Hello, world!

I'd appreciate your help with the following issue on my Debian 10 with converting the ruleset from iptables to nftables.

I'm using iptables to blacklist incoming packets for a short while. If somebody tries to scan my host, his IP address gets blacklisted for ten minutes. The following rules are in use:

    […]
    iptables -A Enemies -m recent --name psc --update --seconds 600 -j DROP
    iptables -A Enemies -i eth0 -m tcp -p tcp --dport 1:21 -m recent --name psc --set -j PORTSCAN
    iptables -A Enemies -i eth0 -m tcp -p tcp --dport 23:24 -m recent --name psc --set -j PORTSCAN
    iptables -A Enemies -i eth0 -m tcp -p tcp --dport 26:79 -m recent --name psc --set -j PORTSCAN
    […]

(PORTSCAN then simply logs and drops the packet.)

Since Debian uses the iptables command to insert nftables rules, I look at them and get the following:

    root@host:~# nft list ruleset
    […]
    chain Enemies {
        # recent: UPDATE seconds: 600 name: psc side: source mask: 255.255.255.255 counter packets 0 bytes 0 drop
        iifname "eth0" meta l4proto tcp tcp dport 1-21 # recent: SET name: psc side: source mask: 255.255.255.255 counter packets 0 bytes 0 jump PORTSCAN
        iifname "eth0" meta l4proto tcp tcp dport 23-24 # recent: SET name: psc side: source mask: 255.255.255.255 counter packets 0 bytes 0 jump PORTSCAN
        iifname "eth0" meta l4proto tcp tcp dport 26-79 # recent: SET name: psc side: source mask: 255.255.255.255 counter packets 0 bytes 0 jump PORTSCAN
    […]

Obviously, the recent module of iptables is not converted to anything of nftables, and if I dump my ruleset generated by iptables with "nft list ruleset > ruleset", flush iptables, and run the nftables rules (nft -f ruleset), I don't get the functionality of blocking for a while.

Can you please guide me and help me define a rule that blacklists IP addresses trying to open a specific TCP or UDP port (IPv4 and v6) for a defined time?

Thank you very much

Sig
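One way to express the behaviour described in the post above with native nftables sets, as an added example that is not part of the original post. The table name `portscan`, the set names `psc4`/`psc6`, the `input` base chain and the log prefix are assumptions, and the ruleset assumes an nftables release that accepts the `dynamic` set flag.

```nft
# Added example: native replacement for "-m recent --name psc".
# Table, set and base-chain names and the log prefix are assumptions.
table inet portscan {
    # One timed set per address family; entries expire after 10 minutes.
    set psc4 {
        type ipv4_addr
        flags dynamic, timeout
        timeout 10m
    }
    set psc6 {
        type ipv6_addr
        flags dynamic, timeout
        timeout 10m
    }

    # PORTSCAN logs and drops, as described in the post.
    chain PORTSCAN {
        log prefix "PORTSCAN: " drop
    }

    chain Enemies {
        # Counterpart of "--update --seconds 600 -j DROP": a source that is
        # already listed is dropped and its 10-minute timer is restarted.
        ip saddr @psc4 update @psc4 { ip saddr timeout 10m } drop
        ip6 saddr @psc6 update @psc6 { ip6 saddr timeout 10m } drop

        # Counterpart of "--set -j PORTSCAN": list the source, then log and drop.
        # The three iptables port ranges are folded into one anonymous set.
        # A rule for UDP has the same shape with "udp dport".
        iifname "eth0" meta nfproto ipv4 tcp dport { 1-21, 23-24, 26-79 } add @psc4 { ip saddr timeout 10m } jump PORTSCAN
        iifname "eth0" meta nfproto ipv6 tcp dport { 1-21, 23-24, 26-79 } add @psc6 { ip6 saddr timeout 10m } jump PORTSCAN
    }

    # Base chain that sends incoming traffic through Enemies first.
    chain input {
        type filter hook input priority 0; policy accept;
        jump Enemies
    }
}
```

After loading the file with `nft -f`, `nft list set inet portscan psc4` shows the currently listed addresses together with their remaining timeout.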