Questions tagged [nftables]

Packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as a consolidated replacement for the existing {ip,ip6,arp,eb}tables frameworks.

219 questions
1 vote · 1 answer

nftables (nft) chain priority issues

nft is causing me endless headaches; no matter how I tweak the policy, I still cannot get it to function. The concept I have in mind: one "base" chain where common rules live (e.g. allow ssh etc.), one or more application-specific where daemon…
Asked by Little Code (rep 199 · 1 · 2 · 10)
1 vote · 0 answers

How to reload firewalld without losing Libvirt iptables forwarding rules

It's been well known that firewalld will flush Libvirt rules upon reload, thus making port forwarding to VMs broken until you restart libvirtd. Here is what I did: Create…
Asked by nforced (rep 111 · 2)
1 vote · 1 answer

What is UDP Masquerading behavior when forwarding and listening on the same port to the same remote address?

Assuming the following: ||netns2|<-kernel routing-> netnsRoot| <-network routing-> |remote server| netns2 is a network namespace that has a client which connects to the UDP server on UDP/5060; netnsRoot is the root network namespace (i.e. typical linux…
Asked by Liam Kelly (rep 124 · 6)
1 vote · 1 answer

nftables produces an unexpected message in syslog

I have the following nftables rule: log prefix "[nftables] output denied1: " ip daddr 34.117.59.81 reject In syslog I can see the message: [nftables] output denied1: IN= OUT=br0 SRC=10.10.10.1 DST=10.10.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=540…
Asked by grueni (rep 11 · 2)
1 vote · 2 answers

nftables read counters as non-root user

I have set up some firewall rules using nftables. They include some data counters for some types of traffic that I'm interested to monitor. Now, I'd like to be able to have an application read those counters, ideally using libnftnl, running as a…
Asked by Craig McQueen (rep 780 · 7 · 20)
1 vote · 0 answers

TPROXY interferes with DNAT port forwarding rules

I'm setting up TPROXY on my VyOS router to forward certain traffic to a local transparent proxy. It works pretty well, until I discovered that all of my DNAT port forwarding rules are no longer working (connection timeout when connecting from…
Asked by GreenVine (rep 23 · 4)
1 vote · 0 answers

`bad-setting (Reason: Unit nftables.service has a bad unit file...)` when adding an `/etc/systemd/system` conf to nftables

System is Debian 10 with nftables. I plan to make nftables auto restart when failed, script as below: cat << EOF >> /etc/systemd/system/nftables.service.d/override.conf [Service] Restart=on-failure RestartSec=1s EOF systemctl daemon-reload Output…
Asked by kittygirl (rep 945 · 5 · 13 · 33)
1 vote · 0 answers

How to set MTU on a specific UDP connection?

Is there an iptables target to fragment packets? Let's say I have a packet with length 1280 and I want to split this packet into 5 smaller packets with maximum length equal to 250. Is it possible to use a firewall in linux (nftables, iptables) to fragment packet…
Asked by Hosni (rep 11 · 2)
1 vote · 1 answer

How to block network connections for all `root` processes?

My system is Debian 10 with nftables. Output of nethogs as below: ? root 192.168.2.10:59100-172.217.27.138:443 ? root 192.168.2.10:59086-172.217.27.138:443 ? root 192.168.2.10:59082-172.217.27.138:443 ? root …
Asked by kittygirl (rep 945 · 5 · 13 · 33)
1 vote · 2 answers

nftables - limit rate behavior (error or misuse?)

I am trying to set up a firewall with nftables but I failed to understand and implement a simple rate limit based on the documentation I have found. OS: Ubuntu 20.04 LTS; nftables version: 0.9.3 (Topsy); kernel release: 5.8.0-53-generic. I have…
1 vote · 0 answers

Nftables systemd ExecStart and ExecReload

I have an ansible role (historically inherited) to configure nftables for RHEL8, which I have been trying to make sense of. It is copying a systemd file for nftables.service that has the following…
Asked by JaneD (rep 65 · 4)
1 vote · 0 answers

IPv6 iptables/nftables multi-wan NETMAP can't access internal hosts from WAN2, WAN3

I have an ip6tables router with 3 WANs, each supporting IPv6. For some reason incoming connections only work for the default route, not ISPs #2 and #3. For example, I can ping the translated IP for WAN1, but the translated IPs for WANs 2 and 3 time…
Asked by ensnare (rep 2,212 · 7 · 24 · 40)
1 vote · 2 answers

nftables does not accept port 25. Why?

Server: Debian Buster. In nftables.conf I have: chain INPUT { .. tcp dport { 25,465,587,993} log prefix "nft smtp: " accept comment "accept SMTP, SMTPS, IMAPS" .. log prefix "nft nac: " comment "not accepted" } chain OUTPUT { .. tcp sport {…
1 vote · 1 answer

Boot without nftables | Debian 10

While rebooting our newest storage servers, we're experiencing a kernel error (probably) caused by nftables. Please see attached call trace: After configuring the server (incl. nftables), everything worked fine. When we tried to reboot the…
Asked by 0stone0 (rep 113 · 7)
1 vote · 1 answer

RHEL/CentOS: How to add nftables rules to firewalld on system boot?

I am using firewalld on RHEL 8, and need to add a few nftables rules as well. (The nftables rules are based on the answer to "CentOS 8 as NAT router with nft and firewalld - how to get it to pass TFTP?") In a running firewall, this works well with the…
Asked by Kevin Keane (rep 900 · 1 · 8 · 13)