jhon987 (Guru)
Joined: 18 Nov 2013 Posts: 302
Posted: Sat Nov 20, 2021 10:13 am Post subject: iptables + ipset to nftables?
Can someone please direct me on how I can create a match set for certain ports in nftables?
In iptables I use the following:
```
-A INPUT -p tcp -m multiport --dports 25,143,465,587,993 -m set --match-set mail src -j DROP
```
and then I have an ipset list for all the IPs I want to drop...
How can I achieve the same result with nftables?
P.S. I've created a netdev table called filter in nftables, as I understand that it's the fastest way to filter large numbers of IPs (https://blog.cloudflare.com/how-to-drop-10-million-packets/); as I understand it, it should support both IPv4 and IPv6.
pa4wdh (l33t)
Joined: 16 Dec 2005 Posts: 910
Posted: Sat Nov 20, 2021 11:57 am Post subject:
Hi jhon987,
I think this does what you want:
```
table inet firewall {
    # one blocklist set per address family; filled from the CLI with 'nft add element'
    set mail_ipv4 {
        type ipv4_addr
        flags dynamic
    }
    set mail_ipv6 {
        type ipv6_addr
        flags dynamic
    }
    chain input {
        type filter hook input priority 0; policy accept;
        # drop mail-port traffic from listed sources; 'counter' shows how often each rule hit
        tcp dport { 25, 143, 465, 587, 993 } ip saddr @mail_ipv4 counter drop
        tcp dport { 25, 143, 465, 587, 993 } ip6 saddr @mail_ipv6 counter drop
    }
}
```
You can save this in a file and use nft -f to load it.
This first defines two sets, one for IPv4 and one for IPv6. The rules in the input chain check for source addresses in those sets. Because the table type is inet you can mix IPv4 and IPv6 there.
To add addresses to the sets use:
```
nft add element inet firewall mail_ipv4 { x.x.x.x }
nft add element inet firewall mail_ipv6 { xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx }
```
_________________
The gentoo way of bringing peace to the world:
USE="-war" emerge --newuse @world
My shared code repository: https://code.pa4wdh.nl.eu.org
Music, Free as in Freedom: https://www.jamendo.com
jhon987 (Guru)
Joined: 18 Nov 2013 Posts: 302
Posted: Sat Nov 20, 2021 3:14 pm Post subject:
pa4wdh wrote:
> Hi jhon987,
Thank you very much. Thanks to you I figured out how to do it with netdev as well...
For reference:
I placed a file under /etc/nftables/mail.conf
```
#! /sbin/nft -f
table netdev filter {
    # same two blocklist sets as in the inet version above
    set mail_ipv4 {
        type ipv4_addr
        flags dynamic
    }
    set mail_ipv6 {
        type ipv6_addr
        flags dynamic
    }
    chain ingress {
        # netdev ingress hooks are bound to one interface; change enp0s3 to yours
        type filter hook ingress device enp0s3 priority -500; policy accept;
        tcp dport { 25, 143, 465, 587, 993 } ip saddr @mail_ipv4 counter drop
        tcp dport { 25, 143, 465, 587, 993 } ip6 saddr @mail_ipv6 counter drop
    }
}
```
The device name can be found with ifconfig.
In a terminal I issued nft -f /etc/nftables/mail.conf
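The missing step in the thread is moving the existing ipset list into the new nftables sets in one go rather than with one `nft add element` per address. The script below is an added example written for this page, not code posted by either participant. It assumes the text format that `ipset save` prints for hash:ip and hash:net sets (`add <set> <address>[/<prefix>] [timeout N] [comment "..."]`), splits the entries into the IPv4 and IPv6 sets from pa4wdh's `inet firewall` table, and can emit jhon987's `netdev filter` variant instead when given an interface name. Two deliberate differences from the posted configs: it leaves out `flags dynamic`, which is only needed when rules themselves add elements from the packet path, and it adds `flags interval` whenever a CIDR prefix is present, because a plain `ipv4_addr`/`ipv6_addr` set only holds single addresses. Duplicates and hosts already covered by a wider prefix are collapsed before output, since nft rejects overlapping elements in an interval set. The sample `ipset save` text is constructed, not real data.

```python
"""Migrate an ipset blocklist to nftables sets (added example, not code from the thread).

Assumed input: the text `ipset save` prints for hash:ip / hash:net sets, i.e.
    create <set> hash:net family inet ...
    add <set> <address>[/<prefix>] [timeout N] [comment "..."]
Output: an `nft -f`-loadable table with two named sets (IPv4, IPv6) and the
two mail-port drop rules from the thread.
"""
import ipaddress

MAIL_PORTS = (25, 143, 465, 587, 993)

# Constructed sample input (what `ipset save` might print); not real data.
SAMPLE_IPSET_SAVE = """\
create mail hash:net family inet hashsize 1024 maxelem 65536
add mail 203.0.113.7
add mail 198.51.100.0/24 timeout 3600
add mail 203.0.113.7
add mail 198.51.100.42
create mail6 hash:ip family inet6 hashsize 1024 maxelem 65536
add mail6 2001:db8::1
add mail6 2001:db8:1::/48 comment "abuse report"
add mail not-an-address
"""


def parse_ipset_save(text):
    """Return (v4, v6, rejected): collapsed lists of IPv4Network/IPv6Network
    objects, plus the raw entries that were not valid addresses or prefixes."""
    v4, v6, rejected = set(), set(), []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "add":
            continue  # 'create' lines and blanks carry no elements
        try:
            net = ipaddress.ip_network(parts[2], strict=False)
        except ValueError:
            rejected.append(parts[2])
            continue
        (v4 if net.version == 4 else v6).add(net)
    # collapse_addresses removes duplicates and hosts already inside a wider
    # prefix, which nft would otherwise reject as conflicting intervals
    return (list(ipaddress.collapse_addresses(sorted(v4))),
            list(ipaddress.collapse_addresses(sorted(v6))),
            rejected)


def nft_element(net):
    """Host entries as bare addresses, everything else in CIDR notation."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return str(net)


def render_set(name, addr_type, nets):
    """One nft set block; 'flags interval' only when some element is a prefix."""
    lines = [f"    set {name} {{", f"        type {addr_type}"]
    if any(n.prefixlen < n.max_prefixlen for n in nets):
        lines.append("        flags interval")
    if nets:
        lines.append("        elements = { " + ", ".join(map(nft_element, nets)) + " }")
    lines.append("    }")
    return "\n".join(lines) + "\n"


def render_table(v4, v6, ports=MAIL_PORTS, device=None):
    """inet/input table by default; netdev/ingress bound to `device` if given."""
    port_set = ", ".join(str(p) for p in ports)
    if device is None:
        head = "table inet firewall {\n"
        chain = ("    chain input {\n"
                 "        type filter hook input priority 0; policy accept;\n")
    else:
        head = "table netdev filter {\n"
        chain = ("    chain ingress {\n"
                 f"        type filter hook ingress device {device} priority -500; policy accept;\n")
    return (head
            + render_set("mail_ipv4", "ipv4_addr", v4)
            + render_set("mail_ipv6", "ipv6_addr", v6)
            + chain
            + f"        tcp dport {{ {port_set} }} ip saddr @mail_ipv4 counter drop\n"
            + f"        tcp dport {{ {port_set} }} ip6 saddr @mail_ipv6 counter drop\n"
            + "    }\n}\n")


def convert(ipset_text, device=None):
    """ipset save text -> (nft ruleset text, list of rejected entries)."""
    v4, v6, rejected = parse_ipset_save(ipset_text)
    return render_table(v4, v6, device=device), rejected


if __name__ == "__main__":
    import sys
    ruleset, rejected = convert(SAMPLE_IPSET_SAVE)
    sys.stdout.write(ruleset)
    for entry in rejected:
        sys.stderr.write(f"skipped unparseable entry: {entry}\n")
```

Typical use is to feed it the real dump, check the result before applying it, and then verify what the kernel holds: `ipset save | python3 ipset2nft.py > /etc/nftables/mail.conf` (after swapping `SAMPLE_IPSET_SAVE` for `sys.stdin.read()`), `nft -c -f /etc/nftables/mail.conf` for a syntax-only dry run, `nft -f /etc/nftables/mail.conf` to load, and `nft list set inet firewall mail_ipv4` to confirm the elements. Entries the script rejects (anything that is not a bare address or prefix, e.g. `hash:ip,port` members) are printed to stderr so they are not silently dropped from the blocklist.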