jhon987 Apprentice
Joined: 18 Nov 2013 Posts: 297
Posted: Mon May 16, 2022 2:45 pm Post subject: nftables not blocking an ip
So I have a table netdev filter that is supposed to block certain IPs I put into a set inside it.
The set is defined like so:
Code:
    set mail_ipv4 {
        type ipv4_addr
        flags dynamic
        elements = { ... }
    }
and one of the IPs inside that set is 167.248.133.63, which I took from my mail server log.
The IP was put inside the set on 05-05-2022, and yet the log clearly shows:
Code:
    May 16 07:51:24 localhost postfix/smtpd[24268]: connect from scanner-09.ch1.censys-scanner.com[167.248.133.63]
which means nft isn't blocking it, because it still managed to make a connection.
The nftables rule I use is:
Code:
    chain ingress {
        type filter hook ingress device "enp1s4" priority -500; policy accept;
        ip saddr @mail_ipv4 counter packets 5869 bytes 310398 drop
        ....
    }
Most of the IPs I block seem to never show up in the log again; however, this one, for example, I can't seem to get rid of...
Anyone know why?
pa4wdh l33t
Joined: 16 Dec 2005 Posts: 811
Posted: Mon May 16, 2022 5:30 pm Post subject:
Based on the information you gave, the only thing I can think of is that it came in via another interface. Could that be possible? It is the only thing you specify next to the IP address.
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
jhon987 Apprentice
Joined: 18 Nov 2013 Posts: 297
Posted: Tue May 17, 2022 7:41 am Post subject:
pa4wdh wrote:
    Based on the information you gave, the only thing I can think of is that it came in via another interface. Could that be possible? It is the only thing you specify next to the IP address.
I only have enp1s4 and lo, so I don't think so...
mimosinnet l33t
Joined: 10 Aug 2006 Posts: 713 Location: Barcelona, Spain
Posted: Sat Jul 23, 2022 11:38 pm Post subject: Re: nftables not blocking an ip
jhon987 wrote:
    the IP was put inside the set on 05-05-2022, and yet the log clearly shows:
    Code:
        May 16 07:51:24 localhost postfix/smtpd[24268]: connect from scanner-09.ch1.censys-scanner.com[167.248.133.63]
    most of the IPs I block seem to never show up in the log again; however, this one, for example, I can't seem to get rid of...
    Anyone know why?
Could it be possible that the connection from 167.248.133.63 is through the UDP port? From Netfilter hooks, about the Ingress hook:
Quote:
    So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.
_________________
Please add [solved] to the initial post's subject line if you feel your problem is resolved.
Take care of the community answering unanswered posts.
jhon987 Apprentice
Joined: 18 Nov 2013 Posts: 297
Posted: Fri Jul 29, 2022 10:13 am Post subject: Re: nftables not blocking an ip
mimosinnet wrote:
    jhon987 wrote:
        the IP was put inside the set on 05-05-2022, and yet the log clearly shows:
        Code:
            May 16 07:51:24 localhost postfix/smtpd[24268]: connect from scanner-09.ch1.censys-scanner.com[167.248.133.63]
        most of the IPs I block seem to never show up in the log again; however, this one, for example, I can't seem to get rid of...
        Anyone know why?
    Could it be possible that the connection from 167.248.133.63 is through the UDP port? From Netfilter hooks, about the Ingress hook:
    Quote:
        So, for example, matching ip saddr and daddr works for all ip packets, but matching L4 headers like udp dport works only for unfragmented packets, or the first fragment.
Thanks for the advice. I guess it's possible, though I wouldn't bet on it (but I'll test it anyway), because as I recall I started getting the same issues with iptables+ipset, which was the reason for my migration to nftables, and as far as I know there's no such limit with iptables...
Maybe it's a bug...
EDIT: BTW, I just noted:
"matching ip saddr and daddr works for all ip packets,.."
"udp dport works only for unfragmented packets"
As you can see, I don't use dport but saddr, so it should work anyway.
I don't know, I feel like it's a bug...
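Added example, not code from the thread or from the nftables project: before concluding the kernel is misbehaving, a defender would confirm three things from the live ruleset, that the address is actually an element of the set, which interface the netdev chain is bound to, and whether the drop rule's counter is moving. The script below does that over the JSON of "nft -j list ruleset"; the sample ruleset is constructed to mirror the first post, and the JSON layout is an assumption based on the libnftables schema.

```python
import json
import ipaddress

# Constructed `nft -j list ruleset` output (sample, not from the thread), shaped
# like the netdev set and ingress chain in the first post. Its layout follows the
# libnftables JSON schema as this example's author understands it.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"set": {"family": "netdev", "table": "filter", "name": "mail_ipv4",
             "type": "ipv4_addr", "flags": ["dynamic"],
             "elem": ["167.248.133.63",
                      {"elem": {"val": "198.51.100.7", "expires": 120}}]}},
    {"chain": {"family": "netdev", "table": "filter", "name": "ingress",
               "type": "filter", "hook": "ingress", "dev": "enp1s4",
               "prio": -500, "policy": "accept"}},
    {"rule": {"family": "netdev", "table": "filter", "chain": "ingress",
              "expr": [{"match": {"op": "==", "right": "@mail_ipv4",
                                  "left": {"payload": {"protocol": "ip",
                                                       "field": "saddr"}}}},
                       {"counter": {"packets": 5869, "bytes": 310398}},
                       {"drop": None}]}}]})


def objects(ruleset, kind, **keys):
    """Top-level objects of one kind ('set', 'chain', 'rule') whose
    attributes match every given key, e.g. table="filter"."""
    return [o[kind] for o in ruleset["nftables"]
            if kind in o and all(o[kind].get(k) == v for k, v in keys.items())]


def check_block(ruleset_json, ip, table="filter", set_name="mail_ipv4",
                chain="ingress"):
    """Three facts to confirm before suspecting a kernel bug: is the address
    really an element of the set, which device is the ingress chain bound to,
    and how many packets has the set-based drop rule counted."""
    rs = json.loads(ruleset_json)
    addr = ipaddress.ip_address(ip)
    in_set = False
    for s in objects(rs, "set", table=table, name=set_name):
        for e in s.get("elem", []):
            # entries carrying a timeout/expiry are wrapped as {"elem": {...}}
            val = e["elem"]["val"] if isinstance(e, dict) else e
            in_set |= ipaddress.ip_address(val) == addr
    dev = next((c.get("dev") for c in objects(rs, "chain", table=table,
                                              name=chain)), None)
    packets = None
    for r in objects(rs, "rule", table=table, chain=chain):
        exprs = r["expr"]
        if (any(x.get("match", {}).get("right") == "@" + set_name for x in exprs)
                and any("drop" in x for x in exprs)):
            packets = next((x["counter"]["packets"] for x in exprs
                            if "counter" in x), None)
    return {"in_set": in_set, "chain_dev": dev, "drop_packets": packets}
```

Run it twice a few minutes apart against real output: if in_set is true, chain_dev is the interface the mail traffic arrives on, and drop_packets does not grow while the scanner keeps connecting, the packets are reaching postfix without traversing that hook.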