
:fail2ban-owncloud - [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32443 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 192.168.170.20-192.168.170.30 -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 192.168.170.1-192.168.170.30 -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.170.11/32 -p icmp -m iprange --src-range 192.168.170.1-192.168.170.30 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 32764:32769 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 32764:32769 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -p tcp -m tcp --dport 548 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 32410:32414 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 32469 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 1900 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 5353 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 9091 -j ACCEPT
-A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
sudo apt-get update says:
cornelius@omv:~$ sudo apt-get update
Ign file: Release.gpg
Ign file: Release
Ign file: Translation-de_DE
Ign file: Translation-de
Ign file: Translation-en
41% [Verbindung mit debian.ethz.ch (129.132.53.171)] [Verbindung mit security.debian.org (212.211.132.250)] [Verbindung mit ftp.debian.org (130.89.148.12)] [Verbindung mit packages.omv-extras.org (5.9.105.28)] [Verbindung mit dh2k.omv-ex^
If I remove the REJECT rule, it works again. What am I missing? The repo uses HTTP, which is open. DNS is also open.
No OUTPUT rules at the moment.
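As an added example (not part of the original post, not the poster's rules): a small sh/awk audit of an iptables-save dump that flags the missing stateful ACCEPT and prints a repaired ruleset. It assumes a Linux host with awk; the sample rules are the relevant lines copied from the post.

```shell
# Added example (not the poster's or any project's code): audit an iptables-save
# dump for the stateful ACCEPT the posted ruleset lacks. Without
# "-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" ahead of the final
# REJECT, replies from the HTTP mirror (sport 80, random dport on this host)
# match no ACCEPT and are rejected, which is what breaks apt-get update.

# Constructed sample: the relevant lines of the posted ruleset.
write_sample_rules() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m iprange --src-range 192.168.170.20-192.168.170.30 -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
}

# check_stateful_accept FILE: exit 0 if INPUT accepts ESTABLISHED (or
# RELATED,ESTABLISHED) traffic before its unconditional REJECT/DROP, else 1.
# Recognises both "-m conntrack --ctstate" and the older "-m state --state".
check_stateful_accept() {
    awk '
        /^-A INPUT / {
            n++
            if (!ok && $0 ~ /--(ctstate|state) [A-Z,]*ESTABLISHED/ && $0 ~ /-j ACCEPT/) ok = n
            if (!end && $0 ~ /^-A INPUT -j (REJECT|DROP)/) end = n
        }
        END { if (ok && (!end || ok < end)) exit 0; exit 1 }
    ' "$1"
}

# fix_ruleset FILE: print the ruleset with the stateful ACCEPT inserted as the
# first INPUT rule; the "--sport 53" workaround then becomes unnecessary,
# since DNS replies are ESTABLISHED too (and it accepts any UDP from sport 53).
fix_ruleset() {
    awk '
        /^-A INPUT / && !done {
            print "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
            done = 1
        }
        { print }
    ' "$1"
}
```

Run `check_stateful_accept` against the output of `iptables-save` to see the failing check, and load the output of `fix_ruleset` with `iptables-restore` (as root) to apply the repair.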