
nftables doesn't allow ssh


I have a ruleset in my server looking like this:

table inet firewall {
    chain INBOUND {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" counter packets 0 bytes 0 accept
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
        tcp dport 22 accept
        log
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTBOUND {
        type filter hook output priority filter; policy drop;
        oif "lo" counter packets 35 bytes 1946 accept
        tcp dport 22 accept
    }
}

I'm not able to connect via ssh on port 22 even though it should be open. If I type:

$ nft flush ruleset

then port 22 allows connections.

What am I doing wrong?


Solution

  • It seems to me that the rules in the "OUTBOUND" chain are the problem.

    You have tcp dport 22 accept, but I think that should be tcp sport 22 accept, because when the SSH packets are outbound from your server they will have a source port of 22, not a destination port of 22.
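The fix described in the answer, written out as a complete ruleset file (an added example, not the asker's ruleset or part of the answer). It keeps the asker's INBOUND and FORWARD chains, replaces the OUTBOUND rule with the source-port match, and as a generalization beyond the answer also lets OUTBOUND accept packets of connections that conntrack already knows, so replies from any service INBOUND admits are covered, not only SSH. The runtime counter values from the asker's listing are dropped because they are not part of the configuration.

```nft
#!/usr/sbin/nft -f
# Constructed example: the asker's ruleset with the OUTBOUND chain corrected.
flush ruleset

table inet firewall {
    chain INBOUND {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" counter accept
        ip protocol icmp limit rate 4/second accept
        ip6 nexthdr ipv6-icmp limit rate 4/second accept
        ip protocol igmp limit rate 4/second accept
        tcp dport 22 accept          # new SSH connections arriving at this host
        log
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }

    chain OUTBOUND {
        type filter hook output priority filter; policy drop;
        oif "lo" counter accept
        # Packets sshd sends back to a client leave with SOURCE port 22, so the
        # rule the answer proposes matches sport, not dport:
        tcp sport 22 accept
        # Generalization: reply packets of any connection INBOUND already accepted
        # are tracked by conntrack, so this one rule covers every inbound service
        # without a per-port sport rule.
        ct state established,related accept
        # New outbound connections (DNS, package updates, ...) are still dropped
        # by the chain policy, as in the original; log them so the drops are visible.
        log prefix "outbound-drop: "
    }
}
```

Validate the file without applying it using nft -c -f firewall.nft, then load it with nft -f firewall.nft from a console session rather than over SSH, since a mistake in either chain cuts off the session that loaded it.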