Incorrect rules in case if nftables is already present and activated #112

Open · lokapal opened this issue Nov 7, 2023 · 2 comments
Labels: bug (Something isn't working)

@lokapal commented Nov 7, 2023

Hello!

Thanks a lot for your script, but it took me a few hours to find out why nothing works as it should on a computer with nftables already activated. In this case these rules ARE incorrect, or at least the config is incomplete:

PostUp = nft add chain inet filter %i-forward "{ type filter hook forward priority 0; }"
PostUp = nft add rule inet filter %i-forward iifname %i accept
PostUp = nft add rule inet filter %i-forward oifname %i ct state related,established accept

You should check the presence of the "main" forwarding chain and add rules to it like:

nft list ruleset | grep forward

or something similar. If something is found, then CORRECT rules are:

PostUp = nft add chain inet filter forward "{ type filter hook forward priority 0; }"
PostUp = nft add rule inet filter forward iifname %i accept
PostUp = nft add rule inet filter forward oifname %i ct state related,established accept

You can leave your commands as they are, but then you should add to the main forward chain something like `jump %i-forward`. I didn't check it out; it's the common nftables idea for extending the standard filters: jump from them to custom chains.
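As an added example (not the project's own code and not part of the comment above): a small POSIX shell helper that performs the "is there already a forward chain?" check described above against `nft list ruleset` output and prints the matching wg-quick `PostUp`/`PostDown` lines. When a base chain on the forward hook already exists it emits the jump-to-custom-chain variant; otherwise it emits the project's original dedicated-base-chain variant. The interface name `wg0` and the `inet filter` table are assumptions, and both rulesets in the block are constructed samples, not output captured from a real host.

```shell
#!/bin/sh
# Added example, not part of the wg-hub project or of the issue comment: detect whether
# the host already has an nftables base chain on the forward hook and print matching
# wg-quick PostUp/PostDown lines. Interface and table names are assumptions; the two
# rulesets below are constructed samples, not captured from a real host.

# Constructed: what `nft list ruleset` prints on a host whose firewall already owns
# the forward hook (Debian-style /etc/nftables.conf with a drop policy).
RULESET_WITH_FORWARD='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}'

# Constructed: a host with no base chain on the forward hook at all.
RULESET_WITHOUT_FORWARD='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
	}
}'

# Read `nft list ruleset` output on stdin; print "family table chain" of the first
# base chain hooked at forward, or nothing if there is none.
find_forward_chain() {
	awk '
		/^table /                  { family = $2; table = $3 }
		/^[ \t]*chain /            { chain = $2 }
		/type filter hook forward/ { print family, table, chain; exit }
	'
}

# Print wg-quick hook lines for interface $1, in the shape that fits the host.
postup_lines() {
	iface=$1
	existing=$(find_forward_chain)
	if [ -n "$existing" ]; then
		set -- $existing   # $1=family $2=table $3=chain
		# A second base chain on the same hook does not help here: an accept verdict
		# only ends evaluation of its own base chain, and the existing chain's drop
		# policy still applies. So keep the per-interface rules in a regular chain and
		# jump to it from the head of the existing forward chain. PostDown looks up the
		# jump rule's handle because rules can only be deleted by handle.
		cat <<EOF
PostUp = nft add chain $1 $2 $iface-forward
PostUp = nft insert rule $1 $2 $3 jump $iface-forward
PostUp = nft add rule $1 $2 $iface-forward iifname $iface accept
PostUp = nft add rule $1 $2 $iface-forward oifname $iface ct state related,established accept
PostDown = nft -a list chain $1 $2 $3 | awk '/jump $iface-forward/ { print \$NF }' | xargs -rn1 nft delete rule $1 $2 $3 handle
PostDown = nft flush chain $1 $2 $iface-forward
PostDown = nft delete chain $1 $2 $iface-forward
EOF
	else
		# Nothing owns the forward hook yet, so a dedicated base chain is fine (this is
		# the shape of the original PostUp lines). `add table` is idempotent, so it is
		# safe to run it on every interface start.
		cat <<EOF
PostUp = nft add table inet filter
PostUp = nft add chain inet filter $iface-forward "{ type filter hook forward priority 0; }"
PostUp = nft add rule inet filter $iface-forward iifname $iface accept
PostUp = nft add rule inet filter $iface-forward oifname $iface ct state related,established accept
PostDown = nft flush chain inet filter $iface-forward
PostDown = nft delete chain inet filter $iface-forward
EOF
	fi
}

# Usage on a real host: `nft list ruleset | postup_lines wg0`. Here the constructed
# sample stands in for the live ruleset.
printf '%s\n' "$RULESET_WITH_FORWARD" | postup_lines wg0
```

The jump rule is inserted at the head of the existing chain so the interface's accepts are evaluated before that chain's own rules and before its drop policy; the chain is flushed before it is deleted because nft refuses to delete a chain that still holds rules or is still a jump target.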

@christianbur commented Dec 27, 2023

I have also changed my Debian 12 to nftables and unfortunately my WireGuard no longer works.
After a lot of testing, everything is working again with IPv4 NAT and public IPv6 addresses.
Attached is my nftables.conf; maybe this is helpful for someone.

The challenge was that I can't use the FORWARD chain because I use Docker. So you have to use DOCKER-USER, but there is a bug in Debian 12 nft/docker: moby/moby#46147.

#!/usr/sbin/nft -f

# content of /etc/nftables.conf
# validate: sudo nft -c -f /etc/nftables.conf
# install: systemctl enable nftables.service
# status:  systemctl status nftables.service
# show rules: nft list ruleset 2> /dev/null | more
# show logs: journalctl -f |grep nft-

define IF-INET = enp3s0
define IF-WG = wghub
define PORT-WG = 1234
define TRUST-SOURCE-v4 = { 10.60.0.0/16, 1.2.3.4 }
define TRUST-SOURCE-v6 = { fdab::/16, fdbb::/16 }

add table ip  filter
add table ip6 filter
add chain ip  filter INPUT   { type filter hook input   priority 0; policy accept; }
add chain ip6 filter INPUT   { type filter hook input   priority 0; policy accept; }
add chain ip  filter OUTPUT  { type filter hook output  priority 0; policy accept; }
add chain ip6 filter OUTPUT  { type filter hook output  priority 0; policy accept; }
add chain ip  filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip  filter DOCKER-USER
add chain ip6 filter DOCKER-USER
add chain ip  filter FORWARD-CB
add chain ip6 filter FORWARD-CB
add chain ip  filter FORWARD-WIREGARD
add chain ip6 filter FORWARD-WIREGARD

flush chain ip  filter INPUT
flush chain ip6 filter INPUT
flush chain ip  filter OUTPUT
flush chain ip6 filter OUTPUT
flush chain ip  filter DOCKER-USER
flush chain ip6 filter DOCKER-USER
flush chain ip  filter FORWARD-CB
flush chain ip6 filter FORWARD-CB
flush chain ip  filter FORWARD-WIREGARD
flush chain ip6 filter FORWARD-WIREGARD


add rule ip  filter DOCKER-USER oifname $IF-WG counter jump FORWARD-WIREGARD
add rule ip6 filter DOCKER-USER oifname $IF-WG counter jump FORWARD-WIREGARD
add rule ip  filter DOCKER-USER iifname $IF-WG counter jump FORWARD-WIREGARD
add rule ip6 filter DOCKER-USER iifname $IF-WG counter jump FORWARD-WIREGARD
add rule ip  filter DOCKER-USER counter jump FORWARD-CB
add rule ip6 filter DOCKER-USER counter jump FORWARD-CB

# these rules are set automatically by docker
#insert rule ip  filter DOCKER-USER counter return
#insert rule ip6 filter DOCKER-USER counter return

#################################################################################################################################
# INPUT
#################################################################################################################################

# loopback
add rule ip  filter INPUT iifname "lo" counter accept
add rule ip6 filter INPUT iifname "lo" counter accept

# already established connections
add rule ip  filter INPUT counter ct state vmap { invalid : drop, established : accept, related : accept }
add rule ip6 filter INPUT counter ct state vmap { invalid : drop, established : accept, related : accept }

# icmp
add rule ip  filter INPUT icmp   type echo-request counter accept
add rule ip6 filter INPUT icmpv6 type echo-request counter accept
add rule ip6 filter INPUT icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} counter accept

# broadcast,multicast
add rule ip  filter INPUT pkttype { broadcast,multicast} counter accept
add rule ip6 filter INPUT pkttype { broadcast,multicast} counter accept

# ssh
add rule ip  filter INPUT ct state new tcp dport 22 ip  saddr $TRUST-SOURCE-v4 counter accept comment "ssh"
add rule ip6 filter INPUT ct state new tcp dport 22 ip6 saddr $TRUST-SOURCE-v6 counter accept comment "ssh"

# wireguard
add rule ip  filter INPUT ct state new udp dport $PORT-WG counter accept comment "wireguard"
add rule ip6 filter INPUT ct state new udp dport $PORT-WG counter accept comment "wireguard"

# logging
add rule ip  filter INPUT counter log prefix "nft-drop-INPUT: " flags tcp options flags ip options
add rule ip6 filter INPUT counter log prefix "nft-drop-INPUT: " flags tcp options flags ip options

# drop all
add rule ip  filter INPUT counter drop comment "drop-all"
add rule ip6 filter INPUT counter drop comment "drop-all"

#################################################################################################################################
# FORWARD-WIREGARD (in DOCKER-USER chain)
#################################################################################################################################

# already established connections
add rule ip  filter FORWARD-WIREGARD counter ct state vmap { invalid : drop, established : accept, related : accept }
add rule ip6 filter FORWARD-WIREGARD counter ct state vmap { invalid : drop, established : accept, related : accept }

# wireguard - internet
add rule ip  filter FORWARD-WIREGARD iifname $IF-WG oifname $IF-INET counter accept
add rule ip6 filter FORWARD-WIREGARD iifname $IF-WG oifname $IF-INET counter accept

# wireguard - not internet
#add rule ip  filter FORWARD-WIREGARD counter log prefix "nft-accept-WIREGARD: " flags tcp options flags ip options
#add rule ip6 filter FORWARD-WIREGARD counter log prefix "nft-accept-WIREGARD: " flags tcp options flags ip options
add rule ip  filter FORWARD-WIREGARD counter accept
add rule ip6 filter FORWARD-WIREGARD counter accept

# logging
add rule ip  filter FORWARD-WIREGARD counter log prefix "nft-drop-FORWARD-WIREGARD: " flags tcp options flags ip options
add rule ip6 filter FORWARD-WIREGARD counter log prefix "nft-drop-FORWARD-WIREGARD: " flags tcp options flags ip options

# drop all
add rule ip  filter FORWARD-WIREGARD counter drop comment "drop-all"
add rule ip6 filter FORWARD-WIREGARD counter drop comment "drop-all"

# forward to FORWARD chain
#add rule ip  filter FORWARD-WIREGARD counter return comment "return to DOCKER-USER chain"
#add rule ip6 filter FORWARD-WIREGARD counter return comment "return to DOCKER-USER chain"

#################################################################################################################################
# FORWARD-CB (in DOCKER-USER chain)
# debian 12 nft/docker bug: https://github.com/moby/moby/issues/46147
#################################################################################################################################

# already established connections
add rule ip  filter FORWARD-CB iifname $IF-INET counter ct state vmap { invalid : drop, established : accept, related : accept }
add rule ip6 filter FORWARD-CB iifname $IF-INET counter ct state vmap { invalid : drop, established : accept, related : accept }

# proxy-web
#add rule ip  filter FORWARD-CB iifname $IF-INET ct state new meta l4proto { tcp, udp } th dport { 80, 443 } counter accept comment "proxy-web"
#add rule ip6 filter FORWARD-CB iifname $IF-INET ct state new meta l4proto { tcp, udp } th dport { 80, 443 } counter accept comment "proxy-web"

# mailserver
#add rule ip  filter FORWARD-CB iifname $IF-INET ct state new tcp dport { 25, 465, 587, 993 } counter accept comment "mailserver"
#add rule ip6 filter FORWARD-CB iifname $IF-INET ct state new tcp dport { 25, 465, 587, 993 } counter accept comment "mailserver"

# logging
add rule ip  filter FORWARD-CB iifname $IF-INET counter log prefix "nft-drop-FORWARD-CB: " flags tcp options flags ip options
add rule ip6 filter FORWARD-CB iifname $IF-INET counter log prefix "nft-drop-FORWARD-CB: " flags tcp options flags ip options

# drop all
add rule ip  filter FORWARD-CB iifname $IF-INET counter drop comment "drop-all"
add rule ip6 filter FORWARD-CB iifname $IF-INET counter drop comment "drop-all"

# forward to FORWARD chain
add rule ip  filter FORWARD-CB counter return comment "return to DOCKER-USER chain"
add rule ip6 filter FORWARD-CB counter return comment "return to DOCKER-USER chain"

#################################################################################################################################
# POSTROUTING for wireguard - sees all packets after routing, just before they leave the local system.
#################################################################################################################################

# mss clamping for wireguard (MTU of the tunnel is smaller than the uplink)
add chain ip filter POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add rule  ip filter POSTROUTING iifname $IF-WG oifname $IF-INET counter tcp flags syn tcp option maxseg size set rt mtu comment "wireguard roadwarrior"

# ipv4 nat for wireguard
add table ip nat
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add rule  ip nat POSTROUTING iifname $IF-WG oifname $IF-INET counter masquerade comment "wireguard ipv4 masquerade"

@burghardt burghardt self-assigned this Jan 25, 2024
@burghardt burghardt added the bug Something isn't working label Jan 25, 2024
@burghardt (Owner) commented
I wanted to have multiple instances of forward chains for easier management (i.e. drop the whole chain when the interface is stopped). If they have different priorities it should be possible, but I think it needs more testing.

As for Docker, there is already a similar workaround for iptables. It probably needs to be mirrored to nftables.
