Questions tagged [nftables]

packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as consolidated replacement for existing {ip,ip6,arp,eb}tables frameworks

0 votes
1 answer
27 views

How to route all traffic going to specific address to localhost using nft?

I need to intercept traffic going to an external IP and reroute it to localhost. It's quite simple using iptables, but I could not understand how to make it work through nft. I create a table and chain inside ...
Asked by zealot
0 votes
2 answers
126 views

Trying to exclude traffic on specific interface from Mullvad vpn

I have an Ubuntu machine with one interface connected to the internet (through Mullvad). A RPi box is connected to another ethernet interface on my Ubuntu box. Connection works if Mullvad is turned ...
Asked by Nhfb9E
-1 votes
0 answers
29 views

Routing Issues with OpenVPN, Docker Compose, and NAT

I have been struggling for more than two days with this networking and Docker problem. I have the following setup: Server hilux: Has an OpenVPN server serving IPs in the range 10.160.0.0/16....
Asked by Ricardo Marimon
1 vote
1 answer
55 views

nftables: referencing a set from another table

With the following setup: #!/usr/sbin/nft -f add table ip filter add chain ip filter input { type filter hook input priority 0; } add set ip filter nat-group-1 { type ipv4_addr; } add set ip ...
Asked by Christopher Causer
0 votes
0 answers
31 views

How can nft block excessive 443 access?

I'm having a hard time configuring nft to fight floods on 443/TCP. I gave up on iptables and module recent, and now I'm testing nft with its man page sample code, as a lab. So, I'm sending all source ...
Asked by Gilberto Martins
0 votes
0 answers
13 views

nftables dynamic denylist not working

I'm trying to set up an nftables rule to add a source IP if that IP tries to connect multiple times via dport ssh. I'm new to nftables so I'm still trying to understand the proper way to create rules. This ...
Asked by Throdne
0 votes
2 answers
166 views

nftables: hairpin / loopback NAT with dynamic IP

I've a Debian 12 server (public IP 85.xxx.xxx.xxx at enp6s0) running a bunch of LXC containers on a network bridge cbr0. Since the public IP is dynamic I had to set up forward + prerouting rules with ...
Asked by TCB13
-1 votes
1 answer
103 views

nft accounting support: is this wiki example wrong?

The official nft wiki page's accounting example (look under 'nexthop'): nft add rule filter postrouting meter acct { rt nexthop timeout 600s counter } nft add rule ip6 filter postrouting meter acct { rt ...
Asked by ArrowInTree
1 vote
2 answers
225 views

How to use nft on linux bridge to block access to certain ip addr?

I have an Ubuntu box with a bridge br0 defined. The bridge has eth0 connected to the internet service and eth1 connected to the network port of a PC. The bridge is functioning as expected and passing ...
Asked by Michael
0 votes
0 answers
57 views

Nftables does not work as expected to block with meter

Goal: Account for excess packets whose rate source IP and destination port are greater than 200 packets per second, example: 1s to 2s: IP 1.1.1.1 to MyServer:80 [This happens 201 times in second 1] ...
Asked by Gabriel
0 votes
0 answers
74 views

TPROXY is not redirecting all traffic to a specified port

I'm writing a UDP transparent proxy in Rust; I'm using several crates: socket2 => Access to the creation of a RAW socket; nix::sys::socket => Access to all of the low level socket API calls; std::...
Asked by User582016482
1 vote
1 answer
61 views

Bash has problems with cmdline nft cmd vs script

Linux Mint. uname -r yields 5.15.0-56. dpkg-query -l bash yields 5.1.6ubuntu1. My script shows this problematic output when bash -x script is invoked: attrib =' '\''{type nat hook prerouting priority ...
Asked by ArrowInTree
0 votes
0 answers
41 views

SSL Certificates blocked by VPN?

I have a server that hosts a website delivered via https on port 443. The website is not directly open to the public internet, but traffic is routed via a VPN from an EC2 instance that has a public ...
Asked by vascowhite
2 votes
0 answers
64 views

DHCP unicast packets processing in Linux

I'm trying to catch and process (in a 3rd party analytics app) DHCP packets from an ERSPAN session, but cannot do this. There is a PHY interface which receives ERSPAN traffic and an erspan-type interface to get ...
Asked by Volodymyr Litovka
1 vote
1 answer
48 views

TCP Packet Loss in nftables nat chain

I am trying to connect to a Minecraft server but get a connection timeout when trying to connect, although the server is showing up as online in the Minecraft multiplayer screen. This question might seem out ...
Asked by leonard georg
0 votes
0 answers
242 views

Use nftables to set up IPv6 NAT to IPv4

I am working on setting up a number of EC2 instances with IPv6-only networking. A few of these servers require occasional access to IPv4-only resources controlled by third-parties. Amazon has a blog ...
Asked by Moshe Katz
0 votes
1 answer
97 views

nftables netdev rewrite - what am I doing wrong?

