|
Nftables rules and tables dissapiered after reboot!
Hello, dear forum! Many times i used this place to got info about debian and all my question was resolved. But with nftables i got stuck. I use Debian Buster and tried nftables this way:
1. First, i blocked iptables to prevent mess Code:
iptables -Fnft add table inet filter and so on 3. I saved my ruleset Code:
sudo nft list ruleset > /etc/nftables.conf4. I installed netfilter-persistent and this command said me OK Code:
sudo service netfilter-persistent saveI googled a lot for a few days but nothing works. If you have working solution, please, share it! |
Although I am not aware of netfilter-persistent and don't know what it does, it shouldn't be necessary. Buster, as I understand it, uses systemd, not sysvinit. So all you should need is nftables itself which is configured through /etc/nftables.conf.
Under systemd installing and/or running a service is not enough to have it activated across sessions/reboots. You also have to enable it. Set up nftables the way you want it through /etc/nftables.conf. You start and stop it by Code:
sudo systemctl start nftablesCode:
sudo systemctl stop nftablesCode:
sudo systemctl enable nftablesBy the way, if the systemd commands claim nftables is masked then remove iptables and install nftables. |
That's works. Agillator, thank you very much!
I found info about netfilter-persistent in internet. i think it is plugin and does the same job as Quote:
I am not shure - should i put Quote:
|
First, the commands you showed for flushing the firewall are iptables commands and you are using nftables so they don't apply!
At the beginning of your nftables.conf file you should put Code:
flush rulesetCode:
sudo nft flush rulesetA sample, bare bones configuration (/etc/nftables.conf) that accepts everything but is a good starting point would be Code:
#!/usr/sbin/nft -f |
Thank you a lot for Linux Security book! I am ready to pay for book, because i spent lots of money when try to clean my hacked laptop in service.:) Now i search for info by myself. It's the best way i think. I put
Quote:
I put also counter Quote:
Quote:
Thank you very much for your explanation, it's very helpfull! If you advice me good linux system book i will be very greatfull. |
Thank you a lot for Linux Security book! I am ready to pay for book, because i spent lots of money when try to clean my hacked laptop in service.:) Now i search for info by myself. It's the best way i think. I put
Quote:
I put also counter Quote:
Quote:
Thank you very much for your explanation, it's very helpfull! If you advice me good linux system book i will be very greatfull. |
At least part of what you are seeing is the work the system is always doing behind the scenes. One thing you probably have not done is allowed the loopback interface, lo. The system uses this to communicate with itself, so if you have set policies to DROP and not allowed the firewall to accept traffic on lo you will have lots of drops and also will find that many things on the system do not work right. One of the things any guide to firewalls using any system will tell you to do is to add a rule accepting traffic on the lo interface. Programming a firewall from scratch can really be somewhat complicated which is why you really do need a good guide to go by.
Another gotcha that can bite: opening ssh. Assume you are working on a remote computer with no physical access. You are using ssh to access it. You decide to set your policies to be fairly restrictive which is a good idea (AT THE RIGHT TIME!). So, you set INPUT and FORWARD to DROP which keeps the world from getting in unwanted and set OUTPUT to ACCEPT which allows you to contact the world. Makes sense EXCEPT you have now blocked all external ssh input including yourself! You are now locked out with no way to get in unless you have physical access to open things up again. And even if you do give yourself ssh access first you still have problems because the outside world cannot respond to your contacts so you have to enable what is called 'Connection Tracking' which requires a system module to be turned on and the appropriate rules added to the firewall. It is things like this that you would not know unless you have a good guide to follow at least the first time. Your willingness to buy a book is excellent. The information can be found for free on the internet but having a book makes it always available and at your fingertips. |
Agillator, thank you for lot's of userful information! I set all connections to DROP, but in OUTPUT chain i still see number of packets. So, my nftables.conf file looks like that:
Quote:
So, there is two ways: 1. System uses this to communicate with itself. 2. Laptop still on remote control and packets goes through it despite on OUTPUT DROP. I think i need use 'Connection Tracking' as you said and admin tools. I need to see where outgoing packets starting, server, protocol, port, network frequency et so on. Starting reading book :) |
hello i see first result in google
is also more book for nftable recommendation?? good for learn |
Try this:
Code:
nft list ruleset > /etc/nftables.rulesCode:
table inet filter { |
| All times are GMT -5. The time now is 06:12 AM. |