Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
nftables rules syntax error
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2  
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3690
Location: Dallas area

PostPosted: Mon Oct 01, 2018 1:36 pm    Post subject: Reply with quote

josephg wrote:
Anon-E-moose wrote:
as far as it being because of both iptables and nftables, I wouldn't think so, unless you're mixing the two together at the same time.

i did mix the two together at times, and wondered if that perhaps contributed to my issues.
nftables wiki wrote:
Beware of using both the nft and the legacy tools at the same time. That means using both x_tables and nf_tables kernel subsystems at the same time, and could lead to unexpected results.

Apparently you can run both together. The result is an AND of both their rulesets.
http://wiki.nftables.org/wiki-nftables/index.php/Troubleshooting#Question_4._How_do_nftables_and_iptables_interact_when_used_on_the_same_system.3F

But that is not my intention. I like how nfttables is so much more cleaner than iptables.


I think what they meant by both is the rules being written either way will work (with the correct kernel settings and modules),
but I'm not sure them mean run ip_tables and nf_tables modules at the same time, especially if they're both trying to work on the same packet.
That would probably cause conflict, 2 different modules trying to handle a single incoming packet, I would think that would be a bad idea.
IPtables could be built along with nftables, but you might blacklist the iptables modules
or if you've run iptables, before running nftables, make sure that the iptables modules are unloaded first.
In other words don't have /etc/init.d/iptables and /etc/init.d/nftables active at the same time.

Edit to add: This seems like a reasonable intro https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/
and this https://linux-audit.com/differences-between-iptables-and-nftables-explained/
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Fri Oct 05, 2018 8:36 pm    Post subject: Reply with quote

thanks folks for your kind encouragement. i have persevered and i think i have got nftables working now. i stopped iptables, and ensured none of those modules were loaded. nftables is working with these modules loaded:
Code:
$ lsmod | egrep "table|nf"
nf_log_ipv4            16384  3
nf_log_common          16384  1 nf_log_ipv4
nft_log                16384  3
nf_conntrack_ipv4      16384  5
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
nft_counter            16384  15
nft_meta               16384  8
nft_ct                 16384  5
nf_conntrack           53248  2 nft_ct,nf_conntrack_ipv4
nf_tables_ipv4         16384  4
nf_tables              69632  63 nft_ct,nf_tables_ipv4,nft_meta,nft_counter,nft_log
nfnetlink              16384  1 nf_tables

now i can focus on getting my rules right.
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Fri Oct 05, 2018 8:43 pm    Post subject: Reply with quote

i do have a slight problem though. i can't seem to use sets in my ruleset.

for example, this works
Code:
udp dport 137 counter drop
udp dport 57621 counter drop


but this doesn't work
Code:
udp dport {137,57621} counter drop

giving errors like so
Code:
nftables.rules:16:27-37: Error: Could not process rule: Operation not supported
                udp dport {137,57621} counter drop
                          ^^^^^^^^^^^
nftables.rules:16:27-37: Error: Could not process rule: No such file or directory
                udp dport {137,57621} counter drop
                          ^^^^^^^^^^P

is there some kernel module for sets?
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Fri Oct 05, 2018 8:47 pm    Post subject: Reply with quote

similarly, this works
Code:
tcp dport 57621 counter drop
udp dport 57621 counter drop


but this doesn't work
Code:
{tcp,udp} dport 57621 counter drop

gives error
Code:
nftables.rules.jgv:18:27-31: Error: syntax error, unexpected dport
                {tcp,udp} dport 57621 counter drop

_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3690
Location: Dallas area

PostPosted: Fri Oct 05, 2018 8:53 pm    Post subject: Reply with quote

Code:
iptables -A INPUT -p tcp -m multiport --dports 0:18,26:52,54:66,69:79,81:442,444:1024 -j LOG --log-prefix="IPTABLES:deny-tcp " --log-tcp-options --log-ip-options

nft add rule ip filter INPUT ip protocol tcp tcp dport { 0-18,26-52,54-66,69-79,81-442,444-1024} counter log prefix \"IPTABLES:deny-tcp \" flags tcp options flags ip options


This is what iptables-translate shows me *shrugs*

Edit to add: all the examples seem to show a space after the opening curly brace, you might put them in and see if they work.
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Fri Oct 05, 2018 9:44 pm    Post subject: Reply with quote

