eeckwrk99 Apprentice
Joined: 14 Mar 2021 Posts: 167 Location: Gentoo forums
Posted: Tue Apr 30, 2024 1:57 pm Post subject: From iptables to nftables - how to delete rules |
I'm using a program that can be configured to use either iptables or nftables. I've been using iptables but now I'd like to switch to nftables.
When running, the program sets some rules. Some of these rules prevent my virtual machines (QEMU/KVM with virt-manager, using NAT) from having any Internet traffic.
Said rules (with iptables):
Code:
# iptables-legacy -L -n -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[...] some "ACCEPT" rules
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[...] some "ACCEPT" rules
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
[...] some "ACCEPT" rules
    0     0 DROP       0    --  *      *       0.0.0.0/0            0.0.0.0/0
I manually delete these "DROP" rules whenever I need to use a virtual machine. However, I'm having trouble doing the same thing with nftables:
Code:
# nft -a list ruleset
table ip filter { # handle 99
    chain INPUT { # handle 1
        type filter hook input priority filter; policy drop;
        [...] - some "accept" rules
        counter packets 0 bytes 0 drop # handle 11
    }

    chain FORWARD { # handle 2
        type filter hook forward priority filter; policy drop;
        [...] - some "accept" rules
        counter packets 0 bytes 0 drop # handle 13
    }

    chain OUTPUT { # handle 3
        type filter hook output priority filter; policy drop;
        [...] - some "accept" rules
        counter packets 0 bytes 0 drop # handle 38
    }
}
These "counter" rules are the only ones listed containing "drop", all the others contain "accept".
Quoting nftables Wiki:
nftables Wiki wrote: policy is the default verdict statement to control the flow in the base chain. Possible values are: accept (default) and drop. Warning: Setting the policy to drop discards all packets that have not been accepted by the ruleset.
It seems that "policy drop" already implies that anything not listed as "accept" is blocked, so I guess I cannot delete "drop" rules just like with iptables since they're not listed.
Any suggestion on how to proceed? Should I add "accept" rules for each chain instead?
Thanks.
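As an added example that is not part of the thread: the `nft -a` listing above shows every rule with its own handle, including the trailing `counter ... drop` line of each chain, and a handle is what `nft delete rule` takes. The script below extracts those handles from a constructed copy of that listing (handles 11, 13 and 38 as in the question; the `ct state` accept line is filler) and prints the corresponding delete commands.

```shell
#!/bin/sh
# Added example, not from the thread: list the handle of every "drop" rule in an
# "nft -a list ruleset" listing and print the matching "nft delete rule" command.
# RULESET is a constructed copy of the thread's listing (handles 11, 13, 38);
# the "ct state" accept line is filler standing in for the program's accept rules.
RULESET='table ip filter { # handle 99
    chain INPUT { # handle 1
        type filter hook input priority filter; policy drop;
        ct state established,related accept # handle 5
        counter packets 0 bytes 0 drop # handle 11
    }
    chain FORWARD { # handle 2
        type filter hook forward priority filter; policy drop;
        counter packets 0 bytes 0 drop # handle 13
    }
    chain OUTPUT { # handle 3
        type filter hook output priority filter; policy drop;
        counter packets 0 bytes 0 drop # handle 38
    }
}'

# Read a ruleset listing on stdin and print "family table chain handle" for
# each rule whose verdict is drop. The enclosing table and chain names are
# remembered from their opening lines; "policy drop;" carries no handle, so
# the chain header line never matches.
drop_rule_handles() {
    awk '
        /^table /       { family = $2; table = $3 }
        /^[ \t]*chain / { chain = $2 }
        /drop # handle [0-9]+$/ { print family, table, chain, $NF }
    '
}

# Turn each handle into the command that removes that rule (printed, not run,
# so the list can be reviewed before touching the live ruleset as root).
delete_commands() {
    drop_rule_handles | while read -r family table chain handle; do
        printf 'nft delete rule %s %s %s handle %s\n' \
            "$family" "$table" "$chain" "$handle"
    done
}

printf '%s\n' "$RULESET" | delete_commands
# Against the live firewall: nft -a list ruleset | delete_commands
```

Handles are reassigned whenever the program recreates its rules, so list the ruleset again after each launch instead of reusing old numbers.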
pietinger Moderator
Joined: 17 Oct 2006 Posts: 4300 Location: Bavaria
Posted: Tue Apr 30, 2024 3:07 pm Post subject: |
Normally, a firewall works in such a way that everything that has not been expressly permitted is prohibited. (There are some special situations where you allow everything and only forbid some things, but forget that right away).
There is a POLICY in iptables AND nftables - and - there are DROP rules in iptables and nftables. Please do not confuse the two.
Now the question arises why you need a DROP rule if the policy already drops everything that was not previously allowed. A sensible use is, for example, if you want to know HOW MANY packets were dropped due to a special DROP rule.
But I don't understand your problem right now, because YOU have a standard DROP policy in both rulesets ...
In general, however, I would recommend simply logging all DROPS and then checking the message log to see where you still need to allow something.
https://wiki.gentoo.org/wiki/User:Pietinger
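One way to follow the logging advice above, as an added example that is not from the thread: append a logging rule to the end of each base chain so that everything the drop policy is about to discard is written to the kernel log, then summarise those lines by chain and flow. The table and chain names are the ones from the listing in the question; the `nft-drop-<CHAIN>: ` prefix and the sample log lines are constructed here.

```shell
#!/bin/sh
# Added example, not from the thread: log what the drop policy discards and
# summarise the kernel log to see which flows still need an accept rule.
# Table/chain names follow the listing in the question; the "nft-drop-<CHAIN>: "
# prefix and the sample log lines are constructed (trimmed to the useful fields).

# Print the commands that append a log+counter+drop rule at the end of each base
# chain (printed, not executed). A packet reaching the end of a chain is exactly
# one the policy would drop, so the rule logs and counts nothing else.
log_rule_commands() {
    for chain in INPUT FORWARD OUTPUT; do
        printf 'nft add rule ip filter %s log prefix "nft-drop-%s: " counter drop\n' \
            "$chain" "$chain"
    done
}

SAMPLE_LOG='kernel: nft-drop-FORWARD: IN=virbr0 OUT=eth0 SRC=192.168.122.10 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=443
kernel: nft-drop-FORWARD: IN=virbr0 OUT=eth0 SRC=192.168.122.10 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=443
kernel: nft-drop-FORWARD: IN=virbr0 OUT=eth0 SRC=192.168.122.10 DST=203.0.113.9 PROTO=UDP SPT=40000 DPT=53
kernel: nft-drop-INPUT: IN=virbr0 OUT= SRC=192.168.122.10 DST=192.168.122.1 PROTO=UDP SPT=51000 DPT=53'

# Read log lines on stdin and print "chain in out proto dport count", one line
# per distinct dropped flow, so the missing accept rules can be read off directly.
summarise_drops() {
    awk '
        match($0, /nft-drop-[A-Z]+:/) {
            chain = substr($0, RSTART + 9, RLENGTH - 10)
            in_if = out_if = proto = dport = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "IN" && kv[2] != "")  in_if = kv[2]
                if (kv[1] == "OUT" && kv[2] != "") out_if = kv[2]
                if (kv[1] == "PROTO") proto = kv[2]
                if (kv[1] == "DPT")   dport = kv[2]
            }
            count[chain " " in_if " " out_if " " proto " " dport]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

log_rule_commands
printf '%s\n' "$SAMPLE_LOG" | summarise_drops
```

The summary for the sample shows the VM bridge traffic (virbr0 to eth0, TCP 443 and UDP 53) being dropped in FORWARD, which is where the accept rules for NAT guests would then go.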
Hu Administrator
Joined: 06 Mar 2007 Posts: 21761
Posted: Tue Apr 30, 2024 3:29 pm Post subject: |
Perhaps it would also be useful to configure this unidentified program not to write rules that conflict with other uses of the machine. Either make it add rules that keep the VM working, or prohibit it adding rules that break the VM.
eeckwrk99 Apprentice
Joined: 14 Mar 2021 Posts: 167 Location: Gentoo forums
Posted: Tue Apr 30, 2024 5:11 pm Post subject: |
pietinger wrote: There is a POLICY in iptables AND nftables - and - there are DROP rules in iptables and nftables. Please do not confuse the two.
I think the program sets the exact same rules regardless of whether iptables or nftables is used. At least, the "accept" rules look identical (with different syntax, of course). While I can see the "drop" policy for both tools in the relevant chains, I can only see the drop rules for iptables, not nftables.
pietinger wrote: Now the question arises why you need a DROP rule if the policy already drops everything that was not previously allowed. But I don't understand your problem right now, because YOU have a standard DROP policy in both rule works ...
Indeed, seeing "DROP" rules with iptables doesn't make sense considering the policy for all chains is set to "DROP". But still, they're present. And they're not with nftables.
Hu wrote: Perhaps it would also be useful to configure this unidentified program not to write rules that conflict with other uses of the machine. Either make it add rules that keep the VM working, or prohibit it adding rules that break the VM.
Maybe I should've mentioned that I have no control over what the program does regarding the initial creation of rules. I can only add new ones or remove some of them once it's launched. All I know is that when using iptables, I have to remove these DROP rules for the three chains (INPUT, FORWARD, OUTPUT) to get Internet traffic with my VMs, else it wouldn't work. I'm now trying to do this with nftables instead, but I cannot see the equivalent "DROP" rules listed, they're just not listed.