On Monday, 05-08-2024 at 21:52 Michel Verdier wrote:
> On 2024-08-05, George at Clug wrote:
>
> > Down below is the output of the translation commands for my Iptables
> > commands. Interesting but again, I will need to learn what this means,
> > it does not look self explanatory. But hopefully, like everything
> > computer related, it is usually not that complex, just you need to
> > understand the new syntax and how to use it.
> >
> > I am also a bit concerned about the statement "table ip nat", I do not
> > want [e.g. need] any Network Address Translation occurring.
>
> Simply remove table ip nat and table ip mangle as they are empty and you
> don't use them.
Thanks.
>
> > table ip filter {
> >     chain INPUT {
> >         type filter hook input priority filter; policy drop;
> >         iifname "lo" counter packets 0 bytes 0 accept
> >         iifname "enp1s0" ct state established,related counter packets 243 bytes 27964 accept
> >         iifname "enp1s0" ct state new tcp dport 22 counter packets 0 bytes 0 accept
> >         iifname "enp1s0" ct state new tcp dport 25565 counter packets 0 bytes 0 accept
> >         iifname "enp1s0" ct state new tcp dport 8123 counter packets 0 bytes 0 accept
> >     }
>
> Remove "packets nnn bytes nnn", syntax is:
> iifname lo counter accept
> The action "counter" will count packets matching the rule. If you do the
> shell command:
> nft list ruleset
> the line will be listed with the packets and bytes counters.
> Also you don't need to test iifname "enp1s0" if you don't have multiple
> interfaces or don't want to differentiate them.
> Only loopback (lo) is to be tested.
>
> >     chain OUTPUT {
> >         type filter hook output priority filter; policy drop;
> >         oifname "lo" counter packets 0 bytes 0 accept
> >         oifname "enp1s0" ct state established,related counter packets 189 bytes 33916 accept
> >         oifname "enp1s0" ct state new udp dport 53 counter packets 16 bytes 984 accept
> >         oifname "enp1s0" ct state new tcp dport { 22, 53, 80, 123, 443 } counter packets 9 bytes 540 accept
> >     }
>
> Same as for input don't test oifname "enp1s0" if not needed.
>
> So you drop packets not accepted. Here for workstation I add a last rule
> like this one:
> log level warn prefix "[FW accept output] " counter accept
> This will log a warning but still accept the packet out.
>
>
I would like to specify the interface, as on another interface, and have a
different set of rules for the other interface.
I do not think I need the counter to be counting packets, so I will
remove the statement for now.
To disable port forwarding would this be a better method?
# echo 0 > /proc/sys/net/ipv4/ip_forward
# cat /etc/sysctl.conf
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
After sleep, tomorrow I would like to test this out:
===============================
# nano /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iifname "lo" accept
        iifname "enp1s0" ct state established,related accept
        iifname "enp1s0" ct state new tcp dport ssh accept
        iifname "enp1s0" ct state new tcp dport 25565 accept
        iifname "enp1s0" ct state new tcp dport 8123 accept
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority filter; policy drop;
        oifname "lo" accept
        oifname "enp1s0" ct state established,related accept
        oifname "enp1s0" ct state new udp dport dns accept
        oifname "enp1s0" ct state new tcp dport { ssh, dns, http, ntp, https } accept
    }
}
# systemctl restart nftables.service
====================================
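An added example, written by the editor and not part of either poster's mail, for the cleanup Michel describes above: a POSIX shell filter that takes the text printed by `nft list ruleset` (here a constructed sample in the shape of the translated rules, with made-up counter values), strips the runtime `packets N bytes N` readings that are not valid rule syntax, and drops the empty `nat` and `mangle` tables, so what remains can be checked with `nft -c -f` before it is loaded. The function names and the sample ruleset are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output after iptables-translate;
# the counter values are invented, the rule shape mirrors the thread.
SAMPLE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;
        iifname "lo" counter packets 0 bytes 0 accept
        iifname "enp1s0" ct state established,related counter packets 243 bytes 27964 accept
        iifname "enp1s0" ct state new tcp dport 22 counter packets 0 bytes 0 accept
    }
}
table ip nat {
}
table ip mangle {
}'

# strip_counters: the "packets N bytes N" readings are runtime state printed
# by `nft list`, not rule syntax; a config file must say just "counter".
strip_counters() {
    sed -E 's/counter packets [0-9]+ bytes [0-9]+/counter/g'
}

# drop_empty_tables: a "table ... {" line immediately followed by "}" is an
# empty table (e.g. nat or mangle with nothing in it) and is removed whole.
drop_empty_tables() {
    awk '
        # Hold a table header until we know whether the table has content.
        /^table .*\{ *$/ { held = $0; pending = 1; next }
        # Closing brace right after the header: empty table, drop both lines.
        pending && /^\} *$/ { pending = 0; next }
        # Any other line means the table has content: emit the held header.
        pending { print held; pending = 0 }
        { print }
    '
}

# clean_ruleset: full pipeline, reads a ruleset on stdin, writes a loadable one.
clean_ruleset() {
    strip_counters | drop_empty_tables
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RULESET" | clean_ruleset

# On a live host (not run here): nft list ruleset | clean_ruleset > /tmp/nft.conf
# then validate with: nft -c -f /tmp/nft.conf   (syntax check only, no changes applied)
```

The two-step split matters: `sed` cannot safely remove a multi-line block, and `awk` has no need to know about counters, so each stage stays a one-line rule that is easy to audit. Run `nft -c -f` on the result before restarting `nftables.service`; with `policy drop` on OUTPUT, a syntax error that leaves the old ruleset flushed would otherwise lock the host off the network.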