spidark queries nftables

I had some kernel config issues regarding nftables. While helping me, spidark said:

I have no idea (yet) what I'm doing.
But this works (crippled I think, but it works).
Can't remember where I got it from :( Sorry, original author, and thanks)
However, it does time out my eix-sync, and dhclient complains about IPv6 not permitted because of the drop state (working on that).
Maybe you can figure it out.

#==== TO LIST: sudo nft list ruleset
#==== TO DESCRIBE PORTS: sudo nft describe tcp dport

flush ruleset

table inet filter {
 set tcp_accepted {
  type inet_service; flags interval;
  elements = {
   http, https,rsync,
  }
 }
 set udp_accepted {
  type inet_service; flags interval;
  elements = {
   domain,
  }
 }

 chain base_checks {
  # allow established/related connections
  ct state {established, related} accept

  # early drop of invalid connections
  ct state invalid log prefix "Invalid Input Connection: " drop
 }
 chain input {
  type filter hook input priority 0; policy drop;

  jump base_checks

  # allow from loopback
  iifname lo accept

  # allow icmp
  ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
  ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept

  # allow ports
  #tcp dport @tcp_accepted accept
  #udp dport @udp_accepted accept

  # everything else
  reject with icmpx type port-unreachable
 }
 chain forward {
  type filter hook forward priority 0; policy drop;
  log prefix "Dropped Forward Connection: "
 }

 chain output {
  type filter hook output priority 0; policy drop;
  jump base_checks
  # allow ports
  tcp dport @tcp_accepted accept
  udp dport @udp_accepted accept
  #log prefix "Invalid Output Connection: " Warning : This floods logs
 }
}

I thought I could try to help spidark. This is how I incrementally went about it.

As a first step, before I try to fix anything, I simply rewrite these rules so I can understand them better.

I want to read compact, clean code, so first I remove the comments, the commented-out rules and the blank lines.

flush ruleset
table inet filter {
 set tcp_accepted {
  type inet_service; flags interval;
  elements = {
   http, https,rsync,
  }
 }
 set udp_accepted {
  type inet_service; flags interval;
  elements = {
   domain,
  }
 }
 chain base_checks {
  ct state {established, related} accept
  ct state invalid log prefix "Invalid Input Connection: " drop
 }
 chain input {
  type filter hook input priority 0; policy drop;
  jump base_checks
  iifname lo accept
  ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
  ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
  reject with icmpx type port-unreachable
 }
 chain forward {
  type filter hook forward priority 0; policy drop;
  log prefix "Dropped Forward Connection: "
 }
 chain output {
  type filter hook output priority 0; policy drop;
  jump base_checks
  tcp dport @tcp_accepted accept
  udp dport @udp_accepted accept
 }
}

I remove the chain base_checks and move its rules inline, as-is, to where it was called.

flush ruleset
table inet filter {
 set tcp_accepted {
  type inet_service; flags interval;
  elements = {
   http, https,rsync,
  }
 }
 set udp_accepted {
  type inet_service; flags interval;
  elements = {
   domain,
  }
 }
 chain input {
  type filter hook input priority 0; policy drop;
  ct state {established, related} accept
  ct state invalid log prefix "Invalid Input Connection: " drop
  iifname lo accept
  ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
  ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
  reject with icmpx type port-unreachable
 }
 chain forward {
  type filter hook forward priority 0; policy drop;
  log prefix "Dropped Forward Connection: "
 }
 chain output {
  type filter hook output priority 0; policy drop;
  ct state {established, related} accept
  ct state invalid log prefix "Invalid Input Connection: " drop
  tcp dport @tcp_accepted accept
  udp dport @udp_accepted accept
 }
}

This shows that the sets tcp_accepted and udp_accepted are probably unnecessary, as each is referenced only once. Sets are more useful when the same list is used in several rules.

So, I move those sets inline too.

flush ruleset
table inet filter {
 chain input {
  type filter hook input priority 0; policy drop;
  ct state {established, related} accept
  ct state invalid log prefix "Invalid Input Connection: " drop
  iifname lo accept
  ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
  ip6 nexthdr icmpv6 icmpv6 type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable, packet-too-big, nd-router-advert, nd-router-solicit, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept
  reject with icmpx type port-unreachable
 }
 chain forward {
  type filter hook forward priority 0; policy drop;
  log prefix "Dropped Forward Connection: "
 }
 chain output {
  type filter hook output priority 0; policy drop;
  ct state {established, related} accept
  ct state invalid log prefix "Invalid Input Connection: " drop
  tcp dport {http,https,rsync} accept
  udp dport {domain} accept
 }
}

Nothing has changed yet. The ruleset is still the same.

Now I can start modifying the ruleset, as all the logic is inline and not jumping about. Once we have a clean, working ruleset, we can create additional chains, sets, etc. where necessary to reduce it further.
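The two rewrite steps above (inline the jumped-to chain, then inline each single-use set) can be applied mechanically. The following is an added example, not code from this post or from nftables; it works on a trimmed, constructed copy of spidark's ruleset and assumes the post's layout (one rule per line, each chain block closed by a line reading " }").

```python
import re
# Constructed input: a trimmed copy of spidark's ruleset (udp set, icmp rules and forward chain omitted).
RULESET = """flush ruleset
table inet filter {
 set tcp_accepted {
  type inet_service; flags interval;
  elements = {
   http, https,rsync,
  }
 }
 chain base_checks {
  ct state {established, related} accept
  ct state invalid log prefix "Invalid Input Connection: " drop
 }
 chain input {
  type filter hook input priority 0; policy drop;
  jump base_checks
  reject with icmpx type port-unreachable
 }
 chain output {
  type filter hook output priority 0; policy drop;
  jump base_checks
  tcp dport @tcp_accepted accept
 }
}
"""

def inline_ruleset(text):
    """Expand every 'jump' into the target chain's rules, then every '@set' into its elements.
    Assumes the post's layout: one rule per line, chain blocks closed by a line reading ' }'."""
    sets = {m[1]: [e.strip() for e in m[2].split(",") if e.strip()]
            for m in re.finditer(r" set (\w+) \{.*?elements = \{(.*?)\}", text, re.S)}
    chains = {m[1]: [l.strip() for l in m[2].splitlines() if l.strip()]
              for m in re.finditer(r" chain (\w+) \{\n(.*?)\n \}", text, re.S)}
    def expand(rules):  # recursive, so chains that jump to other regular chains also flatten
        return [x for r in rules
                for x in (expand(chains[r.split()[1]]) if r.startswith("jump ") else [r])]
    # Only base chains (those with a hook) are emitted; the jump targets now live inline.
    out = ["flush ruleset", re.search(r"^table .*\{", text, re.M)[0]]
    for name, rules in chains.items():
        if not any(r.startswith("type ") and " hook " in r for r in rules):
            continue
        out.append(f" chain {name} {{")
        for r in expand(rules):
            for s, elems in sets.items():  # '@tcp_accepted' -> '{ http, https, rsync }'
                r = re.sub(rf"@{s}\b", "{ " + ", ".join(elems) + " }", r)
            out.append("  " + r)
        out.append(" }")
    return "\n".join(out + ["}"]) + "\n"
```

Each rewritten file can be syntax-checked without loading it with `sudo nft -c -f ruleset.nft`, and after `sudo nft -f ruleset.nft` a `sudo nft list ruleset` shows whether the kernel's view really is unchanged from step to step.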

Is it now easier to follow the logic flow and to troubleshoot?

