
I'm playing around with nftables a little bit and I've set up this rule to block all traffic coming from 192.168.0.29.

The curious result, however, is that it blocks the pings, but I can still SSH from that respective host, in spite of the rule.

sudo nft add rule mytable mychain ip saddr 192.168.0.29 drop

What's wrong with this? This is the output of nft list ruleset:

table ip mytable {
    chain mychain {
        type filter hook input priority 0; policy accept;
        ip saddr 192.168.0.29 drop
    }
}

Edit: Now I've blocked the whole subnet, with the same result. SSH is still standing, for some reason.

Daniel
  • Add the whole configuration to your question, i.e. the output of `nft list ruleset` – Hauke Laging May 05 '20 at 17:15
  • Also, ipv6 maybe? – Tom Yan May 05 '20 at 17:28
  • @HaukeLaging that IS my whole configuration. I mean, like I said in the title, I don't have a setup. I'm just feeling it out right now, playing around with nft. But I'm still puzzled as to why ssh connections are allowed. I gave the rule a progressively lower priority (down to 380), and it's still the same. – Daniel May 05 '20 at 17:34
  • @TomYan That's what I thought, and then it just slipped my mind. Thanks for reminding me - I'm looking into it right now. It's actually likely that it might use ipv6 since ipv4 is blocked. Darn it – Daniel May 05 '20 at 17:37
  • @TomYan it was ip6. I could see the connection in ss and lsof. I set up another table with a rule to drop all ip6 connections, and sure enough, things were now as expected. – Daniel May 05 '20 at 17:51
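The table in the question is in the ip family, and an ip-family table only ever hooks IPv4 packets; IPv6 traffic from the same host passes straight through whatever the chain's priority is. The ruleset below is an added example, not the question's or the commenters' code. It keeps the question's mytable/mychain and 192.168.0.29 and puts a corrected inet-family table next to it. The table name blockhost, the set names, the IPv6 address fe80::1234 and the MAC address are constructed placeholders; substitute the real values for the host you are blocking.

```nft
#!/usr/sbin/nft -f
# Added example, not from the question. Load with: sudo nft -f blockhost.nft
# Placeholders: fe80::1234 and 00:11:22:33:44:55 are constructed; replace them
# with the blocked host's real IPv6 and MAC addresses.

# Note: this wipes every existing table, which is fine on a scratch box.
flush ruleset

# What the question did. "table ip" is IPv4 only: an IPv6 SSH session from
# 192.168.0.29's machine never traverses this chain, whatever its priority.
table ip mytable {
    chain mychain {
        type filter hook input priority 0; policy accept;
        ip saddr 192.168.0.29 drop
    }
}

# Corrected. The inet family hooks both IPv4 and IPv6, so one table and one
# chain can cover every address the host has. Sets keep the rules short when
# the host has several addresses (global, ULA, link-local).
table inet blockhost {
    set banned_v4 {
        type ipv4_addr
        elements = { 192.168.0.29 }
    }
    set banned_v6 {
        type ipv6_addr
        elements = { fe80::1234 }    # constructed placeholder
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # counters make it visible which family the traffic actually used
        ip saddr @banned_v4 counter drop
        ip6 saddr @banned_v6 counter drop
        # optional: block the NIC itself, regardless of address family
        # (assumed usable in an inet input chain; MAC is a constructed placeholder)
        ether saddr 00:11:22:33:44:55 counter drop
    }
}
```

After loading it, `sudo nft list ruleset` shows the packet counters on each drop rule, so a growing `ip6 saddr` counter while the `ip saddr` counter stays at zero tells you immediately that the client connected over IPv6. Before writing the rules, `ss -tn state established '( sport = :22 )'` on the server shows the peer address of the existing SSH session; a peer in square brackets such as `[fe80::1234%eth0]` is the IPv6 address (and scope) that needs to go into the set.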
