I’m having issues upgrading my Rocky Linux machines from 9.4 to 9.5.
They are connected straight to the internet on a public IP and firewalled with nftables.
It runs smoothly on 9.4. But when I upgrade to 9.5, no remote connection is possible to any of the services on the machine except SSH.
Then I rebooted with the old kernel, and everything works as it should.
With the new kernel I also disabled nftables, but it still has the issue.
For now I have disabled kernel upgrades in the yum config, but this is far from ideal.
Issue with kernel 5.14.0-503.21.1.el9_5.x86_64, but later also on another machine with (strangely enough) an earlier version: 5.14.0-503.19.
Works fine with kernel 5.14.0-427.42.1.el9_4.x86_64.
I would love to keep the kernel up to date as well.
Is there a problem in the new kernel? Or something I can check / reconfigure?
Yes, the rules are the same.
And indeed, when I checked on the console using wget, it worked instantly.
I could only check IPv4 at that moment, because I don't have an ISP around with IPv6 (I can check, but it takes more effort).
I use a "table ip filter" for IPv4 and a "table ip6 firewall" for IPv6 traffic.
This is the firewall script, where for this example I replaced the actual IP addresses with the fictitious address 99.99.99.99:
It's just a script to allow http/https publicly and to allow ssh/snmp/ping from a specific address.
#!/usr/sbin/nft -f
flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        # allow connection from loopback
        iifname lo accept;

        # established/related connections
        ct state {established, related} accept;

        # drop invalid connections
        ct state invalid drop;

        # allow connection for ping from specific IP addresses
        ip saddr 99.99.99.99 icmp type echo-request accept; # my office
        ip saddr 99.99.99.99 icmp type echo-request accept; # my monitoring

        # allow connection from management for ssh
        ip saddr 99.99.99.99 tcp dport ssh accept;
        ip saddr 99.99.99.99 tcp dport ssh accept;
        ip saddr 99.99.99.99 tcp dport 161 accept; # monitoring via SNMP
        ip saddr 99.99.99.99 udp dport 161 accept; # monitoring via SNMP

        # allow webserver
        tcp dport http accept;
        tcp dport https accept;

        # everything else
        reject with icmp type port-unreachable
    }

    chain forward {
        type filter hook forward priority 0;
    }

    chain output {
        type filter hook output priority 0;
    }
}

table ip6 firewall {
    chain incoming {
        type filter hook input priority 0;

        # established/related connections
        ct state established,related accept;

        # invalid connections
        ct state invalid drop;

        # loopback interface
        iifname lo accept;

        # icmp
        icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept;

        # allow webserver
        tcp dport http accept;
        tcp dport https accept;

        # open udp ports
        # udp dport {...} accept;

        # drop everything else
        drop;
    }

    chain forward {
        type filter hook forward priority 0;
    }

    chain output {
        type filter hook output priority 0;
    }
}
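An offline way to check what a ruleset like the one above actually permits, added here as an example and not part of the original thread or of the nftables project: `nft -c -f <script>` only checks syntax, and `nft -j list ruleset` dumps the ruleset that is really loaded as JSON. The Python below walks such JSON the way the kernel walks a base chain, returns the verdict a described packet gets, and lists base chains whose policy is accept (the ip6 chain above has no `policy drop`; it relies on the trailing `drop` rule). The JSON is constructed by hand in the shape `nft -j` prints and trimmed to the rules that matter for the discussion; the function names (`evaluate`, `pkt`, `open_by_default`) and the test addresses 203.0.113.5 and 2001:db8::1 are mine, not from the post.

```python
"""Offline sanity check of an nftables ruleset in `nft -j list ruleset` JSON form:
which base chains fall through to accept, and which verdict a given packet gets."""
import ipaddress
import json

# Constructed sample, written by hand in the shape `nft -j list ruleset` prints
# and trimmed to the rules relevant to the thread. 99.99.99.99 is the poster's
# placeholder for the management address; this is not a capture from a machine.
RULESET_JSON = r"""{"nftables": [
 {"metainfo": {"json_schema_version": 1}},
 {"table": {"family": "ip", "name": "filter", "handle": 1}},
 {"chain": {"family": "ip", "table": "filter", "name": "input", "handle": 1,
            "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
 {"rule": {"family": "ip", "table": "filter", "chain": "input", "handle": 2, "expr": [
   {"match": {"op": "==", "left": {"meta": {"key": "iifname"}}, "right": "lo"}}, {"accept": null}]}},
 {"rule": {"family": "ip", "table": "filter", "chain": "input", "handle": 3, "expr": [
   {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": {"set": ["established", "related"]}}},
   {"accept": null}]}},
 {"rule": {"family": "ip", "table": "filter", "chain": "input", "handle": 4, "expr": [
   {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "invalid"}}, {"drop": null}]}},
 {"rule": {"family": "ip", "table": "filter", "chain": "input", "handle": 5, "expr": [
   {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}}, "right": "99.99.99.99"}},
   {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 22}},
   {"accept": null}]}},
 {"rule": {"family": "ip", "table": "filter", "chain": "input", "handle": 6, "expr": [
   {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [80, 443]}}},
   {"accept": null}]}},
 {"rule": {"family": "ip", "table": "filter", "chain": "input", "handle": 7, "expr": [
   {"reject": {"type": "icmp", "expr": "port-unreachable"}}]}},
 {"table": {"family": "ip6", "name": "firewall", "handle": 2}},
 {"chain": {"family": "ip6", "table": "firewall", "name": "incoming", "handle": 1,
            "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
 {"rule": {"family": "ip6", "table": "firewall", "chain": "incoming", "handle": 2, "expr": [
   {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": {"set": ["established", "related"]}}},
   {"accept": null}]}},
 {"rule": {"family": "ip6", "table": "firewall", "chain": "incoming", "handle": 3, "expr": [
   {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": {"set": [80, 443]}}},
   {"accept": null}]}},
 {"rule": {"family": "ip6", "table": "firewall", "chain": "incoming", "handle": 4, "expr": [{"drop": null}]}}
]}"""
RULESET = json.loads(RULESET_JSON)

VERDICTS = ("accept", "drop", "reject")


def pkt(proto, dport, saddr, ct_state="new", iif="eth0"):
    """Minimal description of an inbound packet for the matcher below."""
    return {"proto": proto, "dport": dport, "saddr": saddr, "ct_state": ct_state, "iif": iif}


def _left_value(left, p):
    """Resolve a match's left-hand selector against the packet. Only the selectors
    used in the ruleset above are implemented; None means 'cannot match'."""
    if "meta" in left and left["meta"]["key"] == "iifname":
        return p["iif"]
    if "ct" in left and left["ct"]["key"] == "state":
        return p["ct_state"]
    if "payload" in left:
        proto, field = left["payload"]["protocol"], left["payload"]["field"]
        if proto in ("ip", "ip6") and field == "saddr":
            return ipaddress.ip_address(p["saddr"])
        if proto == p["proto"] and field == "dport":
            return p["dport"]
        return None  # selector for another protocol, e.g. 'tcp dport' against a UDP packet
    raise ValueError(f"unsupported selector: {left}")


def _matches(m, p):
    """Evaluate one match expression; sets on the right-hand side are expanded."""
    value = _left_value(m["left"], p)
    if value is None:
        return False
    right = m["right"]
    candidates = right["set"] if isinstance(right, dict) and "set" in right else [right]
    if isinstance(value, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        candidates = [ipaddress.ip_address(c) for c in candidates]
    if m["op"] in ("==", "in"):
        return value in candidates
    if m["op"] == "!=":
        return value not in candidates
    raise ValueError(f"unsupported operator: {m['op']}")


def evaluate(ruleset, family, chain_name, p):
    """Walk the named chain top to bottom as the kernel does and return the first
    terminal verdict; fall back to the chain policy when no rule matches."""
    objs = ruleset["nftables"]
    chain = next(o["chain"] for o in objs if "chain" in o
                 and o["chain"]["family"] == family and o["chain"]["name"] == chain_name)
    for o in objs:
        rule = o.get("rule")
        if not rule or (rule["family"], rule["table"], rule["chain"]) != (family, chain["table"], chain_name):
            continue
        if all(_matches(e["match"], p) for e in rule["expr"] if "match" in e):
            for e in rule["expr"]:
                for v in VERDICTS:
                    if v in e:
                        return v
    return chain.get("policy", "accept")


def open_by_default(ruleset):
    """Base chains (bound to a hook) whose policy is accept: if the trailing drop rule
    is missing, or the file fails to load before it, they let everything through."""
    return [(c["family"], c["table"], c["name"])
            for c in (o["chain"] for o in ruleset["nftables"] if "chain" in o)
            if "hook" in c and c.get("policy", "accept") == "accept"]


if __name__ == "__main__":
    for fam, chain, p in [("ip", "input", pkt("tcp", 80, "203.0.113.5")),
                          ("ip", "input", pkt("tcp", 22, "203.0.113.5")),
                          ("ip", "input", pkt("tcp", 22, "99.99.99.99")),
                          ("ip6", "incoming", pkt("tcp", 22, "2001:db8::1"))]:
        print(fam, chain, p["proto"], p["dport"], p["saddr"], "->", evaluate(RULESET, fam, chain, p))
    print("base chains with policy accept:", open_by_default(RULESET))
```

Feeding it the real `nft -j list ruleset` output taken under the 9.4 kernel and again under the 9.5 kernel is a quick way to see whether the loaded ruleset differs at all between the two boots, separately from whatever the kernel itself is doing with the traffic.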
Can I re-check, when you say you “disabled nftables” in the original post, what exact command did you use?
In addition, where it says "straight to the internet", do you mean the client (web browser) is making the request over the internet? If so, are you able to test by connecting a second machine using a network cable? It seems odd that SSH still works.