Questions tagged [nftables]
64 questions
5 votes, 1 answer, 4k views
Match IPv6 protocol using nftables
In nftables I can use the following rule to match IPv4 UDP DNS packets.
ip protocol udp udp dport 53 accept
but IPv6 variant
ip6 protocol udp udp dport 53 accept
fails and nftables says
v0001.nft:39:5-...
5 votes, 1 answer, 2k views
How does one create nftables rule that accepts connections from the same IPv6 subnet, when the IPv6 prefix is dynamic?
For IPv4, it is easy to create a rule that only accepts connections from hosts of the same subnet, for example (assuming my computer is 192.168.42.2, and the incoming connection is 192.168.42.20):
...
5 votes, 1 answer, 4k views
iptables / nftables: Forward UDP data to multiple targets
I need to create iptables rules for the following scenario:
Different hosts send UDP data to host A. The target port is 1234.
Host A (8.2.3.4) redirects the received UDP data to hosts B1 (7.2.3.1), ...
4 votes, 1 answer, 1k views
nftables: How to stop further chain traversal after accept verdict
Context : https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet ...
3 votes, 1 answer, 587 views
What is the default verdict for nftables rule?
For example:
#!/usr/sbin/nft -f
add table ip filter_4
add chain ip filter_4 input {
type filter hook input priority filter; policy drop;
}
add chain ip filter_4 new_in_4 {
comment "New ...
3 votes, 2 answers, 9k views
Making routing decisions based on UID using nftables
I am trying to route packets based on the uid of the originating process.
I know that PREROUTING is not hit for outgoing packets. In iptables there was a MANGLE table where you could place those ...
3 votes, 1 answer, 2k views
nftables: How to get BROUTING behavior like ebtables legacy?
In ebtables, BROUTING chain in broute table has special behaviors for ACCEPT and DROP actions: ACCEPT means bridging/forward path and DROP means routing/input path. For example, to force all non-IPv6 ...
3 votes, 1 answer, 660 views
Linux: only allow outgoing connections to specific domains
I have a CentOS server and only want to allow outgoing connections to specific domains. (allowlist) My thought was to have a DNS proxy which adds the allowed ips (only ipv4 needed) to nftable named ...
2 votes, 1 answer, 972 views
How to redirect traffic from container A to container B when using the address of the external interface
Following a short/simplified diagram of my setup (sorry for the title):
Internet ----- eth0 (1.2.3.4) --- br0 (10.0.0.1)
|
+---------------+-...
2 votes, 1 answer, 2k views
How do I make a stateful bridge firewall with nftables?
The nftables wiki has an example, but it doesn't seem to work for me.
The page says that it should work since kernel 5.3, but it says "protocol error" when I try the exact commands from the ...
2 votes, 1 answer, 2k views
nftables filter port scan
In order to ease my pain filtering dropped packets from logs I figured I'll filter out port scans "first" and log them separately.
However I can't seem to find any documentation on how to do ...
2 votes, 1 answer, 393 views
Accept ip connections from address and port with already established connections
I have put in place a solution to open temporarily a port based on nft:
# create the nft set
nft add set ip filter SSHallowed { type ipv4_addr\; timeout 2m \;}
# add the rule to the table
nft insert ...
2 votes, 0 answers, 2k views
Should I allow IGMP traffic on my workstation, home server or a hosted VPS?
I'm new to firewall configuration and I've been reading some theory and studying example configurations. One thing that I noticed is that many of those examples allow IGMP packets.
The Wikipedia ...
2 votes, 0 answers, 196 views
Safe rule applying remotely using NFT
If you have experience, could you please advise how to safely apply firewall rules remotely on Linux using nft?
Particularly on Debian, we used for a long time iptables-apply(8) to safely apply ...
2 votes, 0 answers, 1k views
Blocking DHCP between two bridged home networks using nft
So my setup is as follows. I have two home networks and a server standing elsewhere. I'm running OpenVPN as a server, on the server to connect the two home networks into a single big network. Because ...
1 vote, 2 answers, 4k views
Nftables DNAT doesn't seem to be working
I am trying to set up a DNAT on my new centos 8 using nftables. This utility (and centos 8) is new to me, I've been using iptables (centos through 6) for ages.
My assumption is that I did not set up ...
1 vote, 1 answer, 16 views
nftables does not catch a packet it has already seen
I set up a segmented local network, where each segment is VLAN'ed and the switch at the root of all VLANs also acts as router between all IP segments/VLAN (the switch is the Dell S4810 Running DNOS 9....
