Packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as a consolidated replacement for the existing {ip,ip6,arp,eb}tables frameworks.
Questions tagged [nftables]
219 questions
1
vote
1 answer
nftables chain priority not working
So I have two input chains, input and dyn which is dynamically generated.
However, the rules of dyn just don't work because of input. I've tried setting the priority of input to 1, and dyn to 0, even -200. Still nothing.
When I flush the input…

Nikk
1
vote
1 answer
Whitelist cgroup from wireguard VPN
I have a wireguard VPN, set up and enabled through NetworkManager, called wg0. I want to allow a program to access the internet directly without going through the tunnel. For this I'm trying to match by cgroupv2.
Here’s what the routing looks like:
>…

Cimbali
1
vote
1 answer
nftables: Possible to block SYN packets with payload?
Is it possible to drop all TCP SYN packets with a payload using nftables?
The man pages mention various length options, but none that I could get to work for TCP packets without syntax errors.
I am using kernel v6.2.10, and nftables v1.0.7.

c44761
1
vote
1 answer
nftables: getting a per-port whitelist to work
Setup: Ubuntu 20.04, created a bridge "br0" with brctl, added three physical ports to it: enp10s0, enp7s0 and enp5s0.
The desire: enp5s0 and enp7s0 should be able to talk to each other on the bridge unimpeded (in the end, there will be more than…

JamieB
1
vote
1 answer
Packets dropped when the target addresses (mac and ip) are changed to own hosts interface
My host acts as a router and has two network interfaces enp1s0 (1 host connected with ip 192.168.10.20) and enp2s0. enp1s0 is used to receive UDP packages and enp2s0 usually has the listening hosts connected.
When I activate the nftables logging…

guenhter
1
vote
1 answer
nftables set of couples { IP/MAC address }
Is it possible to do something like this:
set authorized {
type ipv4_addr ether_addr
flags constant
elements = {
{ ipaddr: 192.168.1.xx, etheraddr: xx:xx:xx:xx:xx:xx },
{ ipaddr: 192.168.1.xx, etheraddr:…

John Doe
1
vote
0 answers
Filtering traffic by MAC - nftables
TL;DR: I am building a network tap with a Raspberry Pi that must remain stealthy. I have a bridge (br0) between the switch interface (eth0) and the workstation (eth1).
Here is how I am building it (open to any suggestion):
# Create a bridge with…

m4ki3lf0
1
vote
1 answer
AlmaLinux 9/RHEL and nftables: Keep getting "type filter hook input priority filter" at chain
Good day to all!
First of all, I have to say I'm a Linux novice and new to StackExchange, so I hope I'm asking my question the right way.
I would like to use nftables as firewall on a new AlmaLinux installation (v9.1, minimal install, headless…

HenkH
1
vote
1 answer
IPv6 port scanners hang after scanning a closed port
I am testing nftables firewall rules using two virtual machines, one with the active firewall and one that tries to connect to it.
For example with netcat and no firewall:
nc -6 fe80::9d08:b3e2:47fa:2935%ens33
responds successfully with…

stmas
1
vote
0 answers
Assign outlet IP for a libvirt VM using routed network
My host network interface has got two IPs. Currently, I'm running my VMs in a routed network.
Host's network interface is a member of public zone in firewalld, with both forward and masquerade enabled.
With the setup described before, the VM is able…

Yu Ling
1
vote
1 answer
Cannot access website in LAN. NAT Hairpinning in nftables
I am trying to get NAT hairpinning working on my router. I cannot access my local website host on my LAN (192.168.1.3). I am using nftables with the following config:
enp1s0 = WAN
enp2s0 = LAN
#!/sbin/nft -f
flush ruleset
table ip nat {
…

whitleystriber
1
vote
0 answers
nftables rules to allow networked Docker containers on the same host to use their public URLs
I am running two Docker containers on the same host, living in the same Docker bridge network, and I have nftables set up to restrict more or less all traffic (rules below).
My only problem (that I know of) is that traffic from one container to the…

alfonx
1
vote
0 answers
How to debug an nft_table allow rule that's contradictory
I have some nftable rules in the inet firewalld table
chain filter_FWD_policy_externalTolxc {
jump filter_FWD_policy_externalTolxc_pre
jump filter_FWD_policy_externalTolxc_log
jump…

user22866
1
vote
1 answer
Nft list ruleset with ports
Is there a way to list the actual ports when listing the rules?
I mean:
nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority 0; policy drop;
iifname "lo" counter packets 114 bytes 316154 accept
…

Arany Péter
1
vote
0 answers
Docker Compose containers cannot communicate through nftables
I just have a quick question about Docker Compose.
I have an nftables firewall installed on my server, with the default drop policy loaded on the input and forward chains.
Until now everything has always worked but today I wanted to install the…

Jonathan