
Questions tagged [nftables]

packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as consolidated replacement for existing {ip,ip6,arp,eb}tables frameworks

-1 votes
1 answer
169 views

(First, please excuse me. Not a professional sysadmin, just someone who has had to set up a VPS recently). I recently set up a new Almalinux 10 box, and I wanted to add port knocking to it to further ...
1 vote
1 answer
226 views

I am trying to set up some very specific rules with nftables, but I am stuck at some point. There is obviously something I am missing. Here is the script I am using: #!/usr/sbin/nft -f flush ruleset ...
3 votes
2 answers
468 views

I'd like to use nftables to set up a firewall in the following way: a basic table with a default-deny policy custom tables (which I'd add per service running on a machine) which allow only relevant ...
0 votes
0 answers
45 views

I was following solution 1 from https://unix.stackexchange.com/a/693643/29529 but I get the following error in the 1st command ~# iptables -t mangle -A INPUT -i eth1 -j CONNMARK --set-mark 2 iptables ...
0 votes
0 answers
125 views

I have two VPSs (SERVER-A and SERVER-B) connected to a 10.252.1.0/24 WireGuard network. The WireGuard client config in SERVER-A has AllowedIPs=10.252.1.0/24 and SERVER-B has AllowedIPs = 0.0.0.0/0. ...
0 votes
1 answer
403 views

I have a Proxmox server on 73.xx.xx.xx which I want to do a port forward to. In this case it's 51800/udp to 192.168.2.2. I have configured the firewall from Proxmox and the VM itself. Both processes ...
0 votes
0 answers
86 views

I've launched a new AWS EC2 instance running Amazon Linux 2023. I want to set up nftables with the nftables.conf file to limit the concurrent connections per source IP so that any one user cannot hog ...
0 votes
0 answers
80 views

I am setting up a firewall to guard a web server. I don't need it to be secure since it is not publicly available and will not be in the near future. But I need to set up the firewall so that the ...
0 votes
1 answer
252 views

I have an IPtables matching as -m policy --dir out --pol ipsec --mode tunnel --tunnel-src 1.1.1.2 --tunnel-dst 1.1.1.1. I know that this matching works with nftables in compatible mode as xt "...
0 votes
1 answer
172 views

I have a seemingly easy goal: there is a certain container. I want traffic originating from that container to be routed via a custom routing table to a VPN. I don't need ALL container traffic to be routed ...
0 votes
1 answer
106 views

Default nftables: nft list ruleset table inet filter { chain input { type filter hook input priority filter; policy accept; iif "lo" accept ...
0 votes
0 answers
144 views

I have a setup where I'm attempting to restrict access to the server with iptables rules that specify allowed IP ranges, like this: -A INPUT -i lo -j ACCEPT -A INPUT -s 127.0.0.0/8 -j ACCEPT -A INPUT -...
2 votes
0 answers
89 views

I am in the middle of installing NFT-based firewalls on some routers. Routers run Slackware Linux, kernel 6.12.21, nftables 1.1.1, libnftnl 1.2.8. The actual firewalls are generated from a list of ...
1 vote
1 answer
552 views

I am running WireGuard in a Podman container. I have a Hub and Spoke configuration like this Client A <--> Hub <--> Client B | | Internet This is ...
0 votes
0 answers
192 views

I am looking for a solution where TCP packets need to be forwarded or broadcasted to multiple destinations. Using nftables, I managed to forward packets to another machine with the following rule: nft ...
0 votes
1 answer
115 views

So I have an internet setup with a BGP router that provides me with my own /24 IPv4 block. In order to have those same IPs on a disaster recovery site, I've built a server machine on the disaster site ...
1 vote
1 answer
178 views

I have a very simple setup that needs to forward traffic from a WireGuard interface (wg0) to hosts connected to a LAN interface (enp0s25). [ other LAN host ] <---> enp0s25 [ server ] wg0 <---&...
0 votes
0 answers
172 views

I am new to Networking. I am working on a project where I need to implement a Captive Portal inside an Alpine Linux container, but there are some tricky parts to it. The system I am working on uses ...
1 vote
1 answer
262 views

Before: We have a server which is also a VPN client. It thus has 2 interfaces: eth0 (physical) and tun0 (VPN). The VPN is only there to serve external requests: it goes to another site which directs ...
2 votes
0 answers
458 views

In iptables, you can use the following command to check if a rule exists in a specific chain: iptables -C INPUT -s 192.168.254.0 -j DROP The -C option verifies the existence of the rule in the ...
0 votes
1 answer
171 views

Determined to turn an old computer into a server (NAS, Home assistant, ...), I decided to learn about Virtualization with Xen Project on Debian. The server is expected to be used on LAN only and it ...
0 votes
0 answers
145 views

I wanted to expose an IP cam to the Internet using a WireGuard tunnel; the diagram looks like this: Client ---> ServerA ---(wireguard)---> ServerB ---(LAN)---> Cam. I've set proper DNAT and SNAT rules; ...
-1 votes
2 answers
1k views

I'm running my proxy client on the same Linux machine I'm using the connection on. In the configuration I can tell it to tproxy to port 2500. The proxy runs on port 443, using TLS (although this part ...
0 votes
1 answer
760 views

I am using nftables v0.9.6 and the geoip database to drop inbound traffic from specific countries. For example, I have in a chain: meta mark 0x0000033a drop comment "block traffic from GB" ...
0 votes
0 answers
70 views

