Questions tagged [nftables]
68 questions
0 votes, 1 answer, 42 views
Select routing policy based on gateway address
I run a wireguard interface wg0 on my remote VPS, the wireguard interface has 2 IP addresses, 10.9.0.1 & 10.9.0.2, the network interface of the VPS is ens3 (1.2.3.4), and I also run a VPN ...
0 votes, 1 answer, 101 views
Creating a bridge firewall with a DSA switch?
I have experimented with converting my BPI R3 router into a switch without success. The switch is a chip built into the router. I seem to be able to bridge two stations plugged in the switch of my BPI ...
1 vote, 1 answer, 102 views
VirtualBox to Docker on WSL2 with SSH
I am struggling trying to establish an SSH connection from my VirtualBox VM to a Docker container which runs on WSL2.
The SSH runs with the following port and IP-addresses:
WSL2 Port 22, IP 192.168.41....
0 votes, 0 answers, 52 views
Allowing use of nebula mesh network and commercial VPN simultaneously (Linux -- Ubuntu 22)?
I'm attempting to configure a server that can access the web over VPN (specifically Mullvad VPN) while simultaneously allowing access to other nodes on a nebula mesh network.
I've made some decent ...
1 vote, 1 answer, 148 views
nftables does not catch a packet it has already seen
I set up a segmented local network, where each segment is VLAN'ed and the switch at the root of all VLANs also acts as a router between all IP segments/VLANs (the switch is the Dell S4810 running DNOS 9....
0 votes, 0 answers, 389 views
How to redirect requests to remote machine to localhost using nftables?
I have the following nftables configuration:
[root@localhost andrew]# nft list ruleset
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip ...
0 votes, 0 answers, 465 views
Full Cone NAT debian nftables
I have a Debian router, and I'd like to set up Full Cone NAT.
I'm using nftables and miniupnpd.
My current config (Restricted Cone NAT):
table inet nat {
chain postrouting {
type nat hook ...
0 votes, 2 answers, 279 views
What determines if a packet should be routed locally or forwarded?
As seen in the diagram, when the Linux kernel receives a packet, it goes through the prerouting chain, and then a routing decision is made on whether to forward it to somewhere else or deliver it to a ...
1 vote, 1 answer, 314 views
Masquerading traffic with non-default routing table
I have a network set up as follows:
┌──────┬────────┐ ┌───────────┐
│ │ eno1.1 │ │ Network A │
│ │ ├─┤ │
┌────...
3 votes, 1 answer, 818 views
What is the default verdict for nftables rule?
For example:
#!/usr/sbin/nft -f
add table ip filter_4
add chain ip filter_4 input {
type filter hook input priority filter; policy drop;
}
add chain ip filter_4 new_in_4 {
comment "New ...
0 votes, 1 answer, 998 views
Adding regular chain to nftables "Operation not supported"
Syntax to add regular chain to nftables is:
add chain [family] <table_name> <chain_name> [{ [policy <policy> ;] [comment "text comment about this chain" ;] }]
I run the ...
0 votes, 0 answers, 181 views
nftables config for ipsec (strongswan) vpn
I have got a working IPSec connection between a device (raspberry) on the remote side (10.X.117.0/24 network) and the local network (10.Y.0.0/16 network).
The raspberry has a static 10.X.117.1 IP on its ...
0 votes, 1 answer, 381 views
Internet connection active only after restart of nftables
I configured a DIY Debian-based router without DHCP and DNS server.
MY PROBLEM:
When I switch on the router and the system boots, the Internet connection on clients becomes available for 4-5 seconds (...
0 votes, 1 answer, 566 views
DIY minimal install debian nftables routing not working
I'm trying to build a router on Debian OS and PC-hardware with several network interfaces.
Installed minimal debian-12.2.0-amd64 and trying to implement routing between init7_WAN and Carbon_LAN.
But I ...
1 vote, 1 answer, 61 views
Do forward, but deny direct incoming connections
VM = Virtual Machine.
WS = Workstation VM.
GW = Gateway VM.
Virtualization software: Oracle VirtualBox.
Host/Guest OSes: all Debian 12.
Firewall software: nftables
Goal
Whonix-like setup. WS sits ...
2 votes, 0 answers, 508 views
redirect local requests to ip to other ip (linux - e.g. debian >= 10)
I want to redirect all requests to a certain IP:port on machine A itself (for a current or rather 10/11/12) to another IP = machine B so that requests from processes on machine A are forwarded to machine ...
0 votes, 1 answer, 457 views
Need help using nftables to drop SNMP packets containing a specific community string
I am trying to use nftables [v1.0.2 (Lester Gooch)] to drop SNMP packets containing the community string 'pawan'. I am trying to use the nftables payload expressions - raw payload expression to match ...