[EDITED] I'm receiving on physical interface ERSPAN-encapsulated traffic and need to process just a small part of it. In order to do this, I'm decapsulating traffic on local tunnel interface: ip link ...
Asked by Volodymyr Litovka
0 votes
1 answer
101 views

nftables masquerading is not working

I've a laptop (172.16.0.2) and a desktop PC (172.16.0.1). The phone is connected to the PC in USB modem mode, and it appears as the enp5s0f3u1 interface. I've set up masquerading through nftables so ...
Asked by BlitDev
0 votes
0 answers
75 views

nftables DNAT from external to internal interface and a different port where the web server is bound to, how?

There is a multihomed Ubuntu 22.04: internal 192.168.0.99/24, external 12.12.12.12/29 (for example), also acting as a gateway. All, including internet access from the server as well as from the LAN behind ...
Asked by CpServiceSPb
0 votes
0 answers
90 views

nftables Rules for ProxyChains-over-Tor

I am trying to configure nftables rules for ProxyChains-over-Tor, so that: My system --> Tor SOCKS5 proxy --> HTTP proxy --> Internet My system can only communicate with Tor SOCKS5 proxy Tor ...
Asked by user73q3277y23
0 votes
0 answers
49 views

Script to filter nginx logs and automatically run nftables

I have a domain served by nginx. nginx logs have this format: 178.128.120.151 - - [19/Jul/2023:20:27:25 +0200] "GET /favicon.ico HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT ...
Asked by somenxavier
0 votes
0 answers
167 views

nft Quality of Service (qos)

Is there any way to have QoS over nftables? I have a webserver and I want to restrict HTTP input traffic to a maximum of 90% of bandwidth. Is it possible? Nothing found in official ...
Asked by somenxavier
0 votes
0 answers
38 views

nftables: VM to VM Communication over Host IP

I have the following situation: A Debian Linux host with multiple VMs running on it. One VM is set up as a mail server. nftables on the host redirects the mail traffic from the world to the mail VM ...
Asked by jb_alvarado
0 votes
1 answer
41 views

Compare on-disk rules and in-memory rules (find the difference) for nftables

I want to check that rules were loaded (e.g. the ruleset in files is the same as in the kernel). I want to do it without modifying kernel rules. I can't compare files and nft list ruleset due to ordering, ...
Asked by George Shuklin
1 vote
1 answer
66 views

nftables chain priority not working

So I have two input chains, input and dyn which is dynamically generated. However the rules of dyn just don't work because of input. I've tried setting the priority of input to 1, and the dyn to 0 ...
Asked by Nikk
0 votes
0 answers
33 views

Configure network stack to consume data from TAP device, so that application can operate as if the data was intended to it

I have two devices communicating, A and B, over UDP. In between there is a tap device, where C is connected. In order for C to be able to receive the traffic it needs to set the same IP and MAC address ...
Asked by Aleksandarf
0 votes
0 answers
45 views

Redirect traffic in "sniff/tap?" mode to specific ip address(es), that is: rewrite destination headers to target other machine(s)

I have incoming traffic on eth1 (vlan id 201) which is emitted by another machine which is doing sudo tcpreplay -x 0.01 --loop=0 --intf1=eth12 Wireshark_bidirectional_data.pcap I would like to ...
Asked by Aleksandarf
0 votes
1 answer
50 views

nftables rules and rc.local

I have a problem like this. These are my iptables rules: sysctl net.ipv4.ip_forward=1 iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination (( my first server )) iptables -t nat -A ...
Asked by E M A
0 votes
1 answer
398 views

Debian 11 firewalld+nftables rules not taking effect

Update: after commenting out the line in /etc/hosts that is kinda like #127.0.1.1 my-host.domain.edu my-host and rebooting, the firewall does open the expected ports. I thought to do this because, ...
Asked by elliotta
1 vote
1 answer
249 views

Whitelist cgroup from wireguard VPN

I have a WireGuard VPN, set up and enabled through NetworkManager, called wg0. I want to allow a program to access the internet directly without going through the tunnel. For this I'm trying to match ...
Asked by Cimbali
1 vote
1 answer
443 views

nftables: Possible to block SYN packets with payload?

Is it possible to drop all TCP SYN packets with a payload using nftables? The man pages mention various length options, but none that I could get to work for TCP packets without syntax errors. I am ...
Asked by c44761
1 vote
1 answer
161 views

nftables: getting a per-port whitelist to work

Setup: Ubuntu 20.04, created a bridge "br0" with brctl, added three physical ports to it: enp10s0, enp7s0 and enp5s0. The desire: enp5s0 and enp7s0 should be able to talk to each other on ...
Asked by JamieB
2 votes
1 answer
189 views

nftables limit doesn't seem to work for some STUN requests

I'm setting up a server with coturn using only STUN (TURN is disabled). It seems that STUN UDP can be used for DDoS, so I'm trying to set nftables rules to make it harder, but the rules don't seem to ...
Asked by FurretUber
2 votes
1 answer
448 views