0. The main problem is the nft counters increase but no web page shows. Claims HTTP 404 error. DNS and dig report valid results. From inet firewalld filter_INPUT: '''meta l4proto {tcp,udp} ct state ...
0 votes
0 answers
1k views

Recent versions of Linux have switched from iptables to nftables. However, I am a newbie with the nft command. So, my question is: How do I list all specific IPs (IPv4 & IPv6) that are blocked &...
0 votes
1 answer
317 views

I use AlmaLinux 9. I understand that there is a new backend service, nftables, which can be managed by the iptables-nft command, so I set some rules and my rule set looks like: # Warning: table ip nat is ...
0 votes
2 answers
655 views

I have a moderately complex ruleset, running on Debian 12, but it includes simple rules to open e.g. ports 80 and 443 (implicitly for both ipv4 and ipv6). Immediately after running "systemctl ...
0 votes
1 answer
499 views

I have an Ubuntu 24.04.1 LTS server, running strongSwan. I have since learned that it's using nftables and not iptables for its firewall. In setting up the VPN, I am able to connect with the client, ...
0 votes
1 answer
771 views

I am currently trying to solve the following problem, but my google/SO searches have not yielded a matching scenario so far: From my linux host, I must reach the destination host 172.19.28.152. ...
-1 votes
1 answer
553 views

I'm aware of two main ways to write and receive network packets from an existing network interface on Linux. The first is with the classic sockets API, in which the Linux kernel is responsible for ...
0 votes
1 answer
181 views

I need to configure my router (Ubuntu Server 24 / nftables) so that computers connected to the lan1 and lan2 interfaces can browse the internet using the wan1 or wan2 interfaces, depending on the ...
1 vote
1 answer
256 views

This is my nftables config file. #/bin/sbin/nft -f flush ruleset table inet my_fw_tables { chain input_filter { type filter hook input priority filter; policy drop; ct ...
1 vote
2 answers
1k views

Network/Firewalls isn't my strong side, so there is the possibility that I'm making a very basic mistake. I need to access services running inside my qemu guest system from other devices in my network....
1 vote
1 answer
251 views

The documentation of nftables about the match concept is too weak. nftables document I want to accept all traffic from IP x.w.y.z with port 80 only between two dates and times, for example: start: 2024/01/12 ...
0 votes
1 answer
796 views

I have setup a Debian 12 machine as an IPv4 NAT Gateway / Router by following the various tutorials on the internet (mostly following arch wiki) and tried to do it the most modern way possible. I use ...
0 votes
1 answer
753 views

I use KVM to virtualize a Guest-Linux-Mint on my Host-Debian12. The Guest is obviously configured well with NAT: I can ssh into the Guest from the Host, I can reach the Internet from the Guest. But I ...
0 votes
1 answer
852 views

I need help creating rules. According to cPanel, firewalld broke migrating from CentOS to AlmaLinux. They no longer supported CentOS, so I bit the bullet finally and migrated. Everything went ...
0 votes
1 answer
2k views

Basically what I need is to change all packets destined for one subnet to a different subnet. I need this because my router has 2 VPNs and both of them use the same IP range [out of my control]. This is ...
1 vote
1 answer
1k views

tldr; bridge (see below) doesn't work if there is a matching drop in another table (like the default rules of firewalld). Hello, I'm building my own VM lib (kind of quickemu). I have a problem with ...
1 vote
2 answers
589 views

I have a Linux server that is an OpenVPN endpoint, but also hosts a webserver. When my client connects to the server address for the webserver, the packets travel outside the VPN. Rightly so, since ...
2 votes
2 answers
5k views

So I have a quick and dirty firewall that I plan to use on my VPS using nftables. Here's the initial rule: table inet filter { chain input { type filter hook input priority 0; # ...
0 votes
1 answer
2k views

For over one year I have had a working nft configuration. After updating the NVM of my network cards and running "apt update & upgrade", I encounter the following error on boot. But nftables starts ...
1 vote
2 answers
1k views

I have a Debian box running firewalld set up as a gateway NAT/router. This device has two NICs: wan --- public interface, assigned to the external firewalld zone, dynamically assigned IP address using ...
1 vote
1 answer
2k views

I have table ip nat { chain Redirect_to_local { limit rate 3/minute burst 10 packets log prefix "[nft.ip.dnat.8080]: " redirect to :8080 } chain ...
2 votes
1 answer
470 views

It is not clear to me from the manual if these commands are equal in their function: meta skuid == "root" counter accept skuid 0 counter accept also ct state == { established, related } ...
1 vote
0 answers
1k views

I'm looking for ways to confuse port scanners. I do realize it is not that useful, but it is mostly to slow down attackers, and also to avoid ending up on websites like Shodan (or at least make the ...
0 votes
0 answers
152 views

I have an input file which has data like below: chain:VARIABLE_IN ip_version:v4 proto:tcp sport:5401 dst_ip:18.159.158.206 dport:5432 decision:a tcpflags:&syn!=syn My code reads the above data to form ...
0 votes
0 answers
193 views

I have a requirement where I am getting parameters to set in iptables as below: Rate Limit = 1/sec Source port = 5432 Source IP = 203.0.113.0 Protocol = tcp TCP flags = &syn!=syn iptables -A PRIO_IN -...
1 vote
1 answer
839 views

I'm trying to expose a libvirt (qemu) virtual machine to the open world on a separate address via a promiscuous device and attached macvtap, but at the same time protect the local network from ...