[SOLVED] nftables help

o5gmmob8
l33t
Posts: 737
Joined: Fri Oct 17, 2003 9:17 pm
Post by o5gmmob8 » Sun Oct 12, 2025 10:01 pm

I thought I had this sorted out, but I'm still having issues, in particular with my Chromecast and Vizio TV, which has a Chromecast built-in.

I originally migrated my ruleset from pf (FreeBSD), and I suppose the shortcut I used to make it work also let everything pass:

#iifname vmap {
# veth: accept,
# lan: accept,
# "bridge": accept
#}

I noticed in my rules that I specified oifname wan everywhere, so subsequent rules were not working because I only allowed traffic out through the wan, but not through any of the intermediate interfaces. So I think I sorted that out, but the only thing that remains appears to be the Chromecast and Vizio TV.

This is my forward chain:

Code:

chain forward {
  type filter hook forward priority 0; policy drop;

  ct state vmap { established : accept, related : accept, invalid : drop }

# without this, it seems the router itself cannot get to the Internet (via curl), ping still works
# correction, the router was unable to get to the Internet with this
#iifname vmap {
#       veth: accept,
#       lan: accept,
#       "bridge": accept
#}

  include "forward/communication/wechat.nft"
  include "forward/communication/google-voice.nft"
  include "forward/communication/whats-app.nft"
  include "forward/communication/apple-facetime.nft"
  include "forward/communication/gmail.nft"

  include "forward/web.nft"
  include "forward/westinghouse-vpn.nft"

  include "forward/whois.nft"

  include "forward/gaming/steam.nft"
  include "forward/gaming/fortnite.nft"
  include "forward/gaming/roblox.nft"

  include "forward/development/keyservers.nft"
  include "forward/development/vscode.nft"
  include "forward/development/github.nft"

  include "forward/amazon-echo.nft"
  include "forward/google-home.nft"

  include "forward/android-play-store.nft"

  include "forward/library-clients.nft"

  # Internet access is not required and may only be needed for the initial setup
  include "forward/tp-link-switch.nft"
  ###include "forward/ayi-robot-mower.nft"

  include "forward/gentoo-rsync.nft"

  log prefix "forward.dropped:"
}

chain postrouting {
  type nat hook postrouting priority 100; policy accept;
  ip saddr $LOCAL_NETWORK_CIDR oifname wan masquerade
}

chain prerouting {
  type nat hook prerouting priority 0;

#  ip daddr 8.8.8.8 tcp dport domain dnat to 192.168.72.1:53
#  ip daddr 8.8.8.8 udp dport domain dnat to 192.168.72.1:53

  ip daddr 0.0.0.0/0 tcp dport domain dnat to 192.168.72.1:53
  ip daddr 0.0.0.0/0 udp dport domain dnat to 192.168.72.1:53

  ip daddr 0.0.0.0/0 udp dport ntp dnat to 192.168.72.100:123
}

And my chromecast.nft:

Code:

define CHROMECAST_OUTBOUND_TCP_PORTS = { http, https, 5228 }
define GOOGLE_DNS_SERVERS = { 8.8.8.8, 8.8.4.4 }

ip saddr @group_chromecast ip daddr $GOOGLE_CIDR icmp accept
ip saddr @group_chromecast ip daddr $GOOGLE_CIDR tcp dport $CHROMECAST_OUTBOUND_TCP_PORTS accept

# PBS kids
ip saddr @group_chromecast ip daddr $GOOGLE_DNS_SERVERS icmp accept
ip saddr @group_chromecast ip daddr $GOOGLE_DNS_SERVERS tcp dport domain accept
ip saddr @group_chromecast ip daddr $GOOGLE_DNS_SERVERS udp dport domain accept

# Vizio
#ip saddr @group_chromecast ip daddr @dynamic_network_ntp_servers udp dport ntp accept
ip saddr @group_chromecast udp dport ntp accept

web.nft:

Code:

ip saddr @group_web_client tcp dport { http, https } accept
ip saddr @group_web_client udp dport { http, https } accept

I update the group_chromecast and group_web_client sets via cron so that I can control when devices have network access. Part of that operation is a flush of the connection tracking table for the specific IP address(es). AFAIK, when the device is in the set, it can talk to the Internet, but I find myself struggling to identify what traffic is passing and what is not. With pf, I set up pseudo-interfaces and could see exactly which rules were causing it to be dropped (I used a total of 8 pseudo-interfaces so I could see if it was being dropped on the LAN side, WAN side, IP block filter, etc.).

I am using tcpdump, writing that to a file, and then using Wireshark to make it easier to follow streams. My best estimate is that it thinks it is not connected because it appears NTP traffic is not being answered by my NTP server running locally.

I should also note that for the Vizio, a significant part of the problem is that it seems reluctant to perform a DHCPREQUEST.
Last edited by o5gmmob8 on Thu Oct 16, 2025 4:11 pm, edited 1 time in total.

Post by o5gmmob8 » Sun Oct 12, 2025 10:19 pm

So, it seems the Chromecasts work; the problem was that they both were not added to either set. Now they're both in my crontab, but it appears only the Vizio was added, and it still hasn't 'asked' for an IP address.

/etc/crontab [dcron]:

Code:

PATH=/bin:/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin
# for dcron
# dcron:
# This is NOT the system crontab! dcron does not support a system crontab.
# to get /etc/cron.{hourly|daily|weekly|monthly} working with dcron run
# crontab /etc/crontab
# as root.
# NOTE: This will REPLACE root's current crontab!!
# check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
59   *  * * *  rm -f /var/spool/cron/lastrun/cron.hourly
9    3  * * *  rm -f /var/spool/cron/lastrun/cron.daily
19   4  * * 6  rm -f /var/spool/cron/lastrun/cron.weekly
29   5  1 * *  rm -f /var/spool/cron/lastrun/cron.monthly
*/10 *  * * *  test -x /usr/sbin/run-crons && /usr/sbin/run-crons

# snippet of set modification
25 18 * * 1-5 nft add element ip global group_fortnite_client '{ 192.168.72.10 }' >/dev/null 2&>1
35 20 * * 0-4 nft delete element ip global group_fortnite_client '{ 192.168.72.10 }' >/dev/null 2&>1
35 20 * * 0-4 conntrack -D -s 192.168.72.10 >/dev/null 2&>1
35 20 * * 0-4 conntrack -D -d 192.168.72.10 >/dev/null 2&>1

I think at least part of this issue is dcron. Why would one thing run and another not? Is it not possible to have multiple entries at the same time?
RumpletonBongworth
Apprentice
Posts: 152
Joined: Mon Jun 17, 2024 1:17 am

Post by RumpletonBongworth » Mon Oct 13, 2025 7:24 am

o5gmmob8 wrote: I update the group_chromecast and group_web_client sets via cron so that I can control when devices have network access. Part of that operation is a flush of the connection tracking table for the specific IP address(es). AFAIK, when the device is in the set, it can talk to the Internet, but I find myself struggling to identify what traffic is passing and what is not. With pf, I set up pseudo-interfaces and could see exactly which rules were causing it to be dropped (I used a total of 8 pseudo-interfaces so I could see if it was being dropped on the LAN side, WAN side, IP block filter, etc.).

There are various means by which a ruleset may be debugged. In roughly ascending order of sophistication:
  • Printing the ruleset with nft list ruleset so as to read and assess it
  • Adding counter directives to rules so as to determine whether they are matched
  • Adding log directives to rules to log a message whenever the conditions to their left are matched
  • Using meta nftrace directives to mark a packet for real-time tracing with nft monitor trace, up to and including its ultimate fate
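The four techniques above applied to the setup in the first post, as an added example that is not the ruleset from the thread. It assumes a table named global, a Chromecast at 192.168.72.50 (a constructed address; the set name group_chromecast and the NTP server 192.168.72.100 are taken from the posted rules) and a debug_hosts set that you add a device to while you are looking at it. The state shortcut gets anonymous counters, the per-service accepts get named counters, traffic from a debug host is marked for nft monitor trace, and the fall-through is counted and rate-limited before the policy drop.

```nft
#!/usr/sbin/nft -f
# Added debugging example, not the thread's ruleset. Assumed names: table "global",
# set "group_chromecast", a Chromecast at 192.168.72.50 (constructed) and the LAN NTP
# server 192.168.72.100 from the posted prerouting chain.
# Check syntax without loading: nft -c -f debug.nft   Load: nft -f debug.nft

table ip global {
    set group_chromecast {
        type ipv4_addr
        elements = { 192.168.72.50 }
    }

    # Hosts whose every forwarded packet is traced. Add or remove at runtime:
    #   nft add element ip global debug_hosts { 192.168.72.50 }
    #   nft delete element ip global debug_hosts { 192.168.72.50 }
    set debug_hosts {
        type ipv4_addr
        elements = { 192.168.72.50 }
    }

    # Named counters: read with 'nft list counters ip global', zero with
    # 'nft reset counters ip global', independently of the rules that feed them.
    counter cc_ntp_accepted { }
    counter cc_dns_accepted { }
    counter forward_dropped { }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # 1) Tracing: 'nft monitor trace' then prints every rule a packet from a
        #    debug host touches, ending with the verdict that decided its fate.
        ip saddr @debug_hosts meta nftrace set 1

        # 2) Anonymous counters on the state shortcut. If "established" stays at zero
        #    while the device is in the set, replies never come back through this
        #    box, or the cron-driven conntrack flush is discarding live flows.
        ct state invalid counter drop
        ct state { established, related } counter accept

        # 3) Named counters on the per-service accepts for the device group.
        ip saddr @group_chromecast udp dport ntp counter name cc_ntp_accepted accept
        ip saddr @group_chromecast ip daddr { 8.8.8.8, 8.8.4.4 } tcp dport domain counter name cc_dns_accepted accept
        ip saddr @group_chromecast ip daddr { 8.8.8.8, 8.8.4.4 } udp dport domain counter name cc_dns_accepted accept

        # 4) Everything that falls through: count all of it, log a rate-limited
        #    sample (kernel log, prefix "forward.dropped: "), then the chain policy drops it.
        counter name forward_dropped limit rate 10/minute burst 5 packets log prefix "forward.dropped: " level info
    }
}
```

Run nft -a list ruleset once to map the rule handles that nft monitor trace prints back to the rules above, and watch the kernel log (dmesg or journalctl -k) for the forward.dropped prefix. One thing this instrumentation makes visible in the posted configuration: prerouting DNATs every NTP request to 192.168.72.100. If that server sits on the same LAN segment as the Chromecast, its reply can go to the client directly without passing back through the router, arriving from a source address the client never sent to; the request counter climbs, but no established flow ever forms and the client treats NTP as unanswered. The usual remedies are to also masquerade DNATed LAN-to-LAN traffic in postrouting, or to hand the devices the local server's address directly instead of rewriting.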

Post by RumpletonBongworth » Mon Oct 13, 2025 7:33 am

Your crontab is chock full of erroneous shell redirections. To wit:

Code:

# If not bash, executes true in the background with a single argument of "2"; opens STDOUT on /dev/null then on a file named "1".
# If bash, executes true in the foreground with a single argument of "2"; opens STDOUT on /dev/null then STDOUT and STDERR on a file named "1".
true >/dev/null 2&>1


# How it ought to be done.
true >/dev/null 2>&1

Small wonder, then, that your conntrack commands won't work (and also an example of why throwing STDERR away is not necessarily a good idea).

EDIT: For that matter, I'm not sure what the effect of incorporating "2" as a conntrack(8) argument is. Regardless, you should not be doing it.

Post by o5gmmob8 » Mon Oct 13, 2025 10:06 am

Thanks for the detailed responses.

I did not see that; that is a good catch. Ah, yes, that is a major, major typo.

Post by o5gmmob8 » Thu Oct 16, 2025 4:11 pm

It appears that was it. I've had my rules running for a few days and it is working as expected. I glossed over that typo, which now sticks out like a sore thumb.

Thanks,
grknight
Retired Dev
Posts: 2549
Joined: Fri Feb 20, 2015 9:36 pm

Post by grknight » Thu Oct 16, 2025 4:20 pm

For cron jobs, I like to use the chronic tool from sys-apps/moreutils.

It only produces output when the command it runs returns a failure status (non-zero) and otherwise swallows all other output (the equivalent of >/dev/null 2>&1).
No need for syntax issues here.
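An added example, not code from the thread, covering both the redirection point above and the chronic suggestion: a small lint that flags the 2&>1 typo in a crontab, a demonstration of what that typo actually does when /bin/sh runs the line, and the posted entries rewritten with chronic. The crontab text is constructed from the snippet earlier in the thread, and fake_conntrack is a stand-in that records its arguments, not conntrack(8).

```sh
#!/bin/sh
# Added example, not from the thread: a lint for the "2&>1" mis-typing of "2>&1" in a
# crontab, a demonstration of what the typo actually does under /bin/sh, and the same
# entries rewritten with chronic (sys-apps/moreutils). The crontab text is constructed
# from the snippet in the thread; "fake_conntrack" is a stand-in, not conntrack(8).

# The four lines as posted (buggy redirections), for the lint to chew on.
posted_crontab() {
    cat <<'EOF'
25 18 * * 1-5 nft add element ip global group_fortnite_client '{ 192.168.72.10 }' >/dev/null 2&>1
35 20 * * 0-4 nft delete element ip global group_fortnite_client '{ 192.168.72.10 }' >/dev/null 2&>1
35 20 * * 0-4 conntrack -D -s 192.168.72.10 >/dev/null 2&>1
35 20 * * 0-4 conntrack -D -d 192.168.72.10 >/dev/null 2&>1
EOF
}

# The same entries corrected. chronic runs the command, discards its output on success
# and prints it (so cron mails it) on a non-zero exit, which is what ">/dev/null 2>&1"
# was trying, badly, to approximate.
corrected_crontab() {
    cat <<'EOF'
25 18 * * 1-5 chronic nft add element ip global group_fortnite_client '{ 192.168.72.10 }'
35 20 * * 0-4 chronic nft delete element ip global group_fortnite_client '{ 192.168.72.10 }'
35 20 * * 0-4 chronic conntrack -D -s 192.168.72.10
35 20 * * 0-4 chronic conntrack -D -d 192.168.72.10
EOF
}

# Lint: any "&>" in a crontab is wrong. Either it is the 2&>1 typo, or it is bash's
# "&>file" shorthand, which cron's /bin/sh (often dash) parses as "&" then ">file".
# Prints offending lines with their numbers; returns 1 if any were found, 0 otherwise.
lint_crontab_redirections() {
    if grep -nE '&>' "$1"; then
        return 1
    fi
    return 0
}

# Run the posted conntrack line with a stand-in command inside a scratch directory and
# report what really happened: the command sees an extra argument "2", and a stray
# file named "1" appears in the working directory (for cron, the job owner's home).
demonstrate_bad_redirection() {
    dir=$(mktemp -d) || return 2
    (
        cd "$dir" || exit 2
        fake_conntrack() { printf '%s\n' "$*" >argv.txt; }   # records its argv
        # The posted line, command swapped for the stand-in, redirections untouched:
        fake_conntrack -D -s 192.168.72.10 >/dev/null 2&>1
        wait   # /bin/sh backgrounded the command ("... 2 &"), so wait for argv.txt
    )
    stray=no
    [ -e "$dir/1" ] && stray=yes
    seen=$(cat "$dir/argv.txt")
    rm -rf "$dir"
    printf 'stray_file=%s argv=[%s]\n' "$stray" "$seen"
}

# Stand-alone run: lint both versions, then show the side effects of the typo.
tmp=$(mktemp -d) || exit 2
posted_crontab >"$tmp/posted"
corrected_crontab >"$tmp/corrected"
lint_crontab_redirections "$tmp/posted" || echo "posted crontab: suspicious redirections listed above"
lint_crontab_redirections "$tmp/corrected" && echo "corrected crontab: clean"
rm -rf "$tmp"
demonstrate_bad_redirection
```

Running it prints the four offending lines, "corrected crontab: clean", and then stray_file=yes with the stand-in's argv ending in a lone 2: the posted line never reached conntrack with the arguments intended, and the file named 1 is the tell-tale to look for in root's home directory. The lint is deliberately blunt (it flags every &>) because cron hands jobs to /bin/sh, where bash's &> shorthand is not a redirection at all.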

Post by o5gmmob8 » Thu Oct 16, 2025 4:30 pm

Thanks, I will have to check that out.

EDIT:
It appears that at least one other issue preventing the Chromecast from working was that NTP traffic wasn't working. I set up a local NTP server to reduce outbound traffic; however, that doesn't appear to be functioning, due to either a misconfiguration or a firewall misconfiguration.
© 2001–2026 Gentoo Foundation, Inc.
