2025-03-20, 04:32 PM
(This post was last modified: 2025-03-20, 04:34 PM by ArbitraryRenaissance. Edited 1 time in total.)
I have solved the problem. It turns out my nftables were misconfigured. I ran
sudo nft list ruleset
and the first entry was the inet filter:
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iif "lo" accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        meta l4proto ipv6-icmp accept comment "allow icmp v6"
        tcp dport 22 accept comment "allow sshd"
        meta pkttype host limit rate 5/second burst 5 packets counter packets 346 bytes 59136 reject with icmpx admin-prohibited
        counter packets 1154 bytes 235090
        tcp dport 8096 accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
The rule
tcp dport 8096 accept
comes at the very end of the list, after a rate-limiting rule. This rule was intercepting my connection attempts, leaving me unable to reach the server remotely. (It didn't block the localhost connections because of the "allow from loopback" rule earlier in the stack.) To fix this, I just moved the 8096 accept rule higher up. This can either be done by editing the table directly in /etc/nftables.conf, or by lazily copying the rule to the top of the list with
sudo nft insert rule inet filter input tcp dport 8096 accept
(though this latter option won't be persistent).
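The ordering mistake described in this post is easy to catch before it costs remote access. The script below is an added example, not the poster's code or part of nftables: it reads `nft list ruleset` output and flags any accept rule that sits below a reject/drop rule with no traffic-narrowing match in the same chain. The sample ruleset is constructed to mirror the post's "input" chain, and the list of "selective" match keywords is an assumed heuristic, not an nftables definition.

```python
import re

# Constructed sample in the shape of the post's "input" chain:
# the 8096 accept sits below the catch-all rate-limited reject.
SAMPLE = """\
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iif "lo" accept comment "allow from loopback"
        tcp dport 22 accept comment "allow sshd"
        meta pkttype host limit rate 5/second burst 5 packets counter packets 346 bytes 59136 reject with icmpx admin-prohibited
        counter packets 1154 bytes 235090
        tcp dport 8096 accept
    }
}
"""

# Expressions that narrow a rule to particular traffic. A reject/drop rule
# containing none of them is treated as a catch-all for whatever reaches it.
# Heuristic assumption: 'limit', 'counter' and 'meta pkttype host' do not narrow traffic.
SELECTIVE = re.compile(
    r"\b(ct state|iif|iifname|oif|oifname|ip protocol|ip saddr|ip daddr|"
    r"ip6 saddr|ip6 daddr|tcp dport|tcp sport|udp dport|udp sport|"
    r"meta l4proto|icmp type|icmpv6 type)\b"
)

def shadowed_accepts(ruleset: str) -> list:
    """Return (chain, rule) for every accept rule listed after a catch-all
    reject/drop in the same chain; only traffic the earlier rule lets past reaches it."""
    findings, chain, blocker = [], None, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            chain, blocker = m.group(1), None   # new chain: reset the shadowing state
            continue
        if line == "}":
            chain = None
            continue
        if chain is None or line.startswith("type "):
            continue                            # table lines and chain header
        rule = re.sub(r'\s+comment ".*"$', "", line)                        # drop trailing comment
        rule = re.sub(r"counter packets \d+ bytes \d+", "counter", rule)   # strip live counters
        if re.search(r"\b(reject|drop)\b", rule) and not SELECTIVE.search(rule):
            blocker = rule
        elif blocker and re.search(r"\baccept\b", rule):
            findings.append((chain, rule))
    return findings

if __name__ == "__main__":
    for chain, rule in shadowed_accepts(SAMPLE):
        print(f"chain {chain}: '{rule}' is listed after a catch-all reject/drop")
```

Pipe real output in with `sudo nft list ruleset | python3 check.py` after swapping `SAMPLE` for `sys.stdin.read()`; an empty result means every accept precedes any catch-all reject/drop in its chain.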