1 vote, 1 answer, 304 views
Linux conntrack not seeing multicast responses as part of the same flow
My tv (192.168.1.48) is multicasting an SSDP packet (to 239.255.255.250:1900), and on my server (192.168.1.17), by running smcroute and doing some packet mangling to increase the IP TTL of this ...
1 vote, 1 answer, 1k views
How to allow traffic over VPN across namespaces using nftables
I have a wireguard interface configured in a dedicated namespace vpn. It is configured first creating the interface in the main namespace (that has access to the physical interface routing to the ...
1 vote, 2 answers, 387 views
Nftables firewall rule hex value 0x1fff changed to decimal 8191
I started the process of migrating into nftables, just noticed that while I add this rule
add rule netdev filter INGRESS ip frag-off & 0x1fff != 0 counter drop
should look like this in nftables....
1 vote, 1 answer, 1k views
multihomed inbound natting using nftables
I have a multihomed router with two external IPs. I would like to NAT incoming connections from both IPs to the same internal IP.
What I have so far
$ ip rule show
0: from all lookup local
32761: ...
1 vote, 1 answer, 119 views
Masquerading traffic with non-default routing table
I have a network set up as follows:
┌──────┬────────┐ ┌───────────┐
│ │ eno1.1 │ │ Network A │
│ │ ├─┤ │
┌────...
1 vote, 1 answer, 51 views
Do forward, but deny direct incoming connections
VM = Virtual Machine.
WS = Workstation VM.
GW = Gateway VM.
Virtualization software: Oracle VirtualBox.
Host/Guest OSes: all Debian 12.
Firewall software: nftables
Goal
Whonix-like setup. WS sits ...
1 vote, 0 answers, 384 views
redirect local requests to ip to other ip (linux - e.g. debian >= 10)
I want all requests to a certain IP:port on machine A itself (for a current or rather 10/11/12) to go to another IP = machine B, so that requests from processes on machine A are forwarded to machine ...
1 vote, 1 answer, 750 views
How to bypass the vpn tunnel for a single docker container using nftables?
I am trying to come up with a solution to bypass the vpn tunnel in the incoming and outgoing docker container.
The VPN I'm using is Mullvad VPN and in the split tunneling section they have addressed ...
1 vote, 1 answer, 374 views
nftables, dnat in output chain appears to be done after routing
I have an EC2 instance and an application that requires to send to the EIP from within the instance.
I am trying to configure a dnat on the output chain so that the packets don't go out to the internet ...
1 vote, 1 answer, 2k views
How to ban <SUBNET> with fail2ban and nftables
I have Debian 10, Fail2Ban v0.10.6 with iptables and my filter with <SUBNET> works. Now I have Ubuntu 22.04, Fail2Ban v0.11.2 and I try to make it work with nftables. I added only jail.local ...
1 vote, 0 answers, 3k views
How to stop the sending of ICMP timestamps replies and requests?
Woo, progress! Updated below! I've been all over the internet looking for an answer to this one. I am using a Raspberry Pi running Raspbian Debian 11. The problem seems rather simple, just blocking ...
1 vote, 0 answers, 2k views
iptables to nftables for iKEv2 IPSEC VPN server
Can someone please help in converting the below iptable rules to equivalent nftables rules?
I have already tried to use iptables-translate, but it is not translating all of my rules...
# accept ports ...
1 vote, 0 answers, 788 views
500 Server Error: Internal Server Error with Kathara, Docker and iptables/nftables
I want to use Kathara via "kathara lstart" but I get a 500 Server Error: Internal Server Error and I don't understand why. I'm using Docker (Preview version for Apple M1). I don't know if ...
1 vote, 1 answer, 4k views
How do I install iptables-translate?
I'm on a CentOS 7 machine. I'd like to try the use of nftables. Many sites reference iptables-translate as a helpful tool for translating from iptables to nftables rules. I've installed the nftables....
1 vote, 1 answer, 7k views
Wireguard server and client are able to ping each other but wireguard clients are unable to ping each other
I am setting up a Wireguard configuration where I have the following entities:
Remote VM instance on hosts such as google cloud or amazon aws. This
is a remote client to my wireguard server. Let's ...
1 vote, 0 answers, 2k views
How to write an nftables snat rule?
Set-up:
Linux (tried on LEDE, OpenWrt, Ubuntu 16)
iptables disabled (kernel modules unloaded)
nftables (tried v. 0.8, 0.8.2)
chains and NAT are created according to official nftables wiki:
% nft add ...
