Questions tagged [nftables]
57 questions
0 votes, 0 answers
nftables blocking local unix sockets
I can't seem to find any documentation that explains how to configure nftables to allow unix sockets for passthrough. I've got a CentOS 8 box running an LDAP server, and local commands like ldapsearch/ldapwhoami fail unless I disable nftables or…

M4v · 63 · 6
0 votes, 1 answer
Create Set or Vmap for DNAT Nftables
I'd like to know if someone has found a way to do this. I've been able to create a set for my DNAT rules with nftables, however I haven't been able to achieve what I truly want. This is the Set I have so far:
nft add map ip nat dnat_map{type…

VantTech · 143 · 5
0 votes, 1 answer
nftables : How to log packets going out of a router?
We have a sudden failure of VoIP, which is unable to connect. I can see UDP 5060 packets entering the router by the line:
add rule ip filter FORWARD udp dport 5060 log prefix "=======> FORWARD 5060"
But I didn't find the trick to log output, to be…

Dysmas · 152 · 11
0 votes, 1 answer
How do I specify a subnet mask when adding a rule in nftables?
How does one specify the subnet mask when adding a rule in nftables?
A slash immediately following the specified IP address results in a syntax error.
nft add rule ip filter input 0.0.0.0/24 drop
results in
Error: syntax error, unexpected /
(OS:…

Mithokai · 3 · 4
0 votes, 1 answer
What is the nft rule to let SSH tunnel to work?
I can make an SSH connection with an "All IP is matched" rule in nft:
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
        iifname "eth0" ip saddr { 0.0.0.0-255.255.255.255 } accept
    }
…

user3336503 · 33 · 5
0 votes, 1 answer
How to do NETMAP by nftables
I have some home servers in my LAN, connecting to the internet by ADSL.
My router is a Linux-based x86 server, and I wrote a script on it.
I updated the script to nftables some months ago...
It worked all right in ipv4....
One day, I found my isp…

maybeonly · 49 · 4
-1 votes, 1 answer
Linux netfilter / iptables : How to enable iptables TRACE chain handling with nf_log_syslog on RHEL8+?
On a Linux RHEL8 system, I have enabled these iptables rules,
which I am led to believe should enable ICMP packet syslog logging
on interface ingress & egress:
# iptables -L -t raw
Chain PREROUTING (policy ACCEPT)
target prot opt source …

JVD · 645 · 1 · 7 · 17
-1 votes, 1 answer
NFTABLES: How to DNAT in POSTROUTING
I have a problem setting up a DNAT in POSTROUTING (I really need it for a project).
In the beginning, I tried to set it using iptables with this command:
iptables -t nat -A POSTROUTING -p icmp -d 30.0.0.1 -j DNAT --to-destination 40.0.0.1 but…
-1 votes, 1 answer
WSL Kernel Netfilter hooks for Pre/Post Routing not available
I'm on Windows 11, WSL2, kernel 5.10.60.1-microsoft-standard-WSL2.
I'm using a RHEL distribution and I'm trying to enable a netfilter NAT rule. The problem is I receive this error if I try to add a rule to the NAT table for Pre or…

Spence · 28,526 · 15 · 68 · 103
-2 votes, 1 answer
Why do I have no connection to the DHCP server over IPv6 with nft?
I have configured my nftables with
table inet firewall {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid counter packets 0 bytes 0 drop comment "early drop of invalid packets"
        ct state…

madam · 11 · 3
-2 votes, 1 answer
How to add NAPT/PAT rule?
My goal is to forward packets from an interface to another interface without source port conflicts using the right feature, NAPT.
I couldn't find how to add a NAPT rule (Network Address Port Translation or also known as PAT) with iptables and…

Alexis · 2,136 · 2 · 19 · 47
-2 votes, 1 answer
nftables - IPv6 port knocking - accept whole subnet
I'd like to add port knocking to a server which is already working. My client sends the magic sequence of packets and the server adds it to an nftables set of allowed clients for a specific time. Therefore the clients are allowed to use some…

bago · 1 · 1