Anon-E-moose wrote:
all the examples seem to show a space after the opening curly brace, you might put them in and see if they work.

i don't think that space matters, but i'm still learning. i have seen all sorts of combinations with and without spaces in various examples. i have tried with spaces between curly braces and after commas, etc. and without.. they all give me the same error :(

fyi http://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Simple_IP.2FIPv6_Firewall
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3690
Location: Dallas area

PostPosted: Fri Oct 05, 2018 10:00 pm    Post subject: Reply with quote

Under iptables you would need the xt_multiport modules, but I don't know what the equivalent is under nftables, if there is one.

Edit to add: You might need the nft_set* modules whatever they're called.

You need them set in the kernel configuration

CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_BITMAP=m
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon


Last edited by Anon-E-moose on Fri Oct 05, 2018 10:14 pm; edited 1 time in total
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Fri Oct 05, 2018 10:12 pm    Post subject: Reply with quote

Anon-E-moose wrote:
Under iptables you would need the xt_multiport modules, but I don't know what the equivalent is under nftables, if there is one.

yes iptables needs multiport module. that's why i wondered if the something similar with nftables. all the docs i've read seem to suggest that this is nftables advantage over iptables and an integral part of nftables.

also, the nftables sets are not just for ports. you can combine just about everything, like protocols, flags, etc.
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3690
Location: Dallas area

PostPosted: Fri Oct 05, 2018 10:15 pm    Post subject: Reply with quote

See My above post, I was adding as you responded :oops:

When I get ready to go to nftables I'll do the same as iptables, I will set all options in kernel, even if I don't think I need them
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Fri Oct 05, 2018 10:48 pm    Post subject: Reply with quote

i went through each nft module many times over and still missed that keyword. compiling my kernel now. thanks.
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Fri Oct 05, 2018 11:27 pm    Post subject: Reply with quote

Anon-E-moose, Thank you! It is CONFIG_NFT_SET_HASH that I was missing :oops: I was clearly looking for set or something like that and went over many times over..
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
Anon-E-moose
Advocate
Advocate


Joined: 23 May 2008
Posts: 3690
Location: Dallas area

PostPosted: Fri Oct 05, 2018 11:32 pm    Post subject: Reply with quote

So it's all working now? Sweet, if so.

I wasn't sure which set was needed, and unless you select help it doesn't show the name,
but I looked at what was set in .config (I've set them but haven't compiled them yet)
_________________
Asus m5a99fx, FX 8320 - nouveau & radeon, oss4
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
4.14.62 kernel, profile 17.0 (no-pie) amd64-no-multilib
gcc 7.3.0, eudev, openrc, openbox, palemoon
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Sat Oct 06, 2018 12:00 am    Post subject: Reply with quote

Anon-E-moose wrote:
So it's all working now? Sweet, if so.

yes thanks all working now.. i need to refine my rules some more.

Anon-E-moose wrote:
I wasn't sure which set was needed, and unless you select help it doesn't show the name,
but I looked at what was set in .config (I've set them but haven't compiled them yet)

i was pretty sure i had looked at the help for each module.. now obvious i hadn't or didn't quite understand then
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
spidark
Tux's lil' helper
Tux's lil' helper


Joined: 01 Sep 2011
Posts: 142

PostPosted: Sun Oct 07, 2018 9:31 am    Post subject: Reply with quote

Sorry Guys, been busy, have a new adventure libressl / btrfs :D
But i read that all worked out :wink:
Code:

CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_RT=m
# CONFIG_NFT_NUMGEN is not set
CONFIG_NFT_CT=m
CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_BITMAP=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
# CONFIG_NFT_DUP_NETDEV is not set
# CONFIG_NFT_FWD_NETDEV is not set
# CONFIG_NFT_CHAIN_ROUTE_IPV4 is not set
CONFIG_NFT_REJECT_IPV4=m
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
# CONFIG_NFT_MASQ_IPV4 is not set
# CONFIG_NFT_REDIR_IPV4 is not set
# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NFTL is not set

