I have a couple rules in place to allow traffic in from specific IPs. Right after these rules I have rules to block everything else, as this firewall is an “allow by default” type.
The problem I’m facing is that when I replace these two ports to match “Any” instead, those machines (matrix server and game server) are unable to perform apt-gets.
I had thought that this should still be allowed, because the egress rules for those two permit outbound traffic to http/s and once that’s established it’s a “stateful” connection which should allow the traffic to flow back the other way.
What am I doing wrong here, and what is the best way to ensure that traffic only hits these servers from the minimal number of ports.
When you make an outgoing connections, its source is a random local port in the 30000+ range or something like that, and when the remote server replies, it replies back on that port. But if your rules then treat the response to that port as a port forward rule, it won’t reach the NAT rule that would remangle the packet in the correct way to preserve the connection.
So, server wants to go out and uses port 33333, router NATs it and rewrites it as outgoing from your public IP from say, 44444, then the remote server replies back, and the router just sends the 44444 to your server as-is because port forward, and your server’s like, I don’t know anyone interested in port 44444 and drops it, while the client is waiting on port 33333 to hear back and never does, until it times out.
In iptables terms, that’s what
--cstate ESTABLISHED,RELATEDhandles and why you see it in NAT examples.