Understanding how jumping works in nftables

I am new to nftables. I have read a few docs and went through the main wiki page and I still don't understand how the DOCKER-USER chain works. Here is the table which was created by docker: table ip ...
Asked by Mitya
1 vote
1 answer
112 views

Packets dropped when the target addresses (mac and ip) are changed to own hosts interface

My host acts as a router and has two network interfaces, enp1s0 (1 host connected with IP 192.168.10.20) and enp2s0. enp1s0 is used to receive UDP packets and enp2s0 usually has the listening hosts ...
Asked by guenhter
2 votes
1 answer
273 views

nftables set of couples { IP/MAC address }

Is it possible to do something like this : set authorized { type ipv4_addr ether_addr flags constant elements = { { ipaddr: 192.168.1.xx, etheraddr: xx:xx:xx:xx:xx:xx }, ...
Asked by John Doe
0 votes
1 answer
266 views

Does nftables flowtable software/hardware offloading conflict with other nftables rules?

According to https://wiki.nftables.org/wiki-nftables/index.php/Flowtables, flowtables reside in the ingress hook. So, does that mean if a connection is picked up by the flowtable, it will not be ...
Asked by user762750
0 votes
0 answers
38 views

Why redirect works with the output hook but not with the prerouting hook

I'm playing around with nftables to gain more experience and have a pretty easy scenario: NAT the destination port 8080 to 8081 (not really useful but in the Lab it is good enough). This nft config ...
Asked by guenhter
0 votes
1 answer
106 views

How to redirect UDP packets targeted at another host to localhost

I want to sniff UDP packets targeted at port 4500 flowing from machine A -> B with a physical TAP device and receive the sniffed packets on machine C on a local port (see image). About the TAP ...
Asked by guenhter
2 votes
1 answer
2k views

How exactly is docker circumventing my nftables?

My aim is to block all ports from non-"lo" interfaces except for 22, 80, 443. I don't want external devices to be able to access anything else on my Raspberry Pi except for 22, 80, 443. I ...
Asked by dewijones92
1 vote
0 answers
144 views

Filtering traffic by MAC - nftables

TL;DR: I am building a network tap with a Raspberry Pi that must remain stealthy. I have a bridge (br0) between the switch interface (eth0) and the workstation (eth1). Here is how I am building it (...
Asked by m4ki3lf0
1 vote
1 answer
664 views

AlmaLinux 9/RHEL and nftables : Keep getting "type filter hook input priority filter" at chain

Good day to all! First of all, I have to say I'm a Linux novice and new to StackExchange, so I hope I'm asking my question the right way. I would like to use nftables as a firewall on a new AlmaLinux ...
Asked by HenkH
0 votes
1 answer
173 views

How to route certain traffic in OpenVPN from one client through another client?

Scenario ClientA (Windows 10) and ClientB (Raspberry Pi OS) are both connected via OpenVPN to ServerA (Debian 10) over the internet. The OpenVPN network is 10.0.0.0/24. Machine OpenVPN IP ServerA 10....
Asked by Matti vL
0 votes
0 answers
38 views

Is there a way to reset a counter in an nftables set?

I have a table with a set of ipv4_addr that has a counter for each element. I want to reset the counters after reading the packets counted, but from what I can tell there is no way to do this. Are set ...
Asked by user2404128
0 votes
0 answers
115 views

Nftables map expects IPv6 address, mapping expression has type integer

I need to change the destination address of an IPv6 packet depending on the payload of that packet. I'm using a raw payload expression to extract the encapsulated IPv6 address inside that packet and ...
Asked by Jakob
0 votes
0 answers
287 views

Drop first SYN packet with nftables

How can I drop the first SYN packet (or the first SYN/ACK reply) received by my server? I have a test VPS set up to capture and analyze malicious traffic directed to non-standard TCP ports, for ...
Asked by Stewart
0 votes
1 answer
583 views

nftables doesn't start && nftables.conf syntax error

This is my nftables.conf: #!/usr/bin/env nft -f flush ruleset define interface = "venet0" table inet filter { set tcp_ok { type inet_service } set udp_ok { type inet_service ...
Asked by MKDE
1 vote
4 answers
2k views

nftables firewall configuration on Rocky 9.1

I have installed K3s with Rancher on a Rocky 9.1 machine. According to the manual, firewalld must be turned off. To turn off firewalld, I performed: systemctl disable firewalld systemctl mask --now ...
Asked by user2780979
1 vote
1 answer
109 views

IPv6 port scanners hang after scanning a closed port

I am testing nftables firewall rules using two virtual machines, one with the active firewall and one that tries to connect to it. For example with netcat and no firewall: nc -6 fe80::9d08:b3e2:47fa:...
Asked by stmas
1 vote
0 answers
130 views

Assign outlet IP for a libvirt VM using routed network

My host network interface has two IPs. Currently, I'm running my VMs in a routed network. The host's network interface is a member of the public zone in firewalld, with both forward and masquerade enabled....
Asked by Yu Ling