If you have a default DROP INPUT policy, even the response packets from your outgoing connections will get dropped.
To accept those, add this input rule:
iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
As for your last question, in your c and d example (assuming empty rules before those commands) you are setting a first rule that drops everything and a second rule that would accept traffic from a certain network. IPTABLES grabs a match as soon as it can, so the first rule always matches (no condition set) and every rule after that won't execute. Exceptions to a rule must be defined before the rule.
In the first example (-P INPUT DROP), you are setting a last rule that will catch whatever was not matched before, so any exception added will be executed before that default rule (-P).
-I inserts into a certain position (for example, in my previous command, I am setting the ESTABLISHED,RELATED rule to be the first so it matches no matter what you set after that).
-A appends to the rule list, so it will be matched just before the default.
If you want to achieve the same as the first example with explicit rules (like c and d), you should exchange positions of those.
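The first-match behaviour described above, as an added example that is not part of the original answer: a small Python model of an iptables INPUT chain (policy, -A append, -I insert, first matching rule wins) so you can compare the "DROP first, ACCEPT later" ordering against "-P INPUT DROP plus exceptions". The network 192.0.2.0/24 and the sample addresses are constructed test values.

```python
# Added example (not from the original answer): a minimal model of iptables
# first-match evaluation to show why rule order and -I vs -A matter.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass
class Rule:
    target: str                                   # "ACCEPT" or "DROP"
    src: Optional[str] = None                     # source network to match; None = any
    ctstate: FrozenSet[str] = frozenset()         # conntrack states to match; empty = any


@dataclass
class Chain:
    policy: str = "ACCEPT"                        # -P INPUT <policy>: used when nothing matches
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:         # -A: goes last, checked just before the policy
        self.rules.append(rule)

    def insert(self, pos: int, rule: Rule) -> None:  # -I <pos>: 1-based, as iptables counts
        self.rules.insert(pos - 1, rule)

    def verdict(self, src: str, state: str) -> str:
        for rule in self.rules:                   # first matching rule decides; later rules never run
            if rule.src and ip_address(src) not in ip_network(rule.src):
                continue
            if rule.ctstate and state not in rule.ctstate:
                continue
            return rule.target
        return self.policy


def drop_then_accept() -> Chain:
    """The 'c and d' ordering: an unconditional DROP appended before the ACCEPT."""
    c = Chain()
    c.append(Rule("DROP"))                        # matches everything, so the next rule is dead
    c.append(Rule("ACCEPT", src="192.0.2.0/24"))  # constructed network, never reached
    return c


def policy_drop_with_exceptions() -> Chain:
    """-P INPUT DROP, an -A exception for one network, and the conntrack rule via -I INPUT 1."""
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", src="192.0.2.0/24"))
    c.insert(1, Rule("ACCEPT", ctstate=frozenset({"ESTABLISHED", "RELATED"})))
    return c
```

With the first chain every packet is dropped, including from 192.0.2.0/24; with the second, that network and all ESTABLISHED/RELATED replies are accepted and everything else falls through to the DROP policy.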
If you open Defender and click on Firewall and network protection, you will find separate settings for private and public networks with the same options, including one at the bottom to block all incoming connections, regardless of application permissions.
I can't easily test this, but it appears to do what you want. You will need to set it separately for both network classes.
Try this with root access:
Note that this will brutally cut all running connections - this includes things like the SSH connection you may use to administer the server. Only use this if you have access to a local console.
See Miphix' answer for how to add an exception for SSH.