
Re: new to nft



On 13/01/2021 at 17:40, François Patte wrote:

> I begin to use nftables and wrote these rules:
>      chain input { # handle 1
>          type filter hook input priority 0; policy drop;
>          ct state established,related accept # handle 4
>          ip saddr 192.168.1.0/24 accept # handle 5
>          ip6 saddr fe80::/10 accept # handle 6
>          ct state invalid drop # handle 7
>          iifname "lo" accept # handle 8
>          tcp dport 22222 accept # handle 9
>          log # handle 10
>      }
>
> I expect to block all traffic from anywhere except on the local network (192.168.1.0/24)

"on the local network" does not make any sense, and this ruleset fails to drop all traffic from anywhere but 192.168.1.0/24:

          ct state established,related accept # handle 4

accepts traffic from any address, and

          iifname "lo" accept # handle 8

accepts traffic from 127.0.0.0/8 and any local (host) address.

> Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

No. 192.168.1.0/24 is a private prefix. Addresses can be configured by any conventional method (static, DHCP...). They are routable.

fe80::/10 is the link local prefix. Addresses are automatically assigned by the kernel itself. They are not routable.

> The last line "log" is (for me) supposed to log all dropped packets, am I right?

No. It does not log packets already dropped by

          ct state invalid drop # handle 7

> For this last line, logwatch reports "logged packets on interface".
> logwatch with iptables reports "drop packets on the interface"

I wonder how logwatch knows the logged packets are dropped.

> Are these packets dropped or only logged?

What do you trust more? The chain default policy "drop" or logwatch?
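An added example for readers of this thread (it is not the ruleset from either message above, nor anything the list proposed): the same chain, reordered so that each point raised in the reply is visible in the rules themselves. The table name "inet filter", the IPv6 prefix fd00:1::/64 and the log prefixes are assumed values for the example; 192.168.1.0/24 and port 22222 come from the original rules.

```nft
#!/usr/sbin/nft -f
# Added example, not the ruleset posted in the thread.
# Assumed table name; the original post only shows the chain.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback first. This accepts 127.0.0.0/8, ::1 and any address
        # bound on this host when it talks to itself, which is why the
        # reply says it accepts "any local (host) address".
        iifname "lo" accept

        # Packets in "invalid" state are dropped here, before the final
        # "log" rule, so they would never be logged by it. Attaching the
        # log to this rule is what makes them show up in the kernel log.
        ct state invalid log prefix "nft-input-invalid: " drop

        # Replies to connections this host opened, or related flows such
        # as FTP data or ICMP errors. Matches whatever the peer address is;
        # the restriction to the LAN below only applies to *new* flows.
        ct state established,related accept

        # IPv6 neighbour discovery uses link-local source addresses and
        # is not covered by conntrack; without this, IPv6 on the link
        # stops working once fe80::/10 is no longer accepted wholesale.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # New connections from the LAN. fe80::/10 is link-local, not the
        # IPv6 counterpart of 192.168.1.0/24; fd00:1::/64 is an assumed ULA
        # prefix standing in for whatever prefix is actually in use.
        ip saddr 192.168.1.0/24 accept
        ip6 saddr fd00:1::/64 accept

        # Kept from the original: this opens 22222 to *any* source address.
        # If the intent really is "LAN only", delete this rule; the two
        # saddr rules above already cover port 22222 from the LAN.
        tcp dport 22222 accept

        # "log" is non-terminating: it records the packet and then the
        # chain's policy (drop) is what actually discards it. "counter"
        # makes the hit count visible in "nft list ruleset".
        counter log prefix "nft-input-drop: "
    }
}
```

Syntax-check without loading it with "nft -c -f input.nft", load with "nft -f input.nft", and confirm the order with "nft list chain inet filter input". Logged packets appear in the kernel log ("journalctl -k" or "dmesg") with the chosen prefix, which also lets logwatch or any other parser tell apart the two drop paths; the prefix is the only thing that says "dropped" in the log line, since the log statement itself never drops anything.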