0 votes, 1 answer, 101 views
How do I get data from weather.gov through my nftables firewall?
I'm writing a python script that grabs data from weather.gov (the NDFD SOAP service and current observations XML) to draw a screensaver picture. The script works on my regular computer but not on my ...
1 vote, 1 answer, 1k views
How to bypass the vpn tunnel for a single docker container using nftables?
I am trying to come up with a solution to bypass the vpn tunnel in the incoming and outgoing docker container.
The VPN I'm using is Mullvad VPN and in the split tunneling section they have addressed ...
5 votes, 1 answer, 3k views
How does one create nftables rule that accepts connections from the same IPv6 subnet, when the IPv6 prefix is dynamic?
For IPv4, it is easy to create a rule that only accepts connections from hosts of the same subnet, for example (assuming my computer is 192.168.42.2, and the incoming connection is 192.168.42.20):
...
4 votes, 1 answer, 2k views
nftables: How to stop further chain traversal after accept verdict
Context: https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
If a packet is accepted and there is another chain, bearing the same hook type and with a later priority, then the packet ...
0 votes, 0 answers, 830 views
Using iptables-nft/ebtables-nft to intercept specific forwarded/bridged IP packets on a bridge and redirect them to the bridge device itself
With a bridge br0 using eth0 and wlan0 as bridge ports, formerly one could intercept packets arriving on a bridge port with iptables -t mangle -A PREROUTING -m physdev --physdev-in wlan0 --protocol ...
1 vote, 1 answer, 457 views
nftables, dnat in output chain appears to be done after routing
I have an EC2 instance and an application that requires to send to the EIP from within the instance.
I am trying to configure a DNAT on the output chain so that the packets don't go out to the internet ...
0 votes, 0 answers, 120 views
Forwarded packet seemingly skipping POSTROUTING rules
I have a very simple WireGuard configuration. Clients are assigned 10.7.0.0/24 addresses, traffic is forwarded out the primary interface, and finally the packets are SNAT'd out of the primary interface on '...
0 votes, 1 answer, 2k views
Configuring nftable firewall for one way packet traffic
Hello, I'm a beginner in configuring firewalls, but what I want to do is to allow host a (10.1.0.2) to send packets to host b (10.12.0.10) while b cannot send packets to a. Both machines are ...
0 votes, 1 answer, 690 views
nftables: isolate VLANs with some exceptions
Say there is a custom router (a Raspberry Pi box) with Debian 11 and nftables installed, with a single physical Ethernet interface and the following VLANs configured:
eth0.501 192.168.41.0/24 CCTV ...
0 votes, 1 answer, 66 views
nft_pipapo_avx2_scratch_index shows up on all my perf recordings
I'm investigating a performance issue on my Ubuntu 22.04.2 LTS machine. I take the following steps:
sudo perf record -g -F max -s --call-graph dwarf -e cycles -e sched:sched_switch --switch-events --...
0 votes, 1 answer, 345 views
nftables: usage ct label set in
Using it in stateful mode, I collect information about the amount of packets/bytes from the rules and do not create the rules for returning packets because they are accepted based on the states stored ...
0 votes, 0 answers, 177 views
What is the l4proto carp counter in nftables?
I was converting my iptables rules to nftables and the script produced a few errors.
One of them was:
add rule ip6 mangle protos_check meta l4proto carp counter return
which was translated from
-A ...
0 votes, 0 answers, 114 views
Nftables exits with "Killed" when trying to update a set with a huge list of ips
I have a huge list of IPs (about 300 000) I want to put into a nftables set (to use with pbr on openwrt). Currently what I am doing is directly executing add element with all the IPs, but nftables ...
0 votes, 0 answers, 440 views
Using nftables maps
I have a wireguard network in which I want a "host" peer to forward some traffic to multiple network cameras in its local network. Said peer registers several IPs, and I want to use nftables ...
0 votes, 0 answers, 3k views
Allow DNS traffic using Nftables
I tried the following commands but it still doesn't allow DNS traffic. What am I doing wrong?
nft add table inet tarffic
nft add chain inet traffic INPUT '{ type filter hook input priority 100; policy ...
1 vote, 1 answer, 2k views
How to ban <SUBNET> with fail2ban and nftables
I have Debian 10, Fail2Ban v0.10.6 with iptables and my filter with <SUBNET> works. Now I have Ubuntu 22.04, Fail2Ban v0.11.2 and I try to make it work with nftables. I added only jail.local ...
