Nftables question(s)

I’m looking at a sample firewall rule for a workstation and it has this line:

# activate the following line to accept common local services
		#tcp dport { 22, 80, 443 } ct state new accept

Local to what? The machine or domain?
This is a standalone machine that doesn’t provide anything to a network so there shouldn’t be a need for incoming requests.
I’m trying to get these messages to stop:
[90378.652440] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=356592 PROTO=ICMPv6 TYPE=134 CODE=0

I believe they’re multicast messages which would be solved by adding this:

# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

I’m also unsure about this line:

# accept traffic originated from us
		ct state established,related accept

us as in USA or us as in the domain?
As far as I’m aware, I should be able to just drop all incoming traffic (except what is required for IPv6 to work) and allow all outgoing traffic.

I use CSF. While it isn’t the same, I would think your first question would be for the local machine based on my knowledge. I can’t imagine it being in reference to the domain but I could be wrong.

Hmm, not sure.

But I know that ICMPv6 type 134 is router advertisement packets. Routers send out router advertisement messages periodically; this is normal.

Your main issue is that you want to quiet those messages from dmesg?

= open SSH, HTTP and HTTPS and give them the new state.

But yes, no need to uncomment if you are not making use of those ports.

Yes, I want them to quit. It states that they shouldn’t be dropped, so that’s out; it looks like the meta lines would get it to do it though (the things I try to teach myself sometimes :speak_no_evil:). I was using gufw for a firewall, but it apparently doesn’t create a rule for the multicast stuff.


I would expect to find another line in the config file that enables this logging; is there such a line? Also, the packets are type 134 (router adverts, as @hydn mentioned), and you are not accepting type 134 in your suggested addition, so you would still see the log messages.
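To see what one of those log lines actually says, and what the two RFC 4890 rules quoted above would do with that packet, here is an added shell script (it is not the poster's code and not part of Debian's config). It pulls the `KEY=value` fields out of a kernel netfilter LOG line, recovers the text that a `log prefix` rule put in front of `IN=`, and models the two quoted rules: the first set is accepted from any source, the second only from fe80::/10. The first sample line is the message from the thread; the second is constructed. Note that `FW6 REJECT (input)` is a prefix that some log rule wrote, and the posted nftables config contains no `log` rule at all, so the prefix itself is the clue to which ruleset is producing the line (`nft list ruleset` and `iptables-legacy-save` are the two places to grep for it).

```shell
#!/bin/sh
# Added example for this thread, not the poster's code: triage kernel netfilter
# LOG lines for ICMPv6 against the two RFC 4890 rules quoted in the thread.
# LOG1 is the poster's message; LOG2 is a constructed sample.

nf_log_prefix() {  # usage: nf_log_prefix "LINE" -> text placed before "IN=" by the log rule
    printf '%s\n' "$1" | sed -n 's/^.*] *\(.*\): IN=.*$/\1/p'
}

nf_log_field() {  # usage: nf_log_field KEY "LINE" -> value of KEY=..., empty if unset (e.g. OUT=)
    printf '%s\n' "$2" | tr ' ' '\n' | sed -n "s/^$1=//p" | head -n 1
}

icmpv6_verdict() {  # usage: icmpv6_verdict TYPE SRC -> accept | fall-through
    case "$1" in
        # first quoted rule: these type numbers are accepted from any source
        # (1-4 errors, 128/129 echo, 133-136 neighbour discovery incl. 134 nd-router-advert, 148/149)
        1|2|3|4|128|129|133|134|135|136|148|149) echo accept ;;
        # second quoted rule: MLD and multicast-router types, only from link-local fe80::/10 (fe80..febf)
        130|131|132|143|151|152|153)
            case "$2" in fe[89abAB]*) echo accept ;; *) echo fall-through ;; esac ;;
        # anything else reaches the chain's final "counter drop"
        *) echo fall-through ;;
    esac
}

triage_line() {  # usage: triage_line "LINE" -> "PREFIX|IFACE|TYPE|VERDICT"
    prefix=$(nf_log_prefix "$1"); iface=$(nf_log_field IN "$1")
    if [ "$(nf_log_field PROTO "$1")" != "ICMPv6" ]; then
        printf '%s|%s|-|not-icmpv6\n' "$prefix" "$iface"
        return 0
    fi
    t=$(nf_log_field TYPE "$1"); s=$(nf_log_field SRC "$1")
    printf '%s|%s|%s|%s\n' "$prefix" "$iface" "$t" "$(icmpv6_verdict "$t" "$s")"
}

# the line from the thread (dmesg form)
LOG1='[90378.652440] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=356592 PROTO=ICMPv6 TYPE=134 CODE=0'
# constructed: an MLD query (type 130) from a global address, which the second rule does not cover
LOG2='May 29 15:02:02 localhost kernel: [492584.475649] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=130 CODE=0'

for line in "$LOG1" "$LOG2"; do triage_line "$line"; done
```

For the thread's own line the script answers `accept`: type 134 is `nd-router-advert`, which sits in the first quoted set, so a ruleset with those two rules in its input chain would not be the one dropping and logging these packets. The constructed second line falls through, because the MLD types are only accepted when the source is link-local.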

So here’s the example text from the distro’s (Debian Bookworm) file:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0;

		# accept any localhost traffic
		iif lo accept

		# accept traffic originated from us
		ct state established,related accept

		# activate the following line to accept common local services
		#tcp dport { 22, 80, 443 } ct state new accept

		# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

		# count and drop any other traffic
		counter drop
	}
}

I did follow the IPv6 RFC link and got some ideas, but I don’t see anything for logging in this script.
I’m assuming that “ingress” is what incoming is called and could do something to the effect of

iif ingress enp1s0 drop 

which should block all external (everything that isn’t local to the machine) and leave no open ports… I hope. :cry:

Update:
I created an NFTables script that now looks like this:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

chain base_checks {
        # Drop invalid connections and allow established/related connections
                ct state invalid drop
                ct state {established, related} accept
    }

        chain input {
                type filter hook input priority 0; policy drop;

        jump base_checks

        # Allow from loopback
                iifname lo accept
        iifname != lo ip daddr 127.0.0.1/8 drop

        # New UDP traffic will jump to the UDP chain
                ip protocol udp ct state new jump UDP
        # New TCP traffic will jump to the TCP chain
                tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP

        # Everything else
                ip protocol udp reject
                ip protocol tcp reject with tcp reset
        reject with icmpx type port-unreachable
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
        } 

        chain output {
                type filter hook output priority 0; policy accept;
        }
		# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
		ip6 nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

		# count and drop any other traffic
		counter drop

# ---------------------------------------------------------------------------------
		##CHAIN RULES

    # TCP chain
    set TCP_accepted {
        type inet_service; flags interval; 
        elements = {1714-1764}
    }
        chain TCP {
        tcp dport @TCP_accepted accept
        } 

    # UDP chain
    set UDP_accepted {
        type inet_service; flags interval;
         elements = {1714-1764}
    }
        chain UDP {
        udp dport @UDP_accepted accept
        }
}

and it gives me errors about unexpected ip6?
If I try the example from Debian:

# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

It complains about unexpected meta?
Any ideas on where I goofed?

So I got fed up with Googling the answer and opened a bug with Debian about it.
After the dev replied to me, the nftables.conf now looks like:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

chain base_checks {
        # Drop invalid connections and allow established/related connections
                ct state invalid drop
                ct state {established, related} accept
    }
    


        chain input {
                type filter hook input priority 0; policy drop;
# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		#ipv6 saddr fe80::/10 
		icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
        jump base_checks

        # Allow from loopback
                iifname lo accept
        iifname != lo ip daddr 127.0.0.0/32 drop

        # New UDP traffic will jump to the UDP chain
                ip protocol udp ct state new jump UDP
        # New TCP traffic will jump to the TCP chain
                tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP

        # Everything else
                ip protocol udp reject
                ip protocol tcp reject with tcp reset
        reject with icmpx type port-unreachable
        }

        chain forward {
                type filter hook forward priority 0; policy drop;
        } 

        chain output {
                type filter hook output priority 0; policy accept;
        }
		
		# count and drop any other traffic
		counter enp1s0{}

# ---------------------------------------------------------------------------------
		##CHAIN RULES

    # TCP chain
    set TCP_accepted {
        type inet_service; flags interval; 
        elements = {1714-1764}
    }
        chain TCP {
        tcp dport @TCP_accepted accept
        } 

    # UDP chain
    set UDP_accepted {
        type inet_service; flags interval;
         elements = {1714-1764}
    }
        chain UDP {
        udp dport @UDP_accepted accept
        }
}

I had to make the line starting with “meta” have “nfproto” and comment out the IPv6 Loopback but it’s working now.
:partying_face: :dancing_women: :dancing_women: :dancing_women: :dancing_women: :tada:

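The "unexpected ip6" and "unexpected meta" errors from the earlier version come from where the lines sat, not from the lines themselves: in that file the two ICMPv6 rules and `counter drop` were placed after the closing brace of the `output` chain, i.e. at table scope, and at that level nft only accepts `chain`, `set`, `map` and named-object declarations (which is also why `counter enp1s0{}`, a named counter object, is accepted there). The fix the dev gave is to put the rules inside `chain input`. Below is an added example, not the poster's config and not Debian's own /etc/nftables.conf: a shell script that writes a standalone-workstation ruleset with every rule inside a chain, lints a file for rules that sit at table scope, and runs nft's syntax check when nft is installed and the script runs as root. The log rule's prefix `nft-input-drop:` is a name chosen here so that log lines can be attributed to this ruleset; the bad-layout sample file is constructed to reproduce the shape of the earlier error.

```shell
#!/bin/sh
# Added example for this thread; not the poster's config and not Debian's own
# /etc/nftables.conf. Writes a standalone-workstation ruleset, lints for rules
# at table scope (the layout behind "unexpected ip6" / "unexpected meta"), and
# runs "nft -c" when possible. The bad-layout sample is constructed.
OUT_DIR="${TMPDIR:-/tmp}/nft-example.$$"
GOOD="$OUT_DIR/nftables.conf"
BAD="$OUT_DIR/bad-layout.conf"

write_ruleset() {  # usage: write_ruleset FILE
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		# loopback only on lo; loopback addresses arriving on any other interface are forged
		iif lo accept
		iifname != "lo" ip daddr 127.0.0.0/8 drop
		iifname != "lo" ip6 daddr ::1 drop

		# drop broken state, accept replies to connections this host opened
		ct state invalid drop
		ct state established,related accept

		# uncomment only if this machine offers these services to the network
		#tcp dport { 22, 80, 443 } ct state new accept

		# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
		# nd-router-advert is type 134, so router advertisements to ff02::1 match here
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

		# rate-limited, prefixed sample of what is dropped; the prefix names this ruleset
		limit rate 5/minute log prefix "nft-input-drop: "
		counter drop
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}
}
EOF
}

write_bad_sample() {  # usage: write_bad_sample FILE (constructed: rules placed after the last chain)
    cat > "$1" <<'EOF'
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iif lo accept
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
	ip6 saddr fe80::/10 icmpv6 type { 130, 131 } accept
	counter drop
}
EOF
}

table_scope_rules() {  # usage: table_scope_rules FILE -> "line N: text" for each rule found at table scope
    awk '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/#.*/, "", line) }
        # depth 1 is table scope: only chain/set/map/named-object declarations belong here
        depth == 1 && line != "" && line !~ /^}/ &&
          line !~ /^(chain|set|map|counter|quota|limit|flowtable|secmark|synproxy|ct helper|ct timeout|ct expectation)[ \t]+[^ \t{]+[ \t]*[{]/ &&
          line !~ /^comment[ \t]/ { printf "line %d: %s\n", NR, line }
        # braces inside comments were stripped above, so only structural braces are counted
        { depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line) }
    ' "$1"
}

check_ruleset() {  # usage: check_ruleset FILE -> ok | bad | skipped
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        if nft -c -f "$1" >&2; then echo ok; else echo bad; fi
    else
        echo skipped   # nft missing, or not root: the check still needs netlink access
    fi
}

mkdir -p "$OUT_DIR"
write_ruleset "$GOOD"
write_bad_sample "$BAD"
echo "rules at table scope in $BAD:"; table_scope_rules "$BAD"
echo "rules at table scope in $GOOD: $(table_scope_rules "$GOOD" | wc -l | tr -d ' ')"
echo "nft -c on $GOOD: $(check_ruleset "$GOOD")"
```

Two things worth noting about the written ruleset: with `policy drop` on the input hook there is no need for an interface-specific drop such as the `iif ingress enp1s0` line guessed at earlier (interface names are matched with `iifname "enp1s0"` in any case), and the `log prefix` line is what makes a dropped packet show up in dmesg, so a log line carrying a prefix that does not appear in `nft list ruleset` was written by some other ruleset, which is how this thread ended.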

Nice work! I also added the “solved” feature to this tech help parent forum. Didn’t realize it was not already active. Marked your last response as the solution.

Thanks!

Is there an almost solved? I am able to use the table as I posted, but it didn’t solve the initial problem. I’m still getting flooded with these messages:
May 29 15:02:02 localhost kernel: [492584.475649] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
I’m out of ideas now. I guess NFTables doesn’t insert itself into the kernel like everyone says it does. I still have no idea how to be rid of these in my logs.

Now it’s solved :smile_cat: I found a firewall script I had installed was the issue (uruk). It was apparently blocking that port (5353); removing it, flushing my iptables and ensuring iptables-legacy was flushed out solved it.
