On Fri, 27 Apr 2018, rypervenche wrote:
Hello Yves,
Thank you for your configuration. I looked over it and see that you are
indeed using the "timeout 0s" to achieve what I was looking to achieve.
It seems that when I create a rule to do this, the "timeout 0s" simply
gets removed. I even copied your entire config and started my nftables
with it and as you can see below, all of the places where "timeout 0s"
was present in your config, it no longer exists in the actual running
configuration. I simply cleared nftables of all rules, then ran "nft -f
/path/to/your/config/file" and then "nft list ruleset -nn" and below is
the result.

Oh, you are right! And I did not notice! I guess a simple solution,
although less satisfying, is to replace 0 with 1... I suppose this is the
smallest we can write above 0. IMO, this is a bug from nft.
Thanks for notifying me! Cheers,
Yves.

Does yours show this as well? When I tested it, any "set update" would
simply restart the timeout to 1m. Is your configuration doing this as
well?
I'm on kernel 4.14.35 and nftables version 0.8.3 in Gentoo.
=================================================
table ip Inet4 {
    set Knocked_1 {
        type ipv4_addr
        timeout 10s
        gc-interval 4s
    }
    set Knocked_2 {
        type ipv4_addr
        timeout 10s
        gc-interval 4s
    }
    set Knocked_3 {
        type ipv4_addr
        timeout 10s
        gc-interval 4s
    }
    set Knocked_4 {
        type ipv4_addr
        timeout 2m
        gc-interval 4s
    }
    chain Knock_1 {
        set add ip saddr @Knocked_1
    }
    chain Unknock_1 {
        set update ip saddr @Knocked_1
    }
    chain Knock_2 {
        set update ip saddr @Knocked_1
        set add ip saddr @Knocked_2
    }
    chain Unknock_2 {
        set update ip saddr @Knocked_2
    }
    chain Knock_3 {
        set update ip saddr @Knocked_2
        set add ip saddr @Knocked_3
    }
    chain Unknock_3 {
        set update ip saddr @Knocked_3
    }
    chain Knock_4 {
        set update ip saddr @Knocked_3
        set add ip saddr @Knocked_4 log prefix "Port-Knock accepted: "
    }
    chain RefreshKnock {
        set update ip saddr timeout 2m @Knocked_4
    }
    chain PortKnock {
        ct state new ip saddr @Knocked_4 goto RefreshKnock
        tcp dport 456 ct state new ip saddr @Knocked_3 goto Knock_4
        tcp dport 345 ct state new ip saddr @Knocked_3 return
        ip saddr @Knocked_3 ct state new goto Unknock_3
        tcp dport 345 ct state new ip saddr @Knocked_2 goto Knock_3
        tcp dport 234 ct state new ip saddr @Knocked_2 return
        ip saddr @Knocked_2 ct state new goto Unknock_2
        tcp dport 234 ct state new ip saddr @Knocked_1 goto Knock_2
        tcp dport 123 ct state new ip saddr @Knocked_1 return
        ip saddr @Knocked_1 ct state new goto Unknock_1
        tcp dport 123 ct state new goto Knock_1
    }
    chain FilterIn {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iif "lo" accept
        ip protocol icmp accept
        jump PortKnock
    }
    chain FilterOut {
        type filter hook output priority 0; policy accept;
    }
}
=================================================
On Fri, Apr 27, 2018 at 08:50:11AM +0200, nft.ml@xxxxxxxx wrote:
Hi rypervenche,
I have a working port-knocking nft firewall with this setup:
http://yalis.fr/public/knock_nftables.conf
In this example, the ports to knock are 123 234 345 456.
I hope this helps. Cheers,
Yves.
On Thu, 26 Apr 2018, rypervenche wrote:
Hello,
I'm looking to set up something of a port knocker in nftables. While I
can do this with sets with timeouts, I also would like the flexibility
to be able to remove an IP from one of said sets if the next packet that
gets sent from the source address is not the port in the specific order
I have chosen. This way port scanners would not be able to bruteforce all
of the ports within the timeout that I have chosen.
Would it be possible to request the addition of a "delete" operation to
the following feature? https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path
If this is not possible, would it be possible to use the "update"
operation to set the timeout to "0s" and this have it immediately delete
the element in question? Currently trying to update the element with the
timeout 0s does not update the timeout, however non-zero timeouts do
work.
While my syntax is likely not correct here, this is essentially the idea
in mind:
table inet filter {
    set knock1 { type ipv4_addr; timeout 5s; }
    set knock2 { type ipv4_addr; timeout 5s; }
    set knock3 { type ipv4_addr; timeout 5s; }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ... cut for space ...
        meta nfproto ipv4 counter packets 0 bytes 0 jump knock
        meta l4proto tcp counter packets 0 bytes 0 reject with tcp reset
        meta nfproto ipv4 counter packets 0 bytes 0 reject with icmp type prot-unreachable
        counter packets 0 bytes 0 reject
    }
    chain knock {
        tcp dport 1111 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock1 reject
        tcp dport != 2222 ip saddr @knock1 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock1
        tcp dport 2222 ip saddr @knock1 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock2 reject
        tcp dport != 3333 ip saddr @knock2 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock2
        tcp dport 3333 ip saddr @knock2 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 set add ip saddr @knock3 reject
        tcp dport != 4444 ip saddr @knock3 counter packets 0 bytes 0 set update ip saddr timeout 0s @knock3
        tcp dport 4444 ip saddr @knock3 ct state new tcp flags & (syn|rst|ack|fin) == syn counter packets 0 bytes 0 accept
    }
}
Any and all help with this would be greatly appreciated.
Thank you,
rypervenche
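The point of the thread is whether the "unknock" step actually removes a source from the stage set, because a sequential port scanner that hits every port within the stage timeout would otherwise walk the sequence by accident. The following is an added example, not code from the thread, from Yves' ruleset or from nftables itself: a pure-Python model of dynamic sets with per-element timeouts and of the PortKnock chain logic in the listing above, replayed against a legitimate knocker and against a constructed sequential scanner. It is written so the three cases under discussion can be compared without root or a kernel: the listing as it ran (the per-element "timeout 0s" dropped, so Unknock_* re-arms the full 10s), Yves' proposed "timeout 1s", and an honoured "timeout 0s" (an immediate delete). The knock sequence 123 234 345 456 and the 10s/2m set timeouts come from the thread; the source addresses, the scan rates and the assumption that a source in Knocked_4 can reach the protected service are constructed for the example.

```python
"""Model of the nftables port-knocking state machine discussed in the thread.

Added example: not code from the thread, from Yves' ruleset or from nftables.
Sequence and set timeouts follow the listing; addresses and scan rates are
constructed inputs.
"""

KNOCK_PORTS = (123, 234, 345, 456)   # knock sequence used in the thread
STAGE_TIMEOUT = 10.0                 # Knocked_1..3 'timeout 10s' in the listing
OPEN_TIMEOUT = 120.0                 # Knocked_4 'timeout 2m'


class TimedSet:
    """A dynamic set whose elements expire, like an nft set with 'timeout'."""

    def __init__(self, default_timeout):
        self.default_timeout = default_timeout
        self.expires = {}            # element -> absolute expiry time

    def contains(self, elem, now):
        exp = self.expires.get(elem)
        if exp is None:
            return False
        if exp <= now:               # expired: garbage-collect on lookup
            del self.expires[elem]
            return False
        return True

    def add(self, elem, now):
        """'set add': insert if absent; an existing element keeps its timer."""
        if not self.contains(elem, now):
            self.expires[elem] = now + self.default_timeout

    def update(self, elem, now, timeout=None):
        """'set update': insert or re-arm the timer; without a per-element
        timeout the set default applies (what the listing shows after the
        'timeout 0s' was dropped)."""
        ttl = self.default_timeout if timeout is None else timeout
        self.expires[elem] = now + ttl


class KnockFirewall:
    """PortKnock chain from the listing, for 'ct state new' packets only:
    advance on the next port of the sequence, ignore a repeat of the current
    stage's port, and 'unknock' (re-arm the stage entry with reset_timeout)
    on any other port.  reset_timeout=None models the listing as it ran,
    1.0 models Yves' replacement for 0, 0.0 models an honoured 'timeout 0s'."""

    def __init__(self, reset_timeout=None):
        self.reset_timeout = reset_timeout
        self.stages = [TimedSet(STAGE_TIMEOUT) for _ in range(3)]
        self.opened = TimedSet(OPEN_TIMEOUT)      # Knocked_4

    def new_connection(self, src, dport, now):
        """Return the knock state of src after this packet."""
        if self.opened.contains(src, now):        # RefreshKnock
            self.opened.update(src, now)
            return "open"
        for i in (2, 1, 0):                       # rules test Knocked_3 first
            stage = self.stages[i]
            if not stage.contains(src, now):
                continue
            if dport == KNOCK_PORTS[i + 1]:       # Knock_{i+2}
                stage.update(src, now, self.reset_timeout)
                if i == 2:
                    self.opened.add(src, now)
                    return "open"
                self.stages[i + 1].add(src, now)
                return "knock%d" % (i + 2)
            if dport == KNOCK_PORTS[i]:           # repeat of current knock: 'return'
                return "drop"
            stage.update(src, now, self.reset_timeout)   # Unknock_{i+1}
            return "drop"
        if dport == KNOCK_PORTS[0]:               # Knock_1
            self.stages[0].add(src, now)
            return "knock1"
        return "drop"


def legit_knock(fw, src, gap=2.0):
    """Constructed client: the four knocks 'gap' seconds apart.
    Returns whether src ended up in Knocked_4."""
    now = 0.0
    for port in KNOCK_PORTS:
        fw.new_connection(src, port, now)
        now += gap
    return fw.opened.contains(src, now)


def sequential_scan(fw, src, rate_pps, last_port=1024):
    """Constructed attacker: one new connection per port, 1..last_port in
    order, at rate_pps packets per second.  Returns whether the scan alone
    got src into Knocked_4."""
    now = 0.0
    for port in range(1, last_port + 1):
        fw.new_connection(src, port, now)
        now += 1.0 / rate_pps
    return fw.opened.contains(src, now)


if __name__ == "__main__":
    for label, reset in (("listing, 0s dropped", None), ("timeout 1s", 1.0),
                         ("timeout 0s honoured", 0.0)):
        fast = sequential_scan(KnockFirewall(reset), "198.51.100.9", 20)
        slow = sequential_scan(KnockFirewall(reset), "198.51.100.9", 0.5)
        print("%-20s scan at 20 pps opens: %-5s  at 0.5 pps opens: %s"
              % (label, fast, slow))
```

The model shows the caveat a practitioner would want before adopting the "replace 0 with 1" workaround: a scanner that sends faster than once per second re-arms the 1s entry with every wrong port and still walks the sequence, exactly as it does against the listing where Unknock_* refreshes the full 10s; only a scanner slower than the reset timeout, or a real delete, is thrown out. The timeout used in the unknock rule therefore has to be shorter than the gap between an attacker's packets, which is not something a fixed value guarantees. Whatever value is chosen, the check rypervenche made is the one to repeat after loading the ruleset: run nft list ruleset and confirm the per-element timeout on the update rule survived.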
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html