1 vote, 1 answer, 453 views
Linux conntrack not seeing multicast responses as part of the same flow
My tv (192.168.1.48) is multicasting an SSDP packet (to 239.255.255.250:1900), and on my server (192.168.1.17), by running smcroute and doing some packet mangling to increase the IP TTL of this ...
1 vote, 0 answers, 641 views
How can I use the WAN interface IP address(es) in NFTables config?
Background
I'm attempting to write an NFTables configuration that would allow me to keep IPv4 and IPv6 forwarding rules in the same table.
I'm hosting some web services behind a reverse proxy and want ...
1 vote, 1 answer, 2k views
How to allow traffic over VPN across namespaces using nftables
I have a wireguard interface configured in a dedicated namespace vpn. It is configured first creating the interface in the main namespace (that has access to the physical interface routing to the ...
0 votes, 0 answers, 602 views
nftables or fw4 issue with timebased traffic rules
Since OpenWRT ver > 22.3 uses nftables instead of iptables, I have an issue with some firewall (fw4) time-based traffic rules that I have no idea how to solve.
The firewall rule is as ...
0 votes, 1 answer, 2k views
nftables: IPv6 NAT packets not going into forward chain but returned destination unreachable
I'm setting up NAT for IPv6 on an OpenWrt (22.03.0-rc4) router because my ISP only allocates one single IPv6 address via DHCPv6, and only allows one MAC address to use a single IPv6 address obtained ...
1 vote, 0 answers, 5k views
How to stop the sending of ICMP timestamps replies and requests?
Woo, progress! Updated below! I've been all over the internet looking for an answer to this one. I am using a Raspberry Pi running Raspbian Debian 11. The problem seems rather simple, just blocking ...
4 votes, 1 answer, 3k views
nftables: How to get BROUTING behavior like ebtables legacy?
In ebtables, BROUTING chain in broute table has special behaviors for ACCEPT and DROP actions: ACCEPT means bridging/forward path and DROP means routing/input path. For example, to force all non-IPv6 ...
0 votes, 0 answers, 288 views
nftables rules syntax getting error in adding rule
I am trying to add this rule
nft insert rule ip nat PREROUTING iifname enp0s3 udp dport 9100 counter dnat to 192.168.150.2
I am getting this error
[root@ph3ro]# nft insert rule ip nat PREROUTING ...
2 votes, 1 answer, 1k views
How to redirect traffic from container A to container B when using the address of the external interface
Following a short/simplified diagram of my setup (sorry for the title):
Internet ----- eth0 (1.2.3.4) --- br0 (10.0.0.1)
|
+---------------+-...
0 votes, 0 answers, 1k views
How to do "source-MAC based routing" with nftables
(This is a simplified version of this: Can Linux do "source MAC based routing?")
I have an appliance that needs to route egress packets back to the MAC interface where the ingress packets ...
1 vote, 2 answers, 445 views
Nftables firewall rule hex value 0x1fff changed to decimal 8191
I started the process of migrating into nftables, just noticed that while I add this rule
add rule netdev filter INGRESS ip frag-off & 0x1fff != 0 counter drop
should look like this in nftables....
1 vote, 1 answer, 2k views
iptables to nftables for iKEv2 IPSEC VPN server
Can someone please help in converting the below iptable rules to equivalent nftables rules?
I have already tried to use iptables-translate, but it is not translating all of my rules...
# accept ports ...
2 votes, 1 answer, 2k views
How do I make a stateful bridge firewall with nftables?
The nftables wiki has an example, but it doesn't seem to work for me.
The page says that it should work since kernel 5.3, but it says "protocol error" when I try the exact commands from the ...
0 votes, 1 answer, 1k views
Translate WireGuard config from iptables to nft
I was installing WireGuard on a fresh Raspberry Pi OS image and wanted to move the server config from another device onto this. But bringing up the interface said it can't find the iptables command. ...
0 votes, 0 answers, 286 views
nftables disables/disconnects wifi interfaces
I am trying to switch to nftables to set up some port forwarding. But when I enable the nftables service, it disables my wifi connection. Attempting to connect to an access point, I get Error: ...
0 votes, 1 answer, 473 views
NFTABLE issue: IPv6 does not behave like IPv4 with mirror config
I have an issue with IPv6 on my server. I have nginx configured to listen on port 443 for IPv4 and IPv6. And it works great: my website is available from the Internet with TLS enabled.
Things get ...
3 votes, 1 answer, 701 views
Linux: only allow outgoing connections to specific domains
I have a CentOS server and only want to allow outgoing connections to specific domains. (allowlist) My thought was to have a DNS proxy which adds the allowed ips (only ipv4 needed) to nftable named ...