Gentoo Forums
nftables not blocking an ip
Forum: Networking & Security
jhon987
Apprentice
Joined: 18 Nov 2013
Posts: 297

Posted: Mon May 16, 2022 2:45 pm    Post subject: nftables not blocking an ip

So I have a netdev table "filter" that is supposed to block certain IPs I put into a set inside it.
The set is defined as so:
Code:
set mail_ipv4 {
        type ipv4_addr
        flags dynamic
        elements = { ... }
}

One of the IPs inside that set is 167.248.133.63,
which I took from my mail server log.
The IP was put inside the set on 05-05-2022, and yet the log clearly shows:
Code:
May 16 07:51:24 localhost postfix/smtpd[24268]: connect from scanner-09.ch1.censys-scanner.com[167.248.133.63]

which means nft isn't blocking it, because it still managed to make a connection.

The nftables rule I use is:
Code:
chain ingress {
        type filter hook ingress device "enp1s4" priority -500; policy accept;
        ip saddr @mail_ipv4 counter packets 5869 bytes 310398 drop
        ....
}

Most of the IPs I block never seem to show up in the log again; this one, however, I can't seem to get rid of...
Does anyone know why?
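One way to check a situation like this one from the log side is to cross-reference the set's members against the peers that actually reached smtpd. The script below is an added example written for this thread, not code from the original post or from the nftables project. It assumes the JSON shape that `nft -j list set netdev filter mail_ipv4` prints (a `set` object with an `elem` list), and embeds a constructed copy of that output plus constructed log lines; the thread's own 167.248.133.63 line is included, and the peers 192.0.2.10 and 203.0.113.5 are made up. Any connection it reports came from an address the set holds, so the packets never traversed the chain that references the set; combined with the rule's `counter`, that narrows the question to where those packets entered (another interface, a different hook) rather than whether the element exists.

```python
"""Cross-check postfix/smtpd 'connect from' lines against an nftables set.

Added example for this thread (not the poster's code). It takes the JSON that
`nft -j list set netdev filter mail_ipv4` prints, collects the set's members,
then scans smtpd log lines and reports peers that are in the set yet still
connected: those packets were not dropped by the chain referencing the set.
"""
import ipaddress
import json
import re

# Constructed sample in the shape of nft's JSON output; the members are
# illustrative placeholders, not the poster's real list.
SAMPLE_NFT_JSON = json.dumps({
    "nftables": [
        {"metainfo": {"version": "1.0.2", "json_schema_version": 1}},
        {"set": {"family": "netdev", "name": "mail_ipv4", "table": "filter",
                 "type": "ipv4_addr", "handle": 1, "flags": ["dynamic"],
                 "elem": ["167.248.133.63", "192.0.2.10"]}},
    ]
})

# Constructed log: the thread's line plus made-up peers (RFC 5737 addresses).
SAMPLE_LOG = """\
May 16 07:51:24 localhost postfix/smtpd[24268]: connect from scanner-09.ch1.censys-scanner.com[167.248.133.63]
May 16 07:51:30 localhost postfix/smtpd[24268]: disconnect from scanner-09.ch1.censys-scanner.com[167.248.133.63] ehlo=1 quit=1 commands=2
May 16 08:02:11 localhost postfix/smtpd[24301]: connect from mail.example.net[203.0.113.5]
May 16 08:10:45 localhost postfix/smtpd[24333]: connect from unknown[192.0.2.10]
"""

# Matches only "connect from", not "disconnect from", because the literal
# ": connect from" must follow the smtpd pid field.
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"connect from \S+\[(?P<ip>[0-9.]+)\]"
)


def set_members(nft_json, table, name):
    """Return the IPv4 networks held by one named set in nft's JSON output.

    Plain elements become /32 networks. Two other element encodings nft uses
    are accepted as well, so the check generalises beyond the thread's set:
    {"prefix": {"addr", "len"}} from `flags interval` sets, and
    {"elem": {"val": ...}} wrappers that carry timeout/expiry metadata.
    """
    members = []
    for obj in json.loads(nft_json)["nftables"]:
        s = obj.get("set")
        if not s or s["table"] != table or s["name"] != name:
            continue
        for elem in s.get("elem", []):
            if isinstance(elem, dict) and "elem" in elem:
                elem = elem["elem"]["val"]          # unwrap timeout metadata
            if isinstance(elem, dict) and "prefix" in elem:
                p = elem["prefix"]
                members.append(ipaddress.ip_network(f"{p['addr']}/{p['len']}"))
            else:
                members.append(ipaddress.ip_network(f"{elem}/32"))
    return members


def smtpd_connections(log_text):
    """Yield (timestamp, ip_address) for every smtpd 'connect from' line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            yield m.group("ts"), ipaddress.ip_address(m.group("ip"))


def leaked_connections(nft_json, log_text, table="filter", name="mail_ipv4"):
    """Connections from peers the set should have dropped, as (ts, ip) tuples."""
    members = set_members(nft_json, table, name)
    return [
        (ts, str(ip))
        for ts, ip in smtpd_connections(log_text)
        if any(ip in net for net in members)
    ]


if __name__ == "__main__":
    for ts, ip in leaked_connections(SAMPLE_NFT_JSON, SAMPLE_LOG):
        print(f"{ts}  {ip} is in @mail_ipv4 but still connected")
```

On a real host the two inputs come from `nft -j list set netdev filter mail_ipv4` and the mail log; if the report is non-empty while `nft list chain netdev filter ingress` shows the rule's counter still rising, the set is working for some traffic and the reported peers are reaching smtpd by a path the ingress chain on that one device does not see.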
pa4wdh
l33t
Joined: 16 Dec 2005
Posts: 811

Posted: Mon May 16, 2022 5:30 pm

Based on the information you gave, the only thing I can think of is that it came in via another interface. Could that be possible? It is the only thing you specify next to the IP address.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world

My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
jhon987
Apprentice
Joined: 18 Nov 2013
Posts: 297

Posted: Tue May 17, 2022 7:41 am

pa4wdh wrote:
Based on the information you gave, the only thing I can think of is that it came in via another interface. Could that be possible? It is the only thing you specify next to the IP address.

I only have enp1s4 and lo, so I don't think so...
mimosinnet
l33t
Joined: 10 Aug 2006
Posts: 713
Location: Barcelona, Spain

Posted: Sat Jul 23, 2022 11:38 pm    Post subject: Re: nftables not blocking an ip

jhon987 wrote:
the ip was put inside the set on 05-05-2022, and yet the log clearly shows:
Code:
May 16 07:51:24 localhost postfix/smtpd[24268]: connect from scanner-09.ch1.censys-scanner.com[167.248.133.63]

most of the ips I block seem to never show up in the log again, however, this one for example, I can't seem to be able to get rid of...
Anyone knows why?

Could it be possible that the connection from 167.248.133.63 is through the UDP port? From Netfilter hooks, about the Ingress hook:

Quote:
So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.

_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved.
Take care of the community answering unanswered posts.
jhon987
Apprentice
Joined: 18 Nov 2013
Posts: 297

Posted: Fri Jul 29, 2022 10:13 am    Post subject: Re: nftables not blocking an ip

mimosinnet wrote:
jhon987 wrote:
the ip was put inside the set on 05-05-2022, and yet the log clearly shows:
Code:
May 16 07:51:24 localhost postfix/smtpd[24268]: connect from scanner-09.ch1.censys-scanner.com[167.248.133.63]

most of the ips I block seem to never show up in the log again, however, this one for example, I can't seem to be able to get rid of...
Anyone knows why?

Could it be possible that the connection from 167.248.133.63 is through the UDP port? From Netfilter hooks, about the Ingress hook:

Quote:
So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.

Thanks for the advice. I guess it's possible, though I wouldn't bet on it (but I'll test it anyway), because as I recall I started getting the same issues with iptables+ipset, which was the reason for my migration to nftables, and as far as I know there's no such limit with iptables...
Maybe it's a bug...

EDIT: BTW, I just noted:
"matching ip saddr and daddr works for all ip packets,.."
"udp dport works only for unfragmented packets"
As you can see, I don't use dport but saddr, so it should work anyway.

I don't know, I feel like it's a bug...