I'm configuring iptables on a new web dedicated server. The rules are really simple:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4567
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)

Chain OUTPUT (policy ACCEPT)

Port 4567 is for SSH. The first INPUT line is for localhost on the loopback interface. I cannot use apt-get install, update, or anything related.

I tried every rule I could find on Google to solve this, but none of them worked. I tried accepting port 53 and FTP, I messed with ESTABLISHED,RELATED and so on, but I cannot seem to make it work.

If you have any idea on what rules to apply...

1 Answer


It's likely you're going to need to open access to DNS in order to have a functional server. Those would be port 53 both for TCP and UDP. Without that, you're not going to be able to resolve hostnames (unless you have a local DNS server forwarding over DNS-over-HTTPS).

You will also want to use the conntrack module to allow existing connections, since the port on your local side will be different than the port on the remote side and won't otherwise match.

My general policy on servers, and the policy I've seen at current and former employers, is to restrict incoming traffic but not outgoing traffic, unless there is some compelling reason (for example, blocking port 25 on a NAT box). You'd achieve that by writing rules that only apply to the input interface that's on the WAN. You'll still need to set up the proper conntrack handling, though.

  • Thank you for your answer. I found the solution; it was indeed the conntrack rule that was missing. For people in the same situation, this rule made it work: iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT. Thank you again.
    – James
    Commented Nov 2, 2021 at 6:00
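As an added example (not code from the question or the answer above), the following script builds the asker's ruleset in iptables-restore(8) format with the missing conntrack rule placed first in INPUT, and checks that ordering before the file is loaded. It assumes the asker's layout: SSH on 4567, http and https exposed, a DROP policy on INPUT only, and no forwarding.

```shell
#!/bin/sh
# Added example, not from the original post. Emits the corrected filter
# table for iptables-restore. Port numbers are the asker's (SSH on 4567).
SSH_PORT=4567

# Build the ruleset. Order matters: the conntrack ACCEPT comes before any
# port rule so that replies to connections this host opened (apt-get,
# outbound DNS on 53/udp and 53/tcp) are accepted regardless of port.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, restricted to the lo interface
-A INPUT -i lo -j ACCEPT
# return traffic for connections this host opened (the rule that was missing)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# packets conntrack cannot classify (malformed, out-of-window) are dropped
-A INPUT -m conntrack --ctstate INVALID -j DROP
# exposed services; NEW matches only the packet that opens a connection
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80  -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Sanity check: every --dport rule must come after the ESTABLISHED,RELATED
# rule, otherwise new-connection rules are evaluated on every reply packet.
# Returns 0 when the ordering is correct, 1 otherwise.
check_rules() {
    build_rules | awk '
        BEGIN { ct = 0; bad = 0 }
        /--ctstate ESTABLISHED,RELATED/ { ct = NR }
        /--dport/ && ct == 0 { bad = 1 }
        END { exit bad }'
}

# Usage (root required to load):
#   build_rules > rules.v4 && iptables-restore --test < rules.v4 \
#     && iptables-restore < rules.v4
```

With OUTPUT left at ACCEPT, outbound DNS queries leave freely and their replies match ESTABLISHED, so no inbound port-53 rule is needed unless the host itself runs a resolver for other machines.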
