Nftables rules and tables dissapiered after reboot!
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Nftables rules and tables dissapiered after reboot!
Hello, dear forum! Many times i used this place to got info about debian and all my question was resolved. But with nftables i got stuck. I use Debian Buster and tried nftables this way:
1. First, i blocked iptables to prevent mess
Code:
iptables -F
ip6tables -F
2. After that i created my ruleset
nft add table inet filter
and so on
3. I saved my ruleset
Code:
sudo nft list ruleset > /etc/nftables.conf
And it was saved right in place/
4. I installed netfilter-persistent and this command said me OK
Code:
sudo service netfilter-persistent save
But when i reboot my nftables rules and tables dissapiered!
I googled a lot for a few days but nothing works. If you have working solution, please, share it!
Although I am not aware of netfilter-persistent and don't know what it does, it shouldn't be necessary. Buster, as I understand it, uses systemd, not sysvinit. So all you should need is nftables itself which is configured through /etc/nftables.conf.
Under systemd installing and/or running a service is not enough to have it activated across sessions/reboots. You also have to enable it.
Set up nftables the way you want it through /etc/nftables.conf. You start and stop it by
Code:
sudo systemctl start nftables
and
Code:
sudo systemctl stop nftables
When it runs the way you want it to, enable it with
Code:
sudo systemctl enable nftables
Now when you boot nftables will automatically start with the configuration in your /etc/nftables.conf. Changing the conf file will change the setup the next time it initializes, of course.
By the way, if the systemd commands claim nftables is masked then remove iptables and install nftables.
First, the commands you showed for flushing the firewall are iptables commands and you are using nftables so they don't apply!
At the beginning of your nftables.conf file you should put
Code:
flush ruleset
That flushes everything anytime you start nftables. You don't need to do anything else unless you are entering firewall rules manually from the terminal or through a script. Then your first instruction would be
Code:
sudo nft flush ruleset
but it is easiest to just to edit your nftables.conf file and restart through systemctl. That actually saves a lot of trouble.
A sample, bare bones configuration (/etc/nftables.conf) that accepts everything but is a good starting point would be
This, in effect, removes the firewall since it accepts everything from anywhere but is a good neutral starting point for programming a firewall. But, if you are going to program your firewall yourself you really need to get a good reference. There are a number of good books available. The one I use is "Linux Firewalls" Fourth Edition by Steve Suehring available through Amazon. It isn't cheap, none of them are, but that one is complete and deals with both iptables and nftables.
Thank you a lot for Linux Security book! I am ready to pay for book, because i spent lots of money when try to clean my hacked laptop in service. Now i search for info by myself. It's the best way i think. I put
Quote:
flush ruleset
at the beginning of nftables.conf file.
I put also counter
Quote:
type filter hook input priority 0; counter; policy drop
Because i need to understand where i have a gap in my system. And i was surprised when i found this
Thank you a lot for Linux Security book! I am ready to pay for book, because i spent lots of money when try to clean my hacked laptop in service. Now i search for info by myself. It's the best way i think. I put
Quote:
flush ruleset
at the beginning of nftables.conf file.
I put also counter
Quote:
type filter hook input priority 0; counter; policy drop
Because i need to understand where i have a gap in my system. And i was surprised when i found this
At least part of what you are seeing is the work the system is always doing behind the scenes. One thing you probably have not done is allowed the loopback interface, lo. The system uses this to communicate with itself, so if you have set policies to DROP and not allowed the firewall to accept traffic on lo you will have lots of drops and also will find that many things on the system do not work right. One of the things any guide to firewalls using any system will tell you to do is to add a rule accepting traffic on the lo interface. Programming a firewall from scratch can really be somewhat complicated which is why you really do need a good guide to go by.
Another gotcha that can bite: opening ssh. Assume you are working on a remote computer with no physical access. You are using ssh to access it. You decide to set your policies to be fairly restrictive which is a good idea (AT THE RIGHT TIME!). So, you set INPUT and FORWARD to DROP which keeps the world from getting in unwanted and set OUTPUT to ACCEPT which allows you to contact the world. Makes sense EXCEPT you have now blocked all external ssh input including yourself! You are now locked out with no way to get in unless you have physical access to open things up again. And even if you do give yourself ssh access first you still have problems because the outside world cannot respond to your contacts so you have to enable what is called 'Connection Tracking' which requires a system module to be turned on and the appropriate rules added to the firewall. It is things like this that you would not know unless you have a good guide to follow at least the first time. Your willingness to buy a book is excellent. The information can be found for free on the internet but having a book makes it always available and at your fingertips.
Agillator, thank you for lot's of userful information! I set all connections to DROP, but in OUTPUT chain i still see number of packets. So, my nftables.conf file looks like that:
Thank you for point to lo interface. I got lot's of userful info from your posts and need time to learn it.
So, there is two ways:
1. System uses this to communicate with itself.
2. Laptop still on remote control and packets goes through it despite on OUTPUT DROP. I think i need use 'Connection Tracking' as you said and admin tools. I need to see where outgoing packets starting, server, protocol, port, network frequency et so on.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
Now i search for info by myself. It's the best way i think. I put 