_________________
Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Sun Oct 07, 2018 11:43 pm    Post subject: Reply with quote

spidark wrote:
Sorry Guys, been busy, have a new adventure libressl / btrfs :D

i love btrfs :) using it solely for the past few years.. no problems ever, except this one time with gentoo kernel 4.12 fiasco. now i stick with lts kernels only. currently my most stable is 4.9, and 4.14 is not stable enough. all these recent kernel problems that i've had is with 4.14 since i switched. i'm back to 4.9 now and no problems with nftables or oops.

spidark wrote:
But i read that all worked out :wink:

yes thank you. i had all but given up if not for you :roll:

i've removed iptables from my kernel, and i'm solely running nftables. still getting my head around, and need to fine tune my ruleset. so i'll keep this thread open for now. i still have some rule issues.

spidark wrote:
Code:

CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_RT=m
# CONFIG_NFT_NUMGEN is not set
CONFIG_NFT_CT=m
CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_BITMAP=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
# CONFIG_NFT_DUP_NETDEV is not set
# CONFIG_NFT_FWD_NETDEV is not set
# CONFIG_NFT_CHAIN_ROUTE_IPV4 is not set
CONFIG_NFT_REJECT_IPV4=m
# CONFIG_NFT_DUP_IPV4 is not set
# CONFIG_NFT_FIB_IPV4 is not set
# CONFIG_NFT_CHAIN_NAT_IPV4 is not set
# CONFIG_NFT_MASQ_IPV4 is not set
# CONFIG_NFT_REDIR_IPV4 is not set
# CONFIG_NFT_CHAIN_ROUTE_IPV6 is not set
CONFIG_NFT_REJECT_IPV6=m
# CONFIG_NFT_DUP_IPV6 is not set
# CONFIG_NFT_FIB_IPV6 is not set
# CONFIG_NFTL is not set


you know, not everything above is needed. i like to keep my kernel trim and remove what i don't use. i don't need routing, nat, ip6, etc. on this laptop and my current kernel is gentoo-sources-4.9.122. i think the number shows how many times i call them in my ruleset. i don't have any rbtree rules and nft_set_rbtree is not used. i can remove it, but it keeps getting loaded at boot. the ones in use can't be removed. you can see mine here.
Code:
$ lsmod | egrep "table|nf|xt_"
nf_log_ipv4            12288  3
nf_log_common          12288  1 nf_log_ipv4
nft_log                12288  3
nf_conntrack_ipv4      12288  6
nf_defrag_ipv4         12288  1 nf_conntrack_ipv4
nft_ct                 12288  6
nf_conntrack           45056  2 nft_ct,nf_conntrack_ipv4
nft_counter            12288  17
nft_meta               12288  14
nft_set_hash           16384  2
nft_set_rbtree         12288  0
nf_tables_ipv4         12288  5
nf_tables              53248  85 nft_ct,nft_set_hash,nf_tables_ipv4,nft_meta,nft_set_rbtree,nft_counter,nft_log
nfnetlink              12288  1 nf_tables

can you show me yours?
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Mon Oct 08, 2018 12:24 am    Post subject: Reply with quote

spidark wrote:
Can't remember where i got it from :( Sorry original author, and thanks )
However it does timeout my eix-sync and dhclient complains about ipv6 not permitted because of the drop state ( working on that )
Maybe you can figure it out.

Code:
#==== TO LIST sudo nft list ruleset
#==== TO DISCRIBE PORTS do sudo nft describe tcp dport

flush ruleset

table inet filter {
    set tcp_accepted {
        type inet_service; flags interval;
        elements = {
            http, https,rsync,
                   }
    }
    set udp_accepted {
        type inet_service; flags interval;
        elements = {
            domain,
        }
    }

    chain base_checks {
        # allow established/related connections
        ct state {established, related} accept

        # early drop of invalid connections
        ct state invalid log prefix "Invalid Input Connection: " drop
    }
    chain input {
        type filter hook input priority 0; policy drop;

        jump base_checks

        # allow from loopback
        iifname lo accept

        # allow icmp
        ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept

        # allow ports
        #tcp dport @tcp_accepted accept
        #udp dport @udp_accepted accept

        # everything else
        reject with icmpx type port-unreachable
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        log prefix "Dropped Forward Connection: "
    }

    chain output {
        type filter hook output priority 0; policy drop;
        jump base_checks
        # allow ports
        tcp dport @tcp_accepted accept
        udp dport @udp_accepted accept
        #log prefix "Invalid Output Connection: " Warning : This floods logs
    }
}



i have a few suggestions. i'd write all your rules inline, and make everything work first before making lots of chains. good thing you don't have a big ruleset.

