Hi,
I'm trying to write an nftables rule set that should eventually allow
multiplexing SSH and TLS on TLS port 443. The idea is to match the
"SSH-" string in the TCP payload of the SSH client's first packet of the
connection/handshake to port 443, and then redirect/forward that TCP
connection to port 22, where the actual SSH server is running.
However, I seem unable to get "@ih" expressions to work/match at all -
even when I write two "@ih" expressions that should match the exact
complement of each other, neither of them matches anything. Here's the full
output of "nft list ruleset" after one SSH connection to port 22:
# nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state invalid drop comment "early drop of invalid connections"
        ct state { established, related } accept comment "allow tracked connections"
        iif "lo" accept comment "allow from loopback"
        ip protocol icmp accept comment "allow icmp"
        meta l4proto ipv6-icmp accept comment "allow icmp v6"
        udp dport 51820 accept comment "allow wireguard"
        tcp dport 22 @ih,0,32 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 1 ##### " flags all accept comment "allow SSH- via SSH port"
        tcp dport 22 @ih,0,32 != 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 2 ##### " flags all accept comment "allow SSH- via SSH port"
        tcp dport 22 counter packets 1 bytes 80 log prefix "##### SSH DEBUG 3 ##### " flags all accept comment "allow SSH- via SSH port"
        tcp dport 22 accept comment "allow ssh"
        udp dport 443 accept comment "allow http/3"
        tcp dport 443 @ih,0,32 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 4 ##### " flags all accept comment "allow SSH- via HTTPS port"
        tcp dport 443 @ih,0,32 != 0x5353482d counter packets 0 bytes 0 log prefix "##### SSH DEBUG 5 ##### " flags all accept comment "allow SSH- via HTTPS port"
        tcp dport 443 counter packets 45 bytes 3052 log prefix "##### SSH DEBUG 6 ##### " flags all accept comment "allow SSH- via HTTPS port"
        tcp dport 443 counter packets 0 bytes 0 accept comment "allow https"
        tcp dport 80 accept comment "allow http"
        counter packets 0 bytes 0 continue
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        counter packets 0 bytes 0 continue
    }
}
Note that the incoming SSH connection on port 22 only incremented the
counter for the "SSH DEBUG 3" line, but not the counter for either of the
two preceding lines ("SSH DEBUG 1" and "SSH DEBUG 2"). What am I doing
wrong?
I'm using Arch Linux x86_64 with testing repos enabled, with the
nftables package 1:1.0.9-3 from the Arch repos, and a custom kernel
that's basically the equivalent of linux-hardened 6.9.3-rc1.
Regards
Pascal
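An added example, not from the post above or from the nftables project, of what the "@ih,0,32 0x5353482d" comparison actually inspects: the first four bytes of TCP payload read as a big-endian integer, which equals 0x5353482d exactly when they are the ASCII bytes "SSH-" that open an SSH client's identification string. The helper names are hypothetical and the segment payloads are constructed; a segment that carries no payload at all, such as a connection's SYN, leaves nothing to compare, which the helper reports as None rather than as a match or a non-match.

```python
# Added example: model an nftables-style "@ih,OFFSET,LEN" payload comparison
# and classify the first data-bearing segment of a port-443 connection.
# Helper names are hypothetical; all sample payloads below are constructed.
from typing import List, Optional, Tuple

SSH_MAGIC = 0x5353482D  # big-endian value of the ASCII bytes b"SSH-"


def ih_value(payload: bytes, offset_bits: int, len_bits: int) -> Optional[int]:
    """Return the integer that "@ih,offset,len" would compare against, or
    None when the segment carries too little payload (e.g. a bare SYN)."""
    if offset_bits % 8 or len_bits % 8:
        raise ValueError("this example handles byte-aligned fields only")
    start, nbytes = offset_bits // 8, len_bits // 8
    chunk = payload[start:start + nbytes]
    if len(chunk) < nbytes:
        return None  # nothing to compare: neither == nor != can match
    return int.from_bytes(chunk, "big")


def classify_segment(payload: bytes) -> str:
    """Classify one segment's payload. SSH clients open with an identification
    string "SSH-2.0-..." (RFC 4253); a TLS ClientHello record starts with
    content type 0x16 followed by major version 0x03."""
    if not payload:
        return "no-payload"
    if ih_value(payload, 0, 32) == SSH_MAGIC:
        return "ssh"
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    return "other"


def first_data_classification(segments: List[Tuple[str, bytes]]) -> Tuple[int, str]:
    """Walk a connection's segments in arrival order and return the index and
    class of the first one that carries payload; (-1, "none") if none does."""
    for idx, (_flags, payload) in enumerate(segments):
        verdict = classify_segment(payload)
        if verdict != "no-payload":
            return idx, verdict
    return -1, "none"


# Constructed sample: the client's segments as seen by the input hook.
# Only the third segment carries data; the SYN and the handshake ACK do not.
SAMPLE_SSH_CONNECTION = [
    ("SYN", b""),
    ("ACK", b""),
    ("PSH/ACK", b"SSH-2.0-OpenSSH_9.7\r\n"),
]
```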