Firewall blocks apt-get update

  • Hello,


    I need a firewall expert to get rid of this. I tried everything I could imagine but my apt-get update is still broken.


    Here are my rules:



    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [105:16224]
    :fail2ban-nginx-404 - [0:0]
    :fail2ban-nginx-badbots - [0:0]
    :fail2ban-nginx-badrequests - [0:0]
    :fail2ban-nginx-ddos - [0:0]
    :fail2ban-owncloud - [0:0]
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 32400 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 32443 -j ACCEPT
    -A INPUT -p tcp -m iprange --src-range 192.168.170.20-192.168.170.30 -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m iprange --src-range 192.168.170.1-192.168.170.30 -m tcp --dport 80 -j ACCEPT
    -A INPUT -d 192.168.170.11/32 -p icmp -m iprange --src-range 192.168.170.1-192.168.170.30 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 2049 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 2049 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 111 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 111 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 32764:32769 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 32764:32769 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -p tcp -m tcp --dport 548 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -p tcp -m tcp --dport 139 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 32410:32414 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 32469 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 1900 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p udp -m udp --dport 5353 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p tcp -m tcp --dport 9091 -j ACCEPT
    -A INPUT -s 192.168.170.0/24 -d 192.168.170.11/32 -p icmp -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p udp -m udp --sport 53 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-port-unreachable
    COMMIT



    sudo apt-get update says


    cornelius@omv:~$ sudo apt-get update
    Ign file: Release.gpg
    Ign file: Release
    Ign file: Translation-de_DE
    Ign file: Translation-de
    Ign file: Translation-en
    41% [Verbindung mit debian.ethz.ch (129.132.53.171)] [Verbindung mit security.debian.org (212.211.132.250)] [Verbindung mit ftp.debian.org (130.89.148.12)] [Verbindung mit packages.omv-extras.org (5.9.105.28)] [Verbindung mit dh2k.omv-ex^


    If I remove the reject rule, it works again. What am I missing? The repo uses HTTP, which is open. DNS is also open.


    No OUTPUT rules at the moment.

  • Solved, I missed the rule for accepting returning traffic.


    This can be added via the Additional Options field.


    INPUT, ACCEPT
    Protocol: ALL
    Additional Options: -m conntrack --ctstate ESTABLISHED,RELATED
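    The rule the second post adds is the one thing a filtering INPUT chain cannot do without: with an unconditional REJECT at the end and no accept for ESTABLISHED,RELATED traffic before it, every reply packet to an outbound connection (apt's HTTP fetches included) is rejected. The following is an added example, not the poster's configuration: a small sh/awk lint that classifies an iptables-save dump as "broken" (terminal REJECT/DROP, or a DROP policy, with no stateful accept before it), "ok", or "open" (no terminal rule, so nothing is filtered). The sample rulesets are constructed here, cut down from the rules posted above.

```shell
#!/bin/sh
# Added example, not from the forum thread: a static lint for an iptables-save
# dump that spots the mistake discussed above, an INPUT chain ending in an
# unconditional REJECT/DROP with no earlier rule that accepts reply traffic
# (-m conntrack --ctstate ESTABLISHED,RELATED, or the older -m state form).
# Pure text processing: nothing is loaded into the kernel.

# Prints one word for the ruleset passed as a string: broken | ok | open
check_return_traffic() {
    printf '%s\n' "$1" | awk '
        /^\*/             { table = substr($0, 2) }   # *filter, *nat, *mangle ...
        table != "filter" { next }                    # only the filter table matters
        /^:INPUT /        { policy = $2 }             # chain policy: ACCEPT or DROP
        /^-A INPUT / {
            if (terminal) next                        # rules after the REJECT never match
            if ($0 ~ /-j ACCEPT/ && $0 ~ /ESTABLISHED/ && $0 ~ /--(ctstate|state) /)
                stateful = 1
            # a REJECT/DROP with no -s/-d/-p/-i/-m match is an unconditional terminal rule
            if ($0 ~ /-j (REJECT|DROP)( |$)/ && $0 !~ /-(s|d|p|i|m) /)
                terminal = 1
        }
        END {
            if (!terminal && policy == "ACCEPT") print "open"    # nothing is filtered
            else if (stateful)                    print "ok"     # replies are let in
            else                                  print "broken" # replies get rejected
        }'
}

# Constructed sample: the thread's INPUT chain cut down to the rules that matter.
BROKEN='*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# The fix from the second post, inserted just before the REJECT.
FIXED=$(printf '%s\n' "$BROKEN" | awk '
    /-j REJECT/ { print "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" }
    { print }')

# What the poster tried first: dropping the REJECT. apt works, but nothing is filtered.
OPEN=$(printf '%s\n' "$BROKEN" | grep -v -- '-j REJECT')

echo "original ruleset: $(check_return_traffic "$BROKEN")"   # broken
echo "with conntrack:   $(check_return_traffic "$FIXED")"    # ok
echo "REJECT removed:   $(check_return_traffic "$OPEN")"     # open
```

    The same check works on a live dump via `iptables-save | ...` once the function reads a file instead of a string; the "--sport 53" accept in the original rules only lets DNS replies through, which is why name resolution worked while the HTTP fetches hung.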
