Am 2018-06-01 um 20:30 schrieb Arturo Borrero Gonzalez:
>> I tipped in every letter one by one at the
>> command line manually. no way.
>> after fiddling around I came across if I rename
>> my »table ip filter« into »table inet filter«
>> it works. still wondering I need
>> to use inet because I try to avoid ipv6.
>
> So, it was a misconfiguration.
> You aren't tied to the inet family. The example I sent you (from my
> laptop) uses the ip family.
>
>> BUT now var-definitions not working anymore.
>
> I can't help in debugging without seeing the complete ruleset.
> But I would say: please, double check the syntax.
first of all, thank you arturo for your efforts!
now I have already solved the problems by reinstalling
nftables and libnfnl from source because during an
unattended
kernelupdate I automatically screwed back to nftable version
0.5 tied to my distribution (ubuntu).
have overseen this, sorry.
but:
chain filter{
type filter hook ingress device $nic_int priority -400;
...
}
results in:
In file included from bastion-ruleset.nft:10:10-48:
./bastion-bridge-ingress.nft:3:41-41: Error: syntax error, unexpected
'$', expecting string
type filter hook ingress device $nic_int priority -400;
by hardcoding eth0 into the line above
current ruleset is the following:
% nft list ruleset
table ip mangle {
chain prerouting {
type filter hook prerouting priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain input {
type filter hook input priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain output {
type filter hook output priority 0; policy drop;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain postrouting {
type filter hook postrouting priority 0; policy drop;
oifname "lxdbr0" udp dport bootpc ip checksum 68 accept
counter packets 0 bytes 0 comment "count accepted packets"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy drop;
dnat to tcp dport map { 4711 : 10.81.5.7, 30118 : 10.81.5.1 }:tcp
dport map { domain : domain, http : http, 30118 : openvpn }
counter packets 0 bytes 0 comment "count dropped packets"
}
chain input {
type nat hook input priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain output {
type nat hook output priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain postrouting {
type nat hook postrouting priority 0; policy accept % nft list ruleset
table ip mangle {
chain prerouting {
type filter hook prerouting priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain input {
type filter hook input priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain output {
type filter hook output priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain postrouting {
type filter hook postrouting priority 0; policy accept;
oifname "lxdbr0" udp dport bootpc ip checksum 68 accept
counter packets 0 bytes 0 comment "count accepted packets"
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100; policy drop;
dnat to tcp dport map { 4711 : 10.81.5.7, 30118 : 10.81.5.1 }:tcp
dport map { domain : domain, http : http, 30118 : openvpn }
counter packets 0 bytes 0 comment "count dropped packets"
}
chain input {
type nat hook input priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain output {
type nat hook output priority 0; policy accept;
counter packets 0 bytes 0 comment "count accepted packets"
}
chain postrouting {
type nat hook postrouting priority 0; policy accept;
ip saddr 10.27.69.0/24 ip daddr != 10.27.69.0/24 masquerade
counter packets 0 bytes 0 comment "count accepted packets"
}
}
table ip filter {
set lxdIPs {
type ipv4_addr
elements = { 10.27.69.39, 10.27.69.61 }
}
chain global {
ct state established,related accept
ct state invalid drop
ip protocol icmp accept
udp dport domain accept
}
chain dmz_in {
ip saddr @lxdIPs
}
chain dmz_out {
}
chain forward {
type filter hook forward priority 0; policy drop;
jump global
oifname vmap { "br1" : jump dmz_in }
oifname "eth0" iifname vmap { "br1" : jump dmz_out }
}
chain input {
type filter hook input priority 0; policy drop;
jump global
iifname "lxdbr0" tcp dport domain accept
iifname "lxdbr0" udp dport domain accept
iifname "lxdbr0" udp dport bootps accept
udp dport 30118 accept
counter packets 0 bytes 0 drop
}
chain output {
type filter hook output priority 0; policy drop;
jump global
oifname "lxdbr0" tcp sport domain accept
oifname "lxdbr0" udp sport domain accept
oifname "lxdbr0" udp sport bootps accept
counter packets 0 bytes 0 drop
}
}
table bridge filter {
}
table netdev filter {
set blacklist {
type ipv4_addr
flags interval
elements = { 37.49.225.0/24, 159.65.160.121,
172.16.0.0/16, 192.0.2.0/24,
200.66.112.0/20 }
}
chain filter {
type filter hook ingress device eth0 priority -400; policy accept;
icmp type echo-request limit rate over 10/second drop
icmp type echo-request limit rate over 10/second drop
ip saddr @blacklist counter packets 0 bytes 0 drop
tcp dport ssh limit rate 15/minute accept
}
}
;
ip saddr 10.27.69.0/24 ip daddr != 10.27.69.0/24 masquerade
counter packets 0 bytes 0 comment "count accepted packets"
}
}
table ip filter {
set lxdIPs {
type ipv4_addr
elements = { 10.27.69.39, 10.27.69.61 }
}
chain global {
ct state established,related accept
ct state invalid drop
ip protocol icmp accept
udp dport domain accept
}
chain dmz_in {
ip saddr @lxdIPs
}
chain dmz_out {
}
chain forward {
type filter hook forward priority 0; policy drop;
jump global
oifname vmap { "br1" : jump dmz_in }
oifname "eth0" iifname vmap { "br1" : jump dmz_out }
}
chain input {
type filter hook input priority 0; policy drop;
jump global
iifname "lxdbr0" tcp dport domain accept
iifname "lxdbr0" udp dport domain accept
iifname "lxdbr0" udp dport bootps accept
udp dport 30118 accept
counter packets 0 bytes 0 drop
}
chain output {
type filter hook output priority 0; policy drop;
jump global
oifname "lxdbr0" tcp sport domain accept
oifname "lxdbr0" udp sport domain accept
oifname "lxdbr0" udp sport bootps accept
counter packets 0 bytes 0 drop
}
}
table bridge filter {
}
table netdev filter {
set blacklist {
type ipv4_addr
flags interval
elements = { 37.49.225.0/24, 159.65.160.121,
172.16.0.0/16, 192.0.2.0/24,
200.66.112.0/20 }
}
chain filter {
type filter hook ingress device eth0 priority -400; policy accept;
icmp type echo-request limit rate over 10/second drop
icmp type echo-request limit rate over 10/second drop
ip saddr @blacklist counter packets 0 bytes 0 drop
tcp dport ssh limit rate 15/minute accept
}
}
cheers
karl
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
