Nftables: what is the difference between these configs?

Kazbek

I have config:
Code:
table netdev rawinput {
        set cyberwhite4 {
                type ipv4_addr
                flags timeout
                elements = { my_ips_here }
        }

        set cyberwhite6 {
                type ipv6_addr
                flags timeout
        }

        chain rawchain {
                type filter hook ingress device "eth0" priority -470; policy accept;
                ip saddr != @cyberwhite4 drop
                ip6 saddr != @cyberwhite6 drop
        }
}
and it works fine. But this version doesn't work at all and blocks TCP, SSH and other connections (also outgoing, I think) even if the IP is in the whitelist:

Code:
table netdev rawinput {
        set cyberwhite4 {
                type ipv4_addr
                flags timeout
                elements = { my_ips_here }
        }

        set cyberwhite6 {
                type ipv6_addr
                flags timeout
        }

        chain rawchain {
                type filter hook ingress device "eth0" priority -470; policy drop;
                ip saddr @cyberwhite4 accept
                ip6 saddr @cyberwhite6 accept
        }
}
I thought it was almost the same.
Additional details: the server runs behind the provider's firewall (which we configured to allow only TCP connections, no UDP, no ICMP).
Can someone explain why the second option doesn't work and how I can fix it?
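The difference between the two rulesets is not the allow-list logic but what the drop policy does to frames that carry no IP header. The netdev ingress hook sees every frame arriving on eth0, ARP included. In the first ruleset the two rules only evaluate IPv4 and IPv6 packets, so ARP falls through to the accept policy; in the second ruleset ARP matches neither accept rule and is discarded by the policy, the host can no longer learn or answer for its gateway's MAC address, and once the neighbour cache entry expires every session, allow-listed TCP included, stalls. The ruleset below is an added example in nft -f syntax, not from the thread or from anyone posting in it; it keeps the cheap pre-conntrack drop policy but accepts ARP and IPv6 neighbour discovery first. The interface name, the set names and the RFC 5737 / RFC 3849 documentation addresses are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread): allow-list on the netdev ingress hook with
# policy drop. Compared with the thread's second ruleset it accepts ARP and IPv6
# neighbour discovery before the drop policy applies, which is what keeps the
# allow-listed sessions alive. Interface name and addresses are placeholders.

table netdev rawinput {
        set cyberwhite4 {
                type ipv4_addr
                flags timeout
                # constructed sample entries (RFC 5737 documentation addresses)
                elements = { 192.0.2.10, 198.51.100.20 }
        }

        set cyberwhite6 {
                type ipv6_addr
                flags timeout
                # constructed sample entry (RFC 3849 documentation prefix)
                elements = { 2001:db8::10 }
        }

        chain rawchain {
                type filter hook ingress device "eth0" priority -470; policy drop;

                # ARP carries no IP header, so neither saddr rule below can match it;
                # without this line the drop policy discards it and the host loses
                # its gateway's MAC address once the neighbour cache entry expires.
                ether type arp accept

                # IPv6 neighbour discovery is the IPv6 counterpart of ARP and comes
                # from link-local sources that are not in the allow-list.
                icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept

                # Allow-listed sources. accept here only ends this chain; the packet
                # still goes through the normal input hook and any rules there.
                ip saddr @cyberwhite4 accept
                ip6 saddr @cyberwhite6 accept

                # Everything else is counted and then dropped by the chain policy;
                # read the counter with: nft list chain netdev rawinput rawchain
                counter
        }
}
```

Load it with `nft -f` (delete the old `netdev rawinput` table first if it already exists) and watch the trailing counter for a few minutes to confirm that only unwanted traffic reaches the policy. Two caveats: accept on the ingress hook does not bypass connection tracking, it only stops evaluation in this chain, so the saving under attack comes from dropping early, not from accepting early; and an empty cyberwhite6 set combined with `ip6 saddr != @cyberwhite6 drop`, as in the thread's first ruleset, discards all IPv6 including neighbour discovery, which only goes unnoticed as long as the host does not depend on IPv6.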
 


These two lines are wrong; they should be
ip saddr != @cyberwhite4 drop
ip6 saddr != @cyberwhite6 drop
In the second example the default policy is drop. So for the whitelist to work I guess it is required to use accept in the rules. Am I wrong?
 
No, you are correct, I am wrong - but I think the problem is that there is no != between saddr and @cyberwhite4
"saddr != @cyberwhite4" means saddr not in @cyberwhite4
and
"saddr @cyberwhite4" means saddr in @cyberwhite4

In the second example I want to accept IPs when they are IN the whitelist. As in the first example, I'm dropping when the IP is NOT IN the whitelist.
 
Why are you using an @ sign?

Are you trying to block or allow traffic from cyberwhite4 and cyberwhite6? Why are you using such extreme measures? Use input and output, not ingress. Use a normal priority instead of -470.

Signed,

Matthew Campbell
 
I want to allow traffic only from cyberwhite4 and cyberwhite6.
I previously tried using input and output, not ingress, and a normal priority instead of -470, but DDoS attacks (340+ Mbit/s) in that case make our server die after a few seconds. CPU core kernel usage goes to 100% immediately (I guess connection tracking and packet defragmentation create a lot of load), so I moved the rules to reduce the load on the server as much as possible. Now the server can survive the attacks, but allowed TCP connections are still dying and users need to reconnect.
 
Perhaps you need some kind of external system to protect your server from the DDoS attacks. Using a priority number of -470 only changes when those rules get considered compared to other firewall rules. It won't make your firewall work any faster. Using ingress might help your system get to it a little sooner though. Adapt this script as needed to suit your needs.

Code:
#!/bin/bash
#
# Create the filter tables.
/usr/sbin/nft create table ip filter4
/usr/sbin/nft create table ip6 filter6

# Create the input and output base chains.
/usr/sbin/nft add chain ip filter4 input \{ type filter hook input priority 0 \; policy drop \; \}
/usr/sbin/nft add chain ip6 filter6 input \{ type filter hook input priority 0 \; policy drop \; \}
/usr/sbin/nft add chain ip filter4 output \{ type filter hook output priority 0 \; policy accept \; \}
/usr/sbin/nft add chain ip6 filter6 output \{ type filter hook output priority 0 \; policy accept \; \}

# Block undesired stuff.
/usr/sbin/nft add rule ip filter4 input ct state invalid drop
/usr/sbin/nft add rule ip6 filter6 input ct state invalid drop
/usr/sbin/nft add rule ip filter4 input icmp type echo-request drop
/usr/sbin/nft add rule ip6 filter6 input icmpv6 type echo-request drop

# Enable local access and basic connectivity.
/usr/sbin/nft add rule ip filter4 input iif lo accept
/usr/sbin/nft add rule ip6 filter6 input iif lo accept
/usr/sbin/nft add rule ip filter4 input ct state established,related accept
/usr/sbin/nft add rule ip6 filter6 input ct state established,related accept
/usr/sbin/nft add rule ip6 filter6 input icmpv6 type \{ nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert \} accept
/usr/sbin/nft add rule ip6 filter6 output icmpv6 type \{ nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert \} accept
/usr/sbin/nft add rule ip filter4 input ip saddr (Your static local IPv4 address here) ip daddr (Your static local IPv4 address here) accept
/usr/sbin/nft add rule ip6 filter6 input ip6 saddr (Your static public IPv6 address here) ip6 daddr (Your static public IPv6 address here) accept

# Enable Network Time Protocol.
/usr/sbin/nft add rule ip filter4 input udp dport 123 accept
/usr/sbin/nft add rule ip6 filter6 input udp dport 123 accept
/usr/sbin/nft add rule ip filter4 output udp dport 123 accept
/usr/sbin/nft add rule ip6 filter6 output udp dport 123 accept

# Enable your desired network traffic.
/usr/sbin/nft add rule ip filter4 input ip saddr cyberwhite4 accept
/usr/sbin/nft add rule ip6 filter6 input ip6 saddr cyberwhite6 accept

exit 0

# EOF

I would strongly recommend using numeric IP addresses instead of hostnames in this script. Are they using IPv4 or IPv6 for the DDoS attacks?

Signed,

Matthew Campbell
 