you could combine your ip and ip6 rules to make them simpler, unless you want to do different things. i can't understand what you're trying to do with your icmp rules. perhaps this might help. http://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Icmp

the logic is the same as iptables. remove "ct state {established,related} accept" from base_checks and add it in input. add "ct state {established,new} accept" in output. unless this is a web/rsync serverremove the tcp_aacepted and udp_aacepted. your ruleset should work now.
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Mon Oct 08, 2018 12:39 am    Post subject: Reply with quote

on second thoughts, i've just re-written your rules as per my above suggestion. easier to write than explain. perhaps you can compare and understand. i have removed all spurious lines including comments etc.. so you can see the clean rules and perhaps follow the logic. hope this helps.
Code:
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid log prefix "Invalid Input Connection: " drop
        ct state {established,related} accept
        iif lo accept
        log prefix "Dropped Input Connection: " drop
    }
    chain output {
        type filter hook output priority 0; policy drop;
        ct state invalid log prefix "Invalid Output Connection: " drop
        ct state {established,new} accept
        oif lo accept
        log prefix "Dropped Output Connection: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        log prefix "Dropped Forward Connection: " drop
    }
}

_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey


Last edited by josephg on Tue Oct 09, 2018 8:32 am; edited 1 time in total
Back to top
View user's profile Send private message
spidark
Tux's lil' helper
Tux's lil' helper


Joined: 01 Sep 2011
Posts: 142

PostPosted: Mon Oct 08, 2018 5:15 pm    Post subject: Reply with quote

josephg wrote:
i love btrfs :) using it solely for the past few years.. no problems ever, except this one time with gentoo kernel 4.12 fiasco. now i stick with lts kernels only. currently my most stable is 4.9, and 4.14 is not stable enough. all these recent kernel problems that i've had is with 4.14 since i switched. i'm back to 4.9 now and no problems with nftables or oops.

Hi Josephg,

So that's what it was, IO /freezing issues, Yep i'm on 4.14.65-gentoo, did not dig deeper into it yet, but i'm back on ext2/4 for the meantime :)

Code:
you know, not everything above is needed. i like to keep my kernel trim and remove what i don't use. i don't need routing, nat, ip6, etc. on this laptop and my current kernel is gentoo-sources-4.9.122. i think the number shows how many times i call them in my ruleset. i don't have any rbtree rules and nft_set_rbtree is not used. i can remove it, but it keeps getting loaded at boot. the ones in use can't be removed. you can see mine here.


I reinstalled from scratch (libressl jeej :lol: ) , and trimmed lot of stuff i don't use or don't need, Next on the list nftables unneeded modules trimming session :lol:
I think i'm there already, but not sure.

There's mine.
Code:


lsmod | egrep "table|nf|xt_"
nf_log_ipv6            16384  2
nf_log_ipv4            16384  2
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
nft_reject_inet        16384  1
nft_reject             16384  1 nft_reject_inet
nft_meta               16384  7
nft_log                16384  2
nft_ct                 16384  2
nft_set_bitmap         16384  2
nft_set_hash           20480  1
nft_set_rbtree         16384  2
nf_tables_inet         16384  4
nf_tables_ipv6         16384  1 nf_tables_inet
nf_tables_ipv4         16384  1 nf_tables_inet

_________________
Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz
Back to top
View user's profile Send private message
spidark
Tux's lil' helper
Tux's lil' helper


Joined: 01 Sep 2011
Posts: 142

PostPosted: Tue Oct 09, 2018 7:10 pm    Post subject: Reply with quote

My Latest Toy :lol:
Used Anon-E-moose iptables-translate tip
Getting Better at it, and starting to understand those cryptic errors.


