Hello,

On a fresh installation of Debian Bullseye/Sid minimal server, nftables gets exited right away upon "system boot" or "systemctl restart".

So far the Debian server has: (1) SSH Server, (2) Unbound DNS Resolver, and (3) Pi-hole Ad-blocking installed. There are no Docker or any other containers installed on the server.

Even after going through numerous forum pages, I still couldn't figure out why nftables exits immediately. Though I was able to put together quite a few troubleshooting commands from these forum pages.

Below is a list of troubleshooting commands I have run so far (in the order they are run), and their detailed output is further down.

Note: My earlier emails were not going through, so I have created this Paste too: pastebin dot com / ftryh9sF

Please let me know what's missing from my setup. Any help is greatly appreciated.

Many thanks,
- Jags

List of commands I've run to troubleshoot:

hostnamectl
uname -a
cat /etc/debian_version
apt-cache policy nftables
systemctl status nftables
sudo systemctl restart nftables
systemctl status nftables
sudo journalctl | grep nft
sudo nft list tables
sudo nano /etc/nftables.conf
systemctl status systemd-modules-load.service
lsmod | grep '^nf'
sudo journalctl -xe
ls -l /usr/lib/modules/$(uname -r)/kernel/net/netfilter | grep nft
sudo modprobe -r ip_tables
sudo dmesg | grep ip_tables
sudo lsmod | grep ip_tables
sudo modinfo ip_tables
sudo modinfo x_tables

Output of commands mentioned in the list above:

admn@debpi:~$ hostnamectl
   Static hostname: debpi
         Icon name: computer-vm
           Chassis: vm
        Machine ID: a93cff9bb8574fa5959ff5655de23c3f
           Boot ID: 0b7041a38abd46ae8e2053d9a61aa7d6
    Virtualization: oracle
  Operating System: Debian GNU/Linux bullseye/sid
            Kernel: Linux 5.2.0-2-amd64
      Architecture: x86-64
admn@debpi:~$
admn@debpi:~$ cat /etc/debian_version
bullseye/sid
admn@debpi:~$
admn@debpi:~$ uname -a
Linux debpi 5.2.0-2-amd64 #1 SMP Debian 5.2.9-2 (2019-08-21) x86_64 GNU/Linux
admn@debpi:~$
admn@debpi:~$ apt-cache policy nftables
nftables:
  Installed: 0.9.2-1
  Candidate: 0.9.2-1
  Version table:
 *** 0.9.2-1 500
        500 ftp us debian org / debian testing/main amd64 Packages
        500 ftp us debian org /debian unstable/main amd64 Packages
        100 /var/lib/dpkg/status
admn@debpi:~$
admn@debpi:~$ systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2019-09-03 19:20:18 PDT; 19min ago
     Docs: man:nft(8)
           wiki nftables org
  Process: 2224 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 2224 (code=exited, status=0/SUCCESS)
admn@debpi:~$
admn@debpi:~$ sudo systemctl restart nftables
admn@debpi:~$
admn@debpi:~$ systemctl status nftables
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: active (exited) since Tue 2019-09-03 19:40:04 PDT; 6s ago
     Docs: man:nft(8)
           wiki nftables org
  Process: 2370 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 2370 (code=exited, status=0/SUCCESS)
admn@debpi:~$
admn@debpi:~$ sudo journalctl | grep nft
Sep 03 19:20:18 debpi systemd[1]: Stopping nftables...
Sep 03 19:20:18 debpi systemd[1]: nftables.service: Succeeded.
Sep 03 19:20:18 debpi systemd[1]: Stopped nftables.
Sep 03 19:20:18 debpi systemd[1]: Starting nftables...
Sep 03 19:20:18 debpi systemd[1]: Started nftables.
Sep 03 19:40:04 debpi sudo[2366]: admn : TTY=pts/0 ; PWD=/home/admn ; USER=root ; COMMAND=/usr/bin/systemctl restart nftables
Sep 03 19:40:04 debpi systemd[1]: Stopping nftables...
Sep 03 19:40:04 debpi systemd[1]: nftables.service: Succeeded.
Sep 03 19:40:04 debpi systemd[1]: Stopped nftables.
Sep 03 19:40:04 debpi systemd[1]: Starting nftables...
Sep 03 19:40:04 debpi systemd[1]: Started nftables.
Sep 03 19:43:15 debpi sudo[2375]: admn : TTY=pts/0 ; PWD=/home/admn ; USER=root ; COMMAND=/usr/sbin/nft list tables
Sep 03 19:45:31 debpi sudo[2379]: admn : TTY=pts/0 ; PWD=/home/admn ; USER=root ; COMMAND=/usr/bin/nano /etc/nftables.conf
admn@debpi:~$ $ sudo nft list tables
table inet filter
admn@debpi:~$
admn@debpi:~$ sudo nano /etc/nftables.conf

### /etc/nftables.conf ###
#!/usr/sbin/nft -f

#clears the previous ruleset
flush ruleset

table inet filter {
    #This defines a chain with the name input. You can use any name you prefer.
    chain input {
        #The type statement tells nftables our chain will be of type filter (filtering packets).
        #It will filter incoming packets. We also set a priority of zero.
        type filter hook input priority 0; policy drop;

        #Allow loopback. Packets from the loopback interface are generally safe, so accept everything coming from there.
        iifname lo accept

        # change to your own ssh port if not using default
        #tcp dport 22 ct state new accept
        ip saddr 192.168.73.0/24 tcp dport 22 counter accept
        ct state established,related accept

        # early drop of invalid connections
        ct state invalid drop

        # ICMP & IGMP
        ip saddr 192.168.73.0/24 icmp type echo-request counter accept
        icmp type echo-request counter drop
        #ip protocol icmp drop
        ip protocol igmp drop

        # avoid brute force on ssh, and your ssh port here
        tcp dport 22 ct state new limit rate 15/minute accept # change to your own ssh port

        # DNS for internal network
        ip saddr 192.168.73.0/24 udp dport 53 counter accept
        ip saddr 192.168.73.0/24 tcp dport 53 counter accept

        # DNS for internal network
        ip saddr 192.168.73.0/24 udp dport 5353 counter accept
        ip saddr 192.168.73.0/24 tcp dport 5353 counter accept

        # Pi-hole
        ip saddr 192.168.73.0/24 tcp dport 80 counter accept

        # Additional ports you want to allow
        #tcp dport { xxx, yyy} ct state established,new accept
        #udp dport { xxx, yyy} ct state established,new accept

        # everything else
        reject with icmpx type port-unreachable

        # uncomment to enable log, choose one
        log flags all counter drop
        log prefix "[nftables] Input Denied: " flags all counter drop
    }
}
### /etc/nftables.conf ###

admn@debpi:~$
admn@debpi:~$ systemctl status systemd-modules-load.service
● systemd-modules-load.service - Load Kernel Modules
   Loaded: loaded (/lib/systemd/system/systemd-modules-load.service; static; vendor preset: enabled)
   Active: active (exited) since Tue 2019-09-03 18:39:17 PDT; 59min ago
     Docs: man:systemd-modules-load.service(8)
           man:modules-load.d(5)
  Process: 218 ExecStart=/lib/systemd/systemd-modules-load (code=exited, status=0/SUCCESS)
 Main PID: 218 (code=exited, status=0/SUCCESS)
admn@debpi:~$
admn@debpi:~$ lsmod | grep '^nf'
nf_log_ipv6            16384  2
nf_log_ipv4            16384  2
nf_log_common          16384  2 nf_log_ipv4,nf_log_ipv6
nft_log                16384  2
nft_reject_inet        16384  1
nf_reject_ipv4         16384  1 nft_reject_inet
nf_reject_ipv6         20480  1 nft_reject_inet
nft_reject             16384  1 nft_reject_inet
nft_limit              16384  1
nft_ct                 20480  3
nf_conntrack          159744  1 nft_ct
nf_defrag_ipv6         24576  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
nft_counter            16384  10
nf_tables             159744  106 nft_ct,nft_log,nft_reject_inet,nft_counter,nft_limit,nft_reject
nfnetlink              16384  1 nf_tables
admn@debpi:~$
admn@debpi:~$ sudo journalctl -xe
[sudo] password for admn:
-- A stop job for unit nftables.service has begun execution.
--
-- The job identifier is 699.
Sep 03 19:20:18 debpi systemd[1]: nftables.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: debian org / support
--
-- The unit nftables.service has successfully entered the 'dead' state.
Sep 03 19:20:18 debpi systemd[1]: Stopped nftables.
-- Subject: A stop job for unit nftables.service has finished
-- Defined-By: systemd
-- Support: debian org / support
--
-- A stop job for unit nftables.service has finished.
--
-- The job identifier is 699 and the job result is done.
Sep 03 19:20:18 debpi systemd[1]: Starting nftables...
-- Subject: A start job for unit nftables.service has begun execution
-- Defined-By: systemd
-- Support: debian org / support
--
-- A start job for unit nftables.service has begun execution.
--
-- The job identifier is 699.
Sep 03 19:20:18 debpi systemd[1]: Started nftables.
-- Subject: A start job for unit nftables.service has finished successfully
-- Defined-By: systemd
-- Support: debian org / support
--
-- A start job for unit nftables.service has finished successfully.
--
-- The job identifier is 699.
Sep 03 19:26:01 debpi CRON[2236]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 03 19:26:01 debpi CRON[2237]: (root) CMD ( PATH="$PATH:/usr/local/bin/" pihole updatechecker remote)
Sep 03 19:26:04 debpi CRON[2236]: pam_unix(cron:session): session closed for user root
Sep 03 19:30:01 debpi CRON[2259]: pam_unix(cron:session): session opened for user root by (uid=0)
Sep 03 19:30:01 debpi CRON[2260]: (root) CMD ( PATH="$PATH:/usr/local/bin/" pihole updatechecker local)
Sep 03 19:30:01 debpi CRON[2259]: pam_unix(cron:session): session closed for user root
Sep 03 19:30:34 debpi su[2187]: pam_unix(su:session): session closed for user root
Sep 03 19:30:34 debpi sudo[2186]: pam_unix(sudo:session): session closed for user root
Sep 03 19:31:12 debpi dhclient[419]: DHCPREQUEST for 192.168.73.46 on enp0s3 to 192.168.73.246 port 67
Sep 03 19:31:12 debpi dhclient[419]: DHCPACK of 192.168.73.46 from 192.168.73.246
Sep 03 19:31:12 debpi dhclient[419]: bound to 192.168.73.46 -- renewal in 1310 seconds.
Sep 03 19:31:47 debpi sudo[2289]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Sep 03 19:31:52 debpi sudo[2289]: pam_unix(sudo:auth): Couldn't open /etc/securetty: No such file or directory
Sep 03 19:31:52 debpi sudo[2289]: admn : TTY=pts/0 ; PWD=/home/admn ; USER=root ; COMMAND=/usr/bin/journalctl -xe
Sep 03 19:31:52 debpi sudo[2289]: pam_unix(sudo:session): session opened for user root by admn(uid=0)
lines 1522-1569/1569 (END)
admn@debpi:~$
admn@debpi:~$ ls -l /usr/lib/modules/$(uname -r)/kernel/net/netfilter | grep nft
-rw-r--r-- 1 root root  9164 Aug 21 05:48 nft_chain_nat.ko
-rw-r--r-- 1 root root 28508 Aug 21 05:48 nft_compat.ko
-rw-r--r-- 1 root root 14060 Aug 21 05:48 nft_connlimit.ko
-rw-r--r-- 1 root root 13868 Aug 21 05:48 nft_counter.ko
-rw-r--r-- 1 root root 31508 Aug 21 05:48 nft_ct.ko
-rw-r--r-- 1 root root  7796 Aug 21 05:48 nft_dup_netdev.ko
-rw-r--r-- 1 root root  7692 Aug 21 05:48 nft_fib_inet.ko
-rw-r--r-- 1 root root  9668 Aug 21 05:48 nft_fib.ko
-rw-r--r-- 1 root root  7708 Aug 21 05:48 nft_fib_netdev.ko
-rw-r--r-- 1 root root 12052 Aug 21 05:48 nft_flow_offload.ko
-rw-r--r-- 1 root root 11388 Aug 21 05:48 nft_fwd_netdev.ko
-rw-r--r-- 1 root root 12780 Aug 21 05:48 nft_hash.ko
-rw-r--r-- 1 root root 15428 Aug 21 05:48 nft_limit.ko
-rw-r--r-- 1 root root 13820 Aug 21 05:48 nft_log.ko
-rw-r--r-- 1 root root 14036 Aug 21 05:48 nft_masq.ko
-rw-r--r-- 1 root root 12748 Aug 21 05:48 nft_nat.ko
-rw-r--r-- 1 root root 12404 Aug 21 05:48 nft_numgen.ko
-rw-r--r-- 1 root root 12796 Aug 21 05:48 nft_objref.ko
-rw-r--r-- 1 root root 10396 Aug 21 05:48 nft_osf.ko
-rw-r--r-- 1 root root 12420 Aug 21 05:48 nft_queue.ko
-rw-r--r-- 1 root root 11404 Aug 21 05:48 nft_quota.ko
-rw-r--r-- 1 root root 13604 Aug 21 05:48 nft_redir.ko
-rw-r--r-- 1 root root  9300 Aug 21 05:48 nft_reject_inet.ko
-rw-r--r-- 1 root root  8764 Aug 21 05:48 nft_reject.ko
-rw-r--r-- 1 root root 10804 Aug 21 05:48 nft_socket.ko
-rw-r--r-- 1 root root 12732 Aug 21 05:48 nft_tproxy.ko
-rw-r--r-- 1 root root 17836 Aug 21 05:48 nft_tunnel.ko
admn@debpi:~$
admn@debpi:~$ sudo modprobe -r ip_tables
admn@debpi:~$
admn@debpi:~$ sudo dmesg | grep ip_tables
admn@debpi:~$
admn@debpi:~$ sudo lsmod | grep ip_tables
admn@debpi:~$
admn@debpi:~$ sudo modinfo ip_tables
filename:       /lib/modules/5.2.0-2-amd64/kernel/net/ipv4/netfilter/ip_tables.ko
alias:          ipt_icmp
description:    IPv4 packet filter
author:         Netfilter Core Team <coreteam @ netfilter . org>
license:        GPL
depends:        x_tables
retpoline:      Y
intree:         Y
name:           ip_tables
vermagic:       5.2.0-2-amd64 SMP mod_unload modversions
sig_id:         PKCS#7
signer:         Debian Secure Boot CA
sig_key:        A7:46:8D:EF
sig_hashalgo:   sha256
signature:      11:65:DD:F3:BC ..... 47:92:33:EA:08
admn@debpi:~$
admn@debpi:~$ sudo modinfo x_tables
filename:       /lib/modules/5.2.0-2-amd64/kernel/net/netfilter/x_tables.ko
description:    {ip,ip6,arp,eb}_tables backend module
author:         Harald Welte < laforge @ netfilter . org>
license:        GPL
depends:
retpoline:      Y
intree:         Y
name:           x_tables
vermagic:       5.2.0-2-amd64 SMP mod_unload modversions
sig_id:         PKCS#7
signer:         Debian Secure Boot CA
sig_key:        A7:46:8D:EF
sig_hashalgo:   sha256
signature:      25:D4:CD:EF:DD ..... 4F:8C:AB:8D:8D
admn@debpi:~$

===== xxxxx =====
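
Added example, not part of the original post: a small shell check that reads the two views shown above, the unit state from `systemctl status nftables` and the kernel's tables from `nft list tables`, and reports whether a ruleset is actually loaded. The function names, verdict strings and `--live` switch are assumptions of this example; the sample input is copied from the output in the post.

```shell
#!/bin/sh
# Constructed sample input, copied from the `systemctl status nftables` and
# `nft list tables` output in the post above.
SAMPLE_STATUS='   Active: active (exited) since Tue 2019-09-03 19:40:04 PDT; 6s ago
  Process: 2370 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)'
SAMPLE_TABLES='table inet filter'

# loader_result STATUS_TEXT -> ok | failed | unknown
# The unit runs `nft -f` once and exits, so a clean load reads "active (exited)".
loader_result() {
    if printf '%s\n' "$1" | grep -q 'Active: active (exited)' &&
       printf '%s\n' "$1" | grep -q 'ExecStart=.*status=0/SUCCESS'; then
        echo ok
    elif printf '%s\n' "$1" | grep -Eq 'Active: failed|status=[1-9]'; then
        echo failed
    else
        echo unknown
    fi
}

# table_count TABLES_TEXT -> number of tables present in the kernel ruleset
table_count() {
    # grep -c exits 1 on zero matches; "|| true" keeps this safe under set -e
    printf '%s\n' "$1" | grep -c '^table ' || true
}

# verdict STATUS_TEXT TABLES_TEXT -> one-word assessment of both views
verdict() {
    res=$(loader_result "$1")
    n=$(table_count "$2")
    case "$res:$n" in
        ok:0)     echo loaded-but-empty ;;
        ok:*)     echo ruleset-active ;;
        failed:*) echo load-failed ;;
        *)        echo inconclusive ;;
    esac
}

# --live reads the real host (nft needs root); default uses the sample above.
if [ "${1:-}" = "--live" ]; then
    verdict "$(systemctl status nftables 2>&1)" "$(nft list tables 2>&1)"
else
    verdict "$SAMPLE_STATUS" "$SAMPLE_TABLES"
fi
```
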