Hi - Thanks for the response - I disabled iptables and everything works fine (on a hunch after I read another post about Android clients trying to connect). I'm pretty certain this is related to why openssl debug upload isn't working (though I can curl an https address with no issues from the pihole).
Not really sure what's going on, as I'm allowing DNS, http and rejecting https as per the instructions on the link. Here's my iptables:
root@pihole:/usr/local/bin# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp spt:ssh ctstate NEW,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
ACCEPT tcp -- anywhere anywhere tcp dpt:51107
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:domain
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:http
ACCEPT udp -- 192.168.1.0/24 anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:9000 ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:9000 ctstate NEW,RELATED,ESTABLISHED
REJECT tcp -- 192.168.1.0/24 anywhere tcp dpt:https reject-with tcp-reset
REJECT udp -- 192.168.1.0/24 anywhere udp dpt:80 reject-with icmp-port-unreachable
REJECT udp -- 192.168.1.0/24 anywhere udp dpt:443 reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp dpt:ssh
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP tcp -- anywhere ROUTER tcp dpt:https
DROP tcp -- anywhere ROUTER tcp dpt:ssh
DROP tcp -- anywhere ROUTER tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http ctstate NEW,ESTABLISHED
ACCEPT tcp -- 192.168.1.0/24 anywhere tcp spt:http ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:domain ctstate NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain ctstate NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:domain ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:51107 ctstate NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:ipsec-nat-t ctstate ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:isakmp ctstate ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:9000 ctstate NEW,RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:9000 ctstate NEW,RELATED,ESTABLISHED
And specifically the input chain verbosely:
root@pihole:~# iptables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
216 17663 ACCEPT all -- lo any anywhere anywhere
475 40088 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:ssh ctstate NEW,ESTABLISHED
1134 105K ACCEPT all -- any any anywhere anywhere state NEW,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:isakmp
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipsec-nat-t
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:51107
0 0 ACCEPT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:domain
0 0 ACCEPT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:http
0 0 ACCEPT udp -- any any 192.168.1.0/24 anywhere udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9000 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:9000 ctstate NEW,RELATED,ESTABLISHED
0 0 REJECT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:https reject-with tcp-reset
0 0 REJECT udp -- any any 192.168.1.0/24 anywhere udp dpt:80 reject-with icmp-port-unreachable
0 0 REJECT udp -- any any 192.168.1.0/24 anywhere udp dpt:443 reject-with icmp-port-unreachable
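An added example, not part of the original post: iptables stops at the first terminating rule that matches a packet, so this Python sketch parses the INPUT chain from the verbose listing above and reports which rules sit behind the broad `state NEW,ESTABLISHED` ACCEPT, together with their packet counters. The rule lines are copied from the listing; the function names are hypothetical.

```python
import re

# INPUT chain rules copied from the `iptables -L -v` listing in the post.
LISTING = """\
216 17663 ACCEPT all -- lo any anywhere anywhere
475 40088 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:ssh ctstate NEW,ESTABLISHED
1134 105K ACCEPT all -- any any anywhere anywhere state NEW,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:isakmp
0 0 ACCEPT udp -- any any anywhere anywhere udp dpt:ipsec-nat-t
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:51107
0 0 ACCEPT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:domain
0 0 ACCEPT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:http
0 0 ACCEPT udp -- any any 192.168.1.0/24 anywhere udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:9000 ctstate NEW,RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp spt:9000 ctstate NEW,RELATED,ESTABLISHED
0 0 REJECT tcp -- any any 192.168.1.0/24 anywhere tcp dpt:https reject-with tcp-reset
0 0 REJECT udp -- any any 192.168.1.0/24 anywhere udp dpt:80 reject-with icmp-port-unreachable
0 0 REJECT udp -- any any 192.168.1.0/24 anywhere udp dpt:443 reject-with icmp-port-unreachable
"""

def parse(listing):
    """Split each rule line into the columns of `iptables -L -v`."""
    keys = ("pkts", "bytes", "target", "prot", "opt", "in", "out", "src", "dst")
    rules = []
    for num, line in enumerate(listing.splitlines(), 1):
        f = line.split()
        rules.append(dict(zip(keys, f[:9]), num=num, match=" ".join(f[9:])))
    return rules

def is_catch_all(rule):
    """True if the rule decides every NEW and ESTABLISHED packet from any source."""
    wide = (rule["prot"], rule["in"], rule["src"], rule["dst"]) == ("all", "any", "anywhere", "anywhere")
    m = re.fullmatch(r"(?:ct)?state (\S+)", rule["match"])
    return (wide and rule["target"] in ("ACCEPT", "DROP", "REJECT")
            and m is not None and {"NEW", "ESTABLISHED"} <= set(m.group(1).split(",")))

def shadowed(rules):
    """First catch-all rule, plus the later rules it hides from NEW/ESTABLISHED packets."""
    for i, rule in enumerate(rules):
        if is_catch_all(rule):
            return rule, rules[i + 1:]
    return None, []

if __name__ == "__main__":
    first, later = shadowed(parse(LISTING))
    print(f"rule {first['num']} ({first['target']} {first['match']}) matched {first['pkts']} packets")
    for r in later:
        print(f"  rule {r['num']:>2}: {r['target']} {r['prot']} {r['match']} -> {r['pkts']} packets")
```

Rules listed after the catch-all are only evaluated for packets it does not match, such as those in the RELATED or INVALID state, which is consistent with their zero counters in the listing.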