Code:
#! /bin/bash
#4TESTING j.i.c i need theInterface name, but its Laptop not a server.
#My_Wifi=`ip addr | grep ^3 | cut -c 3-8 | cut -d ' ' -f 2`

#FLUSH RULESET
nft flush ruleset

# CREATE FILTER TABLE
nft add table ip filter

# CHAIN POLICIES ! EVERY TRAFFIC DROPPED !
nft add chain ip filter input {' type filter hook input priority 0 ; policy drop;' }
nft add chain ip filter forward {' type filter hook forward priority 0 ; policy drop; '  }
nft add chain ip filter output {' type filter hook output priority 0 ; policy drop; ' }

nft add rule  ip filter input ip protocol tcp tcp flags \& \(fin\|syn\|rst\|ack\) == syn ct state new counter reject with tcp reset

#DROP INVALIDS AND LOG
nft add rule ip filter input ct state invalid log prefix \"Invalid Input Connection: \" counter drop

#ACCEPT RELATED ESTABLISHED
nft add rule ip filter input ct state related,established counter accept


#nft add rule ip filter input  udp dport 5060 notrack NEED FIX!!!

#DROP lo SPOOFED PACKAGES
nft add rule ip filter input oif != "lo" ip daddr 127.0.0.0/8 counter packets 0 log prefix \" Spoofed ! Lo Packets: \" drop

#ACCEPT LO
nft add rule ip filter input iifname lo counter accept

nft add rule ip filter input icmp type destination-unreachable counter accept
nft add rule ip filter input icmp type time-exceeded counter accept
nft add rule ip filter input icmp type parameter-problem counter accept

#DROP INVALID OUTGOING CONNECTIONS
nft add rule ip filter output  ct state invalid log prefix \"Invalid Output Connection:  \" counter drop


#DEBUG TRACE OPTION COOL NEW OPTION !!
#nft add rule ip filter output  tcp dport { domain, http, https, rsync, git } meta nftrace set 1 counter accept


#ALLOW TCP / DNS HTTP(s) SYNC and GIT
nft add rule ip filter output  tcp dport { domain, http, https, rsync, git } counter accept
nft add rule ip filter output  udp dport { domain } accept
#nft add rule ip filter output  udp dport 5060 notrack

#------------------------------------------------------------
#IPV6 RULES
#------------------------------------------------------------

#CREATE IPV6 FILTER TABLE
nft add table ip6 filter

#IPV6 CHAIN POLICIES ! EVERY TRAFFIC BLOCKED !
nft add chain ip6 filter input {' type filter hook input priority 0; policy drop;' }
nft add chain ip6 filter forward {' type filter hook forward priority 0; policy drop;' }
nft add chain ip6 filter output {' type filter hook output priority 0; policy accept;' }

#ACCEPT lo
nft add rule ip6 filter input iifname lo accept

#DROP INVALIDS AND LOG
nft add rule ip6 filter input ct state invalid log prefix \" IPV6 INVALID INPUT DROPPED: \" counter drop

nft add rule ip6 filter   input iifname != lo ip6 daddr ::1/128 counter drop
nft add rule ip6 filter input tcp  flags \& \(fin\|syn\|rst\|ack\) == syn ct state new counter reject with tcp reset
nft add rule ip6 filter input ct state {'established, related'} counter accept
nft add rule ip6 filter input ip6 nexthdr icmpv6 counter accept

# ALLOW IPV6 OUTGOING TRAFFIC ON Lo
nft add rule ip6 filter output iifname lo counter accept

#LET ME SEE THE RULESET
nft list ruleset

#SAVE THE RULESET j.i.c. I save it to the root Directory ( Root Has Guns )
nft list ruleset > /root/RULES_NFTABLES.txt

#SAVE THE DOT RULES FILE  IN /VAR/LIB SOMETHING?
rc-service nftables save


Off topic maybe, not sure, if it is, my bad. :oops:
I'm missing something in the rules above.
Did not have this with iptables only with nftables rules.
It hangs for a while, shutting down nftables, it runs ok without the warnings.
I'm guessing a rule here?
Do you Have this issue ?

Code:
* Running emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys from keyserver ...OpenPGP keyring refresh failed:
gpg: connecting dirmngr at '/run/user/0/gnupg/d.x7a4zbgncn4uyt8r4qcfw3ub/S.dirmngr' failed: IPC connect call failed
gpg: keyserver refresh failed: No dirmngr

_________________
Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Tue Oct 09, 2018 9:37 pm    Post subject: Reply with quote

spidark wrote:
My Latest Toy :lol:

mine too :) and i'm loving playing with it
i've migrated from iptables, except for minor niggles.

spidark wrote:
#DEBUG TRACE OPTION COOL NEW OPTION !!

cool, i haven't used it yet.

spidark wrote:
I'm missing something in the rules above.

it might be better looking at the nftables rules than these commands above. i had to rewrite them substantially, because i could combine multiple rules.