0 votes, 1 answer, 292 views
Need help using nftables to drop SNMP packets containing a specific community string
I am trying to use nftables [v1.0.2 (Lester Gooch)] to drop SNMP packets containing the community string 'pawan'. I am trying to use the nftables payload expressions - raw payload expression to match ...
0 votes, 2 answers, 89 views
What determines if a packet should be routed locally or forwarded?
As seen in the diagram, when the Linux kernel receives a packet, it goes through the prerouting chain, and then a routing decision is made on whether to forward it to somewhere else or deliver it to a ...
0 votes, 1 answer, 1k views
Configuring nftable firewall for one way packet traffic
Hello, I'm a beginner in configuring firewalls, but what I want to do is to allow host a (10.1.0.2) to send packets to host b (10.12.0.10) but so that b cannot send packets to a. Both machines are ...
0 votes, 1 answer, 516 views
nftables: isolate VLANs with some exceptions
Say there is a custom router (a Raspberry Pi box) with Debian 11 and nftables installed, with a single physical Ethernet interface and the following VLANs configured:
eth0.501 192.168.41.0/24 CCTV ...
0 votes, 1 answer, 1k views
Translate WireGuard config from iptables to nft
I was installing WireGuard on a fresh Raspberry Pi OS image and wanted to move the server config from another device onto this. But bringing up the interface said it can't find the iptables command. ...
0 votes, 1 answer, 436 views
nftables on Debian: router advertisements are not processed
I want to filter IPv6 packets on a Debian host using nftables. In the "table ip6 filter" section in "chain input" I use icmpv6 type {echo-request,nd-neighbor-solicit,nd-router-...
0 votes, 0 answers, 142 views
How to redirect requests to remote machine to localhost using nftables?
I have the following nftables configuration:
[root@localhost andrew]# nft list ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip ...
0 votes, 0 answers, 261 views
Full Cone NAT debian nftables
I have a Debian router, and I'd like to set up Full Cone NAT.
I'm using nftables and miniupnpd.
My current config (Restricted Cone NAT):
table inet nat {
chain postrouting {
type nat hook ...
0 votes, 1 answer, 436 views
Adding regular chain to nftables "Operation not supported"
Syntax to add regular chain to nftables is:
add chain [family] <table_name> <chain_name> [{ [policy <policy> ;] [comment "text comment about this chain" ;] }]
I run the ...
0 votes, 0 answers, 87 views
nftables config for ipsec (strongswan) vpn
I have got a working IPSec connection between a device (raspberry) on the remote side (10.X.117.0/24 network) and the local network (10.Y.0.0/16 network).
The raspberry has a static 10.X.117.1 IP on its ...
0 votes, 1 answer, 267 views
Internet connection active only after restart of nftables
I configured a DIY Debian-based router without DHCP and DNS server.
MY PROBLEM:
When I switch on the router and the system boots, the Internet connection on clients becomes available for 4-5 seconds (...
0 votes, 1 answer, 368 views
DIY minimal install debian nftables routing not working
I'm trying to build a router on Debian OS and PC-hardware with several network interfaces.
Installed minimal debian-12.2.0-amd64 and trying to implement routing between init7_WAN and Carbon_LAN.
But I ...
0 votes, 1 answer, 93 views
How do I get data from weather.gov through my nftables firewall?
I'm writing a python script that grabs data from weather.gov (the NDFD SOAP service and current observations XML) to draw a screensaver picture. The script works on my regular computer but not on my ...
0 votes, 0 answers, 665 views
Using iptables-nft/ebtables-nft to intercept specific forwarded/bridged IP packets on a bridge and redirect them to the bridge device itself
With a bridge br0 using eth0 and wlan0 as bridge ports, formerly one could intercept packets arriving on a bridge port with iptables -t mangle -A PREROUTING -m physdev --physdev-in wlan0 --protocol ...
0 votes, 0 answers, 57 views
Forwarded packet seemingly skipping POSTROUTING rules
I have a very simple Wireguard configuration. Clients are assigned 10.7.0.0/24 addresses, traffic is forwarded out the primary interface, finally the packets are SNAT'd out of the primary interface on '...
0 votes, 1 answer, 54 views
nft_pipapo_avx2_scratch_index shows up on all my perf recordings
I'm investigating a performance issue on my Ubuntu 22.04.2 LTS machine. I take the following steps:
sudo perf record -g -F max -s --call-graph dwarf -e cycles -e sched:sched_switch --switch-events --...
0 votes, 1 answer, 250 views
nftables: usage ct label set in
Using it in stateful mode, I collect information about the amount of packages/bytes from the rules and do not create the rules for returning packages because they are accepted based on the states stored ...