Hi
For some time now, (2 yrs?) my iptables rules haven't worked. For more
than 5 yrs nftables is supposed to supersede iptables, so I installed
it and have been trying to set up the config file. Unfortunately I
haven't been entirely successful.
The following nftables.conf works but is not complete:
#!/usr/sbin/nft -f
flush ruleset

# List all IPs and IP ranges of your traffic filtering proxy source.
#define SAFE_TRAFFIC_IPS = {
#    x.x.x.x/xx,
#    x.x.x.x/xx,
#    x.x.x.x,
#    x.x.x.x
#}

table inet firewall {
    chain inbound {
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets.
        ct state established,related accept

        # Drop invalid packets.
        ct state invalid drop

        # Allow loopback traffic.
        iifname lo accept

        # Allow SSH on port 22.
        tcp dport 22 accept

        # Allow HTTP(S).
        # -- From anywhere
        tcp dport { http, https } accept
        udp dport { http, https } accept
        # -- From approved IP ranges only
        # tcp dport { http, https } ip saddr $SAFE_TRAFFIC_IPS accept
        # udp dport { http, https } ip saddr $SAFE_TRAFFIC_IPS accept

        # Uncomment to allow incoming traffic on other ports.
        # -- Allow nodejs traffic on port 3000
        tcp dport 3000 accept

        # Uncomment to enable logging of denied inbound traffic
        # log prefix "[nftables] Inbound Denied: " flags all counter drop
    }

    chain forward {
        # Drop everything (assumes this device is not a router)
        type filter hook forward priority 0; policy drop;

        # Uncomment to enable logging of denied forwards
        # log prefix "[nftables] Forward Denied: " flags all counter drop
    }

    chain outbound {
        # Allow all outbound traffic
        type filter hook output priority 0; policy accept;
    }
}
After the line:
iifname lo accept
I wanted to include a line to allow icmp traffic (e.g. ping) but to
restrict the rate to 1 per second. I tried this line:
    ip protocol icmp icmp type echo-request limit rate 1/second accept
systemctl start nftables complains that this line cannot be processed
with the message:
    /etc/nftables.conf:33:9-74: Error: Could not process rule: No such file or directory
    ip protocol icmp icmp type echo-request limit rate 1/second accept
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    nftables.service: Main process exited, code=exited, status=1/FAILURE
I assume this is because I haven't uncommented the correct option in
the kernel. So finally to my question:
Does anyone know which kernel option will process this line?
Apologies for the prolixity.
jb.
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
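An added example, not part of the post above or of BLFS: a small POSIX shell check that reads a kernel .config and reports which nftables Kconfig symbols the posted ruleset relies on are not built in or as modules. Which symbols a given rule needs is an assumption made here (the limit rate rule maps to the NFT_LIMIT expression, ct state to NFT_CT and NF_CONNTRACK, the inet table to NF_TABLES_INET, the commented log rule to NFT_LOG); the sample config at the bottom is constructed, not taken from any real kernel.

```shell
#!/bin/sh
# Added example (not from the original post): report which Kconfig symbols
# needed by the posted nftables ruleset are missing from a kernel .config.
# The mapping of rules to symbols is an assumption documented in the lead-in.

# Kconfig symbols the ruleset depends on (assumed mapping, see lead-in).
NFT_REQUIRED_OPTIONS="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET \
CONFIG_NF_CONNTRACK CONFIG_NFT_CT CONFIG_NFT_LIMIT CONFIG_NFT_LOG"

# nft_check_config <kernel .config file>
# Prints "missing: <symbols>" and returns 1 if any required symbol is not
# set to y or m in the file; returns 0 silently when all are present.
nft_check_config() {
    config="$1"
    missing=""
    for opt in $NFT_REQUIRED_OPTIONS; do
        # Match only exact "SYMBOL=y" / "SYMBOL=m" lines, not longer names.
        if ! grep -q "^${opt}=[ym]$" "$config"; then
            missing="$missing $opt"
        fi
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# nft_running_kernel_config <output file>
# Copies the running kernel's config to <output file>, from /proc/config.gz
# (needs CONFIG_IKCONFIG_PROC) or from the copy under /boot. Returns 1 if
# neither is readable, so the caller can fall back to its own source tree.
nft_running_kernel_config() {
    out="$1"
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz > "$out"
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)" > "$out"
    else
        return 1
    fi
}

# Constructed sample config: everything present except the limit expression,
# which is the situation that leaves "limit rate" rules unloadable.
SAMPLE_CONFIG="$(mktemp)"
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=y
CONFIG_NF_CONNTRACK=m
CONFIG_NFT_CT=m
# CONFIG_NFT_LIMIT is not set
CONFIG_NFT_LOG=m
EOF
```

On a live system, run `nft_running_kernel_config /tmp/kcfg && nft_check_config /tmp/kcfg` to check the booted kernel instead of the sample; a missing symbol has to be enabled and the kernel rebuilt (or the module built and loaded) before `nft -f` will accept the corresponding rule.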