[SOLVED] Nftables Issue
by permaroot from LinuxQuestions.org on (#4RDRY)
Hey all. Just trying to familiarize myself with nftables with a simple objective to start with.
I want to only allow ssh from one local LAN IP address. I edited the default configuration to do this, however it won't work. I set the config to only accept ssh from 192.168.2.224, yet 192.168.2.227 can ssh into the machine.
I get no errors when reloading (which shows syntax errors) and also flush iptables and ip6tables before starting nftables.
Not sure where to begin troubleshooting, as the nftables wiki troubleshooting page only talks about troubleshooting errors.
Code:
#!/usr/bin/nft -f
# ipv4/ipv6 Simple & Safe Firewall
# you can find examples in /usr/share/nftables/

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # allow established/related connections
        ct state {established, related} accept

        # early drop of invalid connections
        ct state invalid drop

        # allow from loopback
        iifname lo accept

        # allow icmp
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # allow ssh
        tcp dport ssh ip saddr 192.168.2.224/27 accept

        drop
    }
    chain forward {
        type filter hook forward priority 0;
        drop
    }
    chain output {
        type filter hook output priority 0;
    }
}
# vim:set ts=2 sw=2 et:
Any help appreciated.
ETA: systemctl status nftables shows active: exited. I read that this is normal because it loads the rules then has no need to be running? Is this true?
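The ssh rule in the posted config explains the behaviour: 192.168.2.224/27 is not one host but a 32-address prefix, 192.168.2.224 through 192.168.2.255, so 192.168.2.227 matches it and is accepted. A single host is written with no mask (or /32). The script below is an added example, not part of the original post: it reproduces the prefix comparison that nftables performs for "ip saddr" in plain POSIX sh so the mismatch can be checked offline without nft, prints a single-host version of the input chain (table and chain names and the 192.168.2.224 address are the post's own), and syntax-checks that ruleset with nft -c when nft is installed. The client addresses fed to it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the prefix match that
# "ip saddr 192.168.2.224/27" performs, to see why 192.168.2.227 is accepted,
# and emit the corrected single-host rule.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR PREFIX[/LEN]: succeed if ADDR lies inside the prefix.
# A bare address (no /LEN) is a single host, i.e. /32, exactly as nft treats it.
in_cidr() {
    addr=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    len=${2#*/}
    if [ "$len" = "$2" ]; then
        len=32
    fi
    if [ "$len" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
    fi
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# Print the single-host version of the posted input chain. Table and chain
# names are the ones from the post; only the ssh rule changes (no /27).
corrected_ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # one host only: no mask (or /32), not /27
        ip saddr 192.168.2.224 tcp dport ssh accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0;
    }
}
EOF
}

# Show the verdict for a few constructed client addresses against both rules.
for client in 192.168.2.224 192.168.2.227 192.168.2.255 192.168.3.1; do
    for rule in 192.168.2.224/27 192.168.2.224; do
        if in_cidr "$client" "$rule"; then verdict=accept; else verdict=drop; fi
        printf '%-14s vs %-18s -> %s\n' "$client" "$rule" "$verdict"
    done
done

# Syntax-check the corrected ruleset without loading it, when nft is present
# (nft -c opens a netlink socket, so run as root for a real check).
if command -v nft >/dev/null 2>&1; then
    tmp=$(mktemp)
    corrected_ruleset > "$tmp"
    nft -c -f "$tmp" && echo "nft -c: ruleset parses" || echo "nft -c failed (run as root?)"
    rm -f "$tmp"
fi
```

After loading the corrected file, `nft list ruleset` shows what the kernel actually holds, which is the thing to compare against the file rather than the absence of syntax errors. On the systemd question: nftables.service is a oneshot unit with RemainAfterExit set, so "active (exited)" is the normal state once the rules are loaded; there is no daemon that stays running.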