Questions tagged [nftables]

Packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as a consolidated replacement for the existing {ip,ip6,arp,eb}tables frameworks.

219 questions
2 votes, 1 answer

Nftables timestamp map

Is it possible to construct an nftables map based on timestamp? Currently I use: numgen random mod 2 map { 0: 10.10.10.1, 1: 10.10.10.2, } But how to convert the random mod 2 expression to (timestamp / 1800) mod 2,…
mvorisek

2 votes, 1 answer

nftables ip6 route to localhost / IPv6 NAT to loopback

I'm trying to route incoming HTTP internet traffic to [::1]:8080, which is where my HTTP server binds to. I'm using nftables on an IPv6-only device. If I add the following rules: sudo nft flush ruleset sudo nft add table ip6 nat sudo nft add chain…
adabru

2 votes, 1 answer

nftables bridge match local packets

I am using Arch Linux and I have set up a bridge with bridge-utils. Now I would like to firewall it. I would like to drop some packets going through that bridge while allowing this machine to freely communicate with the one behind the bridge. I…
Vojtech Kane

2 votes, 2 answers

Rate limiting ICMP flood with nftables

I'm trying to figure out how to allow ICMP pings to a server with nftables without being subject to flood attacks. Here's my initial config: table inet firewall { chain incoming { type filter hook input priority 0; policy drop; …
kjs3

2 votes, 1 answer

What is wrong with SNAT in nftables?

I have two virtual machines (server, client) with a WireGuard VPN. When I try to ping any IPv6 resource from the client, packets don't return to the client. Tcpdump shows me ICMP Reply packets on the enp0s3 interface (server), not on wg0 (the VPN interface on…
Sorcus

2 votes, 1 answer

nftables alternative command like iptables -L -n -v

Is there an alternative to the command iptables -L -n -v in nftables? I need the counter of packets that hit my firewall.
VANILKA

2 votes, 0 answers

DHCP unicast packets processing in Linux

I'm trying to catch and process (in a 3rd-party analytics app) DHCP packets from an ERSPAN session, but cannot do this. There is a PHY interface which receives ERSPAN traffic and an erspan-type interface to get decapsulated packets (ip link add inspan type…

2 votes, 1 answer

nftables limit doesn't seem to work for some STUN requests

I'm setting up a server with coturn using only STUN (TURN is disabled). It seems that STUN UDP can be used for DDoS, so I'm trying to set nftables rules to make it harder, but the rules don't seem to always work. Sometimes, I can see something like…
FurretUber

2 votes, 1 answer

Understanding how jumping works in nftables

I am new to nftables. I have read a few docs and went through the main wiki page and I still don't understand how the DOCKER-USER chain works. Here is the table which was created by Docker: table ip filter { chain DOCKER { } …
Mitya

2 votes, 1 answer

How exactly is Docker circumventing my nftables?

My aim is to block all ports from non-"lo" interfaces except for 22, 80, 443. I don't want external devices to be able to access anything on my Raspberry Pi except for 22, 80, 443. I have an nc server running on port 9123. My nftables rightly…
dewijones92

2 votes, 1 answer

nft bridge family ruleset not working

I have a Debian 11 server and I am running a Qemu/KVM virtual machine on it created via Qemu commands. There is a bridge device on the server named br0 and the VM has a TAP device named vm0. I want to avoid MAC/IP spoofing by creating an nft…
Sinux

2 votes, 1 answer

How to refresh set element timeout in nftables?

How do I refresh a set element's timeout/expires value with nft before it is expired? Adding an existing element to the set does not reset the timeout/expires value: nft add element ip mytable myset { 10.10.10.1 timeout 60s } # wait 10s nft add…

2 votes, 0 answers

Filtering traffic by MAC address with nftables

TL;DR: when spoofing MAC addresses, how can I make sure the real addresses won't be leaked to the rest of the network using nftables? Context: For network security training purposes I am currently building a network tap consisting of a transparent…
Kate

2 votes, 1 answer

iptables flushed on firewalld reload

I'm running on Rocky Linux (RHEL8 based) and am kind of struggling with firewalld and iptables. Well, not really iptables anyway… Let me explain. I set up a K8S cluster on VMware ESXi with six virtual machines, all the same. I need to have firewalld…

2 votes, 1 answer

Nftables "Error: Interface does not exist" after reboot

When using nftables on a new virtual machine (Debian 10), I installed and configured nftables as an automatic service (systemd). I also use LXC and use an additional interface (lxcbr0). I recognized the problem that the nftables service does not start…
ssd_rider