Questions tagged [nftables]

Packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as a consolidated replacement for the existing {ip,ip6,arp,eb}tables frameworks

219 questions
1
vote
0 answers

Routing between tables in nftables

I'm looking for an equivalent to this rule: ip -4 rule add fwmark 0xfeed table 64. I understand the fwmark selector can be accomplished using conntrack support. Is there any way to specify that packets use a different routing table?
Genono
  • 11
  • 1
1
vote
0 answers

Connect two bridges only works in one direction

I have a CentOS 8 host with libvirt (KVM) and podman (1.6) installed. libvirt brought a bridge called "virbr0", and guests will be attached to it with an address from the range 192.168.122.0/24. virbr0 itself has 192.168.122.1. Guests can talk to each other,…
praha
  • 11
  • 1
1
vote
0 answers

How can I block/ban an IP after a number of rejects on a mail server?

I found several attempts to use my email server as a relay. The HELO command was not coming from a FQDN and therefore the request got rejected. Is there a way to ban an IP address completely after a number of "malicious" attempts without sending a…
zippy-flop
  • 21
  • 4
1
vote
1 answer

Should RELATED connections always be allowed in iptables, ip6tables, nftables etc?

In all examples of configuring Linux firewall rules, I see that it is necessary to allow connections whose state is RELATED. nftables (link: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation): table ip filter { …
Kirill M
  • 13
  • 2
1
vote
1 answer

Specifying more than one interface in an nftables rule

I am in a situation where I have multiple interfaces for multiple docker networks. All docker networks should be able to access the internet, so I currently have the following nftables snippet: chain forward { type filter hook forward priority 0;…
simonszu
  • 373
  • 7
  • 14
1
vote
1 answer

NFTables: is it possible to forward traffic without masquerading it?

I have a remote server (B) that forwards certain incoming traffic to another port of a different server (A, dest). With "masquerade" I only see traffic coming from the forward server (B), is it possible to see traffic coming from the original…
Polizi8
  • 25
  • 1
  • 6
1
vote
1 answer

nftables reject resulting in a drop verdict instead

I have nftables set up to reject packets that don't match my allow block (nft list ruleset added below), but the packets are being dropped instead. For context, I have a service that listens on port 8080 that only localhost should have access to (for…
ricekab
  • 123
  • 5
1
vote
1 answer

Strongswan and nftables (migrating from iptables)

I am trying to migrate from iptables to nftables (Debian) and hit a wall here with the rules for Strongswan VPN. Can anybody help me translate these rules to nftables? The auto-converter could not do them. # -t filter -A FORWARD -s 10.10.10.2/24 -m…
b4d
  • 125
  • 1
  • 9
1
vote
2 answers

nftables does not write to syslog

Running Debian 10 on a LXC container: # apt-get -y install nftables # nft --version nftables v0.7 (Scrooge McDuck) # nft flush ruleset # nft add table inet filter # nft add chain inet filter input # nft add rule inet filter input log # nft list…
Julen Larrucea
  • 338
  • 1
  • 3
  • 11
1
vote
1 answer

nft vs iptables: inserting a rule at the top of a chain on multiple hosts

I'm managing a number of hosts that rely on nft to manage the firewall. I need to insert a rule at the top of the INPUT chain on these hosts. Under iptables, this would be as simple as running, on every host: iptables -I INPUT 1 ... But nft relies…
larsks
  • 43,623
  • 14
  • 121
  • 180
1
vote
1 answer

How to use defined variables in Nftables though terminal (not in script)

I want to run these two commands in an interactive shell, one after the other (as root and with the "filter" table and the "input" chain loaded): nft define lala=1.2.3.4 nft add rule ip filter input ip saddr \$lala accept You can see I escape the…
Osqui
  • 135
  • 1
  • 8
1
vote
0 answers

Setting up nftables for dual stack (ICMP, http, https)

I'm having a little trouble setting up nftables on a dual-stack server. My setup is Debian 9.11 with nftables installed (obviously). The IPv4 part is working as expected but IPv6 is not. Output of nft list ruleset: chain input { …
proximity
  • 11
  • 3
1
vote
2 answers

Checking existence of IPSEC as a meta expression in nftables

Whilst recently setting up a router manually from scratch using Debian, I decided to use nftables along with strongSwan to provide an IKEv2 VPN access into this. After much frustration along with trial and error, I have finally discovered the…
jren207
  • 11
  • 4
1
vote
0 answers

nftables - how do I route specific website via specific interface?

I have built my own Debian 10 router for my house, principally so it's an always-on VPN router using OpenVPN, also acting as a DHCP server, and providing encrypted DNS using dnscrypt-proxy. Everything has been working well for some time, until I got an Amazon…
adam_c
  • 11
  • 2
1
vote
1 answer

ufw replacement (or workaround) for Debian 10

We have servers where the admins are used to using ufw on Debian 9. Upgrading to Debian 10 means switching from iptables to nftables (yes, we could still use iptables-legacy but do not want to unless ufw will support nftables in the future.) Is…
Jason Cotman
  • 132
  • 2
  • 7