* nftables equivalent for iptables -m recent
From: Sig Pam @ 2020-01-20 14:48 UTC
  To: netfilter@vger.kernel.org

Hello, world!

I'd appreciate your help with the following issue on my Debian 10 system: converting the ruleset from iptables to nftables.

I'm using iptables to blacklist incoming packets for a short while. If somebody tries to scan my host, his IP address gets blacklisted for ten minutes.

The following rules are in use:

[…]
iptables -A Enemies -m recent --name psc --update --seconds 600 -j DROP
iptables -A Enemies -i eth0 -m tcp -p tcp --dport 1:21 -m recent --name psc --set -j PORTSCAN
iptables -A Enemies -i eth0 -m tcp -p tcp --dport 23:24 -m recent --name psc --set -j PORTSCAN
iptables -A Enemies -i eth0 -m tcp -p tcp --dport 26:79 -m recent --name psc --set -j PORTSCAN
[…]
(PORTSCAN then simply logs and drops the packet.)

Since Debian uses the iptables command to insert nftables rules, I look at them and get the following:

root@host:~# nft list ruleset
[…]
chain Enemies {
    # recent: UPDATE seconds: 600 name: psc side: source mask: 255.255.255.255 counter packets 0 bytes 0 drop
    iifname "eth0" meta l4proto tcp tcp dport 1-21 # recent: SET name: psc side: source mask: 255.255.255.255 counter packets 0 bytes 0 jump PORTSCAN
    iifname "eth0" meta l4proto tcp tcp dport 23-24 # recent: SET name: psc side: source mask: 255.255.255.255 counter packets 0 bytes 0 jump PORTSCAN
    iifname "eth0" meta l4proto tcp tcp dport 26-79 # recent: SET name: psc side: source mask: 255.255.255.255 counter packets 0 bytes 0 jump PORTSCAN
[…]

Obviously, the recent module of iptables is not converted to anything in nftables, and if I dump my ruleset generated by iptables with nft list ruleset > ruleset, flush iptables, and run the nftables rules (nft -f ruleset), I don't get the functionality of blocking for a while.

Can you please guide me and help me define a rule that blacklists IP addresses trying to open a specific TCP or UDP port (IPv4 and v6) for a defined time?

Thank you very much

Sig




* Re: nftables equivalent for iptables -m recent
From: kfm @ 2020-01-20 20:29 UTC
  To: netfilter@vger.kernel.org

On 20/01/2020 14:48, Sig Pam wrote:
> Hello, world!
> 
> I'd appreciate your help with the following issue on my Debian 10 with converting the ruleset from iptables to nftables.
> 
> I'm using iptables to blacklist incoming packets for a short while. If somebody tries to scan my host, his IP address gets blacklisted for ten minutes.
> 
> The following rules are in use:
> 
> […]
> iptables -A Enemies -m recent --name psc --update --seconds 600 -j DROP
> iptables -A Enemies -i eth0 -m tcp -p tcp --dport 1:21 -m recent --name psc --set -j PORTSCAN
> iptables -A Enemies -i eth0 -m tcp -p tcp --dport 23:24 -m recent --name psc --set -j PORTSCAN
> iptables -A Enemies -i eth0 -m tcp -p tcp --dport 26:79 -m recent --name psc --set -j PORTSCAN
> […]

This should do it:

table ip filter {
	set enemies {
		type ipv4_addr
		flags dynamic
		timeout 10m
	}

	chain portscan {
		iifname "eth0" tcp dport { 1-21, 23-24, 26-79 } \
			update @enemies { ip saddr }
		iifname "eth0" ip saddr @enemies log drop
	}

	# ...
}

See 
https://wiki.nftables.org/wiki-nftables/index.php/Updating_sets_from_the_packet_path.

-- 
Kerin Millar <kfm@plushkava.net>


* Re: nftables equivalent for iptables -m recent
From: Sig Pam @ 2020-01-23 19:25 UTC
  To: kfm@plushkava.net, netfilter@vger.kernel.org

This works:

table ip filter {
	set enemies {
		type ipv4_addr
		flags timeout
		timeout 5m
	}

	chain INPUT {
		type filter hook input priority 0; policy accept;

		iifname ens192 ip saddr @enemies \
			update @enemies { ip saddr }

		iifname ens192 tcp dport { 1-21, 23-24, 26-79 } \
			update @enemies { ip saddr }

		iifname ens192 ip saddr @enemies log drop
	}
}


First, the set "enemies" is defined with a 5-minute timeout.

In the INPUT chain,
- IP addresses already in the set are re-added and their ban is prolonged
- IP addresses trying to open one of the specified ports are newly put into the set
- if the IP source address is in the enemies set, the packet is dropped.

Thank you for your help!

Sig.
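The following ruleset is an added example, not code from either poster. It takes the dynamic-set technique from kfm's answer and Sig's working INPUT chain and applies it in an inet table, so it covers IPv4 and IPv6 and both TCP and UDP, which the original question asked for but the thread's rulesets do not handle. The interface name and port list are placeholders copied from the thread.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread: the same dynamic-set ban in an "inet"
# table so it covers IPv4 and IPv6, TCP and UDP. The interface name and the
# port list are placeholders taken from the thread; adjust them for the host.
# Check syntax without loading:  nft -c -f ban.nft    Load:  nft -f ban.nft

define BAN_IF = "eth0"
define BAN_PORTS = { 1-21, 23-24, 26-79 }

table inet filter {
	# One set per address family. "dynamic" lets rules add elements from the
	# packet path; "timeout" expires them after 10m (the -m recent --seconds 600).
	set enemies4 {
		type ipv4_addr
		flags dynamic, timeout
		timeout 10m
	}
	set enemies6 {
		type ipv6_addr
		flags dynamic, timeout
		timeout 10m
	}

	chain input {
		type filter hook input priority 0; policy accept;

		# Already banned: refresh the element's timer (like --update) and drop.
		# These rules come first so a banned host never reaches the log rules.
		iifname $BAN_IF ip saddr @enemies4 update @enemies4 { ip saddr } counter drop
		iifname $BAN_IF ip6 saddr @enemies6 update @enemies6 { ip6 saddr } counter drop

		# First contact with a watched port: record the source (like --set),
		# log and drop. One rule per address family and transport protocol;
		# "meta nfproto" keeps the set key's family explicit.
		iifname $BAN_IF meta nfproto ipv4 tcp dport $BAN_PORTS update @enemies4 { ip saddr } log prefix "portscan4 " drop
		iifname $BAN_IF meta nfproto ipv4 udp dport $BAN_PORTS update @enemies4 { ip saddr } log prefix "portscan4 " drop
		iifname $BAN_IF meta nfproto ipv6 tcp dport $BAN_PORTS update @enemies6 { ip6 saddr } log prefix "portscan6 " drop
		iifname $BAN_IF meta nfproto ipv6 udp dport $BAN_PORTS update @enemies6 { ip6 saddr } log prefix "portscan6 " drop
	}
}
```

Because the refresh rules come first, a host that keeps probing stays banned for as long as it keeps sending, exactly as Sig describes for the "prolonged" ban; remove those two rules to get a fixed 10-minute ban counted from the last port hit instead.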

