How do I set an nft rule so an SSH tunnel works?

Below is a sample nft configuration. I can make SSH connections with a broad match rule. However, SSH tunneling fails when these rules are active. What is the minimal rule change needed?

table ip secureZone {
    chain inFilter {
        type filter hook input priority 0; policy drop;
        tcp dport 22 accept
    }
}

You need to add an established/related state rule. Put a rule like ‘ct state established, related accept’ just before the drop so tunnel packets are allowed.
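
The answer's rule applied to the question's table, as an added example that is not part of the original posts. The loopback rule is an assumption that goes beyond the answer: it covers tunnels whose destination is a service on the same host, since that traffic also passes through the input hook.

```nft
#!/usr/sbin/nft -f
# Added example: the question's table with the answer's conntrack rule applied.

# Declare-then-delete so the file can be reloaded without duplicating rules.
table ip secureZone
delete table ip secureZone

table ip secureZone {
    chain inFilter {
        type filter hook input priority 0; policy drop;

        # Replies to connections that are already tracked. This includes
        # the outbound connections sshd opens on behalf of a forwarded
        # port: their return packets arrive on an ephemeral port, not 22,
        # so the dport 22 rule alone lets the chain policy drop them.
        ct state established,related accept

        # Assumption: some tunnels point at a service on this host itself.
        # Those packets arrive on the loopback interface and are new
        # connections, so the conntrack rule above does not match them.
        iif "lo" accept

        # New inbound SSH sessions (unchanged from the original ruleset).
        tcp dport 22 accept
    }
}
```

After loading the file with `nft -f`, `nft list chain ip secureZone inFilter` shows the rule order actually in effect. The conntrack rule sits first so that established flows are accepted before any other matching is attempted.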