Looking at your translated iptables, i can see what you're missing from your initial rules you posted earlier in this thread. you need to add git to your @tcp_accepted set. that's why your sync wasn't working.

spidark wrote:
Did not have this with iptables only with nftables rules.
It hangs for a while, shutting down nftables, it runs ok without the warnings.
I'm guessing a rule here?
Do you Have this issue ?

no i have not had this issue with iptables or nftables. if it didn't spit any errors while feeding the ruleset, i have no issues during runtime.

spidark wrote:
Code:
* Running emerge --sync
>>> Syncing repository 'gentoo' into '/usr/portage'...
 * Using keys from /usr/share/openpgp-keys/gentoo-release.asc
 * Refreshing keys from keyserver ...OpenPGP keyring refresh failed:
gpg: connecting dirmngr at '/run/user/0/gnupg/d.x7a4zbgncn4uyt8r4qcfw3ub/S.dirmngr' failed: IPC connect call failed
gpg: keyserver refresh failed: No dirmngr

i don't remember seeing the openpgp messages during sync. i just did one to check. nope nothing.
i also do not have /usr/share/openpgp-keys directory.
do you have some special configuration?
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
spidark
Tux's lil' helper
Tux's lil' helper


Joined: 01 Sep 2011
Posts: 142

PostPosted: Tue Oct 09, 2018 11:18 pm    Post subject: Reply with quote

josephg wrote:

ido you have some special configuration?

Hi Josephg,
No nothing special there,
Maybe it has something to do with portage news, not sure.
Code:

[15]     2018-01-30  Portage rsync tree verification
[16]     2018-03-13  Portage rsync tree verification unstable


But it has been fixed
I changed my output policy from drop to accept and remove all of the output rules.
Code:

# CHAIN POLICIES ! EVERY TRAFFIC DROPPED !
nft add chain ip filter input {' type filter hook input priority 0 ; policy drop;' }
nft add chain ip filter forward {' type filter hook forward priority 0 ; policy drop; '  }
nft add chain ip filter output {' type filter hook output priority 0 ; policy accept; ' }

If i keep the drop policy , i need to change the ct state to new,related,established counter accept
which also fixes the IPC connect hang / error (emerge-sync).
Code:

nft add rule ip filter output  ct state new,related,established counter accept

Enjoying nftables so far :)
_________________
Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz
Back to top
View user's profile Send private message
josephg
l33t
l33t


Joined: 10 Jan 2016
Posts: 782
Location: usually offline

PostPosted: Tue Oct 09, 2018 11:53 pm    Post subject: Reply with quote

spidark wrote:
If i keep the drop policy , i need to change the ct state to new,related,established counter accept
which also fixes the IPC connect hang / error (emerge-sync).

you don't need related for output chain. "ct state established,new accept" should be sufficient, which is what i do. i keep the drop policy on all chains. oh and i don't use counter on every rule unless i want to see the stats for that particular rule. probably lessen some overload.
as i mentioned yesterday, you can't use the same rules for input and output. i also attempted to rewrite your ruleset for you. did you see?
_________________
"Growth for the sake of growth is the ideology of the cancer cell." Edward Abbey
Back to top
View user's profile Send private message
spidark
Tux's lil' helper
Tux's lil' helper


Joined: 01 Sep 2011
Posts: 142

PostPosted: Wed Oct 10, 2018 5:57 pm    Post subject: Reply with quote

josephg wrote:

you don't need related for output chain.

Fixed it. :lol:

josephg wrote:

oh and i don't use counter on every rule unless i want to see the stats for that particular rule.

Yes this i knew, but left it in for testing and stats purposes.

josephg wrote:

i also attempted to rewrite your ruleset for you. did you see?

Yes i did, and experimented with it, thanks for that Josephg.
_________________
Laptop HP Pavilion G6 2310-SD Intel(R) Core(TM) i7-3632QM CPU @ 2.20GHz
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Goto page Previous  1, 2
Page 2 of 2

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum