
Re: new to nft


Pascal Hambourg

Jan 13, 2021, 2:20:03 PM
On 13/01/2021 at 17:40, François Patte wrote:
>
> I begin to use nftables and wrote these rules:
>     chain input { # handle 1
>         type filter hook input priority 0; policy drop;
>         ct state established,related accept # handle 4
>         ip saddr 192.168.1.0/24 accept # handle 5
>         ip6 saddr fe80::/10 accept # handle 6
>         ct state invalid drop # handle 7
>         iifname "lo" accept # handle 8
>         tcp dport 22222 accept # handle 9
>         log # handle 10
>     }
>
> I expect to block all traffic from anywhere except on the local network
> (192.168.1.0/24)

"on the local network" does not make any sense, and this ruleset fails
to drop all traffic from anywhere but 192.168.1.0/24:

ct state established,related accept # handle 4

accepts traffic from any address, and

iifname "lo" accept # handle 8

accepts traffic from 127.0.0.0/8 and any local (host) address.

> Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

No. 192.168.1.0/24 is a private prefix. Addresses can be configured by
any conventional method (static, DHCP...). They are routable.

fe80::/10 is the link local prefix. Addresses are automatically assigned
by the kernel itself. They are not routable.

> The last line "log" is (for me) supposed to log all dropped packets, am
> I right?

No. It does not log packets already dropped by

ct state invalid drop # handle 7

> For this last line, logwatch reports "logged packets on interface".
> logwatch with iptables reports "drop packets on the interface"

I wonder how logwatch knows the logged packets are dropped.

> Are these packets dropped or only logged?

What do you trust more? The chain default policy "drop" or logwatch?

Dennis Filder

Jan 13, 2021, 5:00:03 PM
On Wed, Jan 13, 2021 at 05:40:20PM +0100, François Patte wrote:

> Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

That is the address range for link-local addresses assigned via
stateless address autoconfiguration. Think of it as an IP address
derived from the unique MAC address that gets automatically assigned.
It's not routable, i.e. you can only communicate with computers on the
local network, so you'd usually assign other IPv6 addresses that are
routable.

> I expect to accept connections from the internet to port 22222

I would specify the incoming interface here, too, just for clarity.

> The last line "log" is (for me) supposed to log all dropped packets, am I
> right?

Yes.

> For this last line, logwatch reports "logged packets on interface".
> logwatch with iptables reports "drop packets on the interface"
>
> Are these packets dropped or only logged?

Both. The log messages should show up in the output of "dmesg". I
usually use rules like this:

log prefix "filter_inet:c_f_in " flags all

This tells me which chain caused that log entry and some more details.
You could also use:

counter log prefix "filter_inet:c_f_in " flags all

It should add a counter of how often that rule was matched. You can
inspect it with "list ruleset" or by listing that rule by its handle.

Regards,
Dennis.
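The following ruleset is an added example written for this page; it is not the original poster's ruleset and not something either reply posted. It puts together the two points made above: Pascal's observation that the `established,related` and `lo` rules accept traffic regardless of address and that the trailing `log` never sees packets already dropped by the `ct state invalid` rule, and Dennis's suggestion of naming the incoming interface, prefixing the log entry with the chain name, and attaching a counter so the kernel log and `list ruleset` can be compared. The interface name `eth0` is an assumption; port 22222 is taken from the original post.

```nft
#!/usr/sbin/nft -f
# Added example for this thread, not the poster's ruleset.
# Assumes the LAN-facing interface is "eth0" (placeholder) and that
# SSH listens on TCP 22222 as in the original post.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback first. This accepts 127.0.0.0/8 and any address the
        # host itself owns, so it is deliberately not address-restricted.
        iifname "lo" accept

        # Drop invalid conntrack state before any accept and before the
        # final log rule, so the log only reflects what the policy drops.
        ct state invalid counter drop

        # Accept replies to flows the host opened and the continuation of
        # inbound flows that a rule below already accepted. This matches
        # on state, not address, which is why it does not by itself
        # restrict traffic to 192.168.1.0/24.
        ct state established,related accept

        # New connections from the LAN, tied to the LAN interface.
        iifname "eth0" ip saddr 192.168.1.0/24 counter accept
        iifname "eth0" ip6 saddr fe80::/10 counter accept

        # SSH on 22222 from anywhere, with the interface named for clarity.
        iifname "eth0" tcp dport 22222 counter accept

        # Everything that reaches this point is about to be dropped by the
        # chain policy. Count it and log it with a prefix naming the chain
        # and "flags all" for the extra packet details in the kernel log.
        counter log prefix "filter_inet:c_f_in " flags all
    }
}
```

Load it with `nft -f <file>` and read the counters back with `nft list ruleset`; `nft -a list ruleset` prints the rule handles so a single rule can be listed or replaced later. In the kernel log (`dmesg` or the journal) every line from the last rule starts with `filter_inet:c_f_in`, so the count of such lines should track the counter on that rule rather than whatever logwatch chooses to call them.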