iptables + ipset to nftables ?

Message

jhon987 · Post by **jhon987** » Sat Nov 20, 2021 10:13 am

Can someone please direct me how can I create a match-set to certain ports in nftables?
in iptables i use the following:

Code: Select all

-A INPUT -p tcp -m multiport --dports 25,143,465,587,993 -m set --match-set mail src -j DROP

and then i have an ipset list for all the ips I want to drop...

how can I achieve the same result with nftables?
P.S. I've created a netdev table called filter in nftables as I understand that it's the fastest way to filter large amounts of ips (https://blog.cloudflare.com/how-to-drop ... n-packets/), as I understand, it should support both ipv4 and ipv6.

pa4wdh · Post by **pa4wdh** » Sat Nov 20, 2021 11:57 am

Hi jhon987,

I think this does what you want:

Code: Select all

table inet firewall {
        set mail_ipv4 {
                type ipv4_addr
                flags dynamic
        }

        set mail_ipv6 {
                type ipv6_addr
                flags dynamic
        }

        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport { 25, 143, 465, 587, 993 } ip saddr @mail_ipv4 counter drop
                tcp dport { 25, 143, 465, 587, 993 } ip6 saddr @mail_ipv6 counter drop
        }
}

You can save this in a file and use nft -f to load it.
This first defines two sets, one for IPv4 and one for IPv6. The rules in the input chain check for source addresses in those sets. Because the table type is inet you can mix IPv4 and IPv6 there.

To add addresses to the sets use:

Code: Select all

nft add element inet firewall mail_ipv4 { x.x.x.x }
nft add element inet firewall mail_ipv6 { xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx }

jhon987 · Post by **jhon987** » Sat Nov 20, 2021 3:14 pm

pa4wdh wrote:Hi jhon987,

thank U very much. thanks to you i figured how to do it with netdev as well...
for reference:
I placed a file under /etc/nftables/mail.conf

Code: Select all

#! /sbin/nft -f

table netdev filter {
        set mail_ipv4 {
                type ipv4_addr
                flags dynamic
        }

        set mail_ipv6 {
                type ipv6_addr
                flags dynamic
        }

        chain ingress {
                type filter hook ingress device enp0s3 priority -500; policy accept;
                tcp dport { 25, 143, 465, 587, 993 } ip saddr @mail_ipv4 counter drop
                tcp dport { 25, 143, 465, 587, 993 } ip6 saddr @mail_ipv6 counter drop
        }
}

the device name can be found by ifconfig.
in terminal I issued nft -f /etc/nftables/mail.conf