NFTables Knocking
by glennbtn from LinuxQuestions.org on (#4XRMC)
Hi All
I'm just trying to get my head around nftables and wanted to implement the port-knocking feature for SSH access. I found the following on a wiki, but whenever I restart nftables I get the errors below, and I'm hoping someone can advise.
/etc/nftables.conf:39:70-72: Error: syntax error, unexpected add, expecting newline or semicolon
tcp dport 456 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 10s}
^^^
/etc/nftables.conf:40:70-72: Error: syntax error, unexpected add, expecting newline or semicolon
tcp dport 456 ip6 saddr . tcp dport @candidates_ipv6 add @clients_ipv6 {ip6 saddr timeout 10s}
This is the script; of course I won't use these ports in production.
# Port-knocking front end for the guarded TCP ports (nftables wiki example).
# A source must hit 123, 234, 345 and 456 in that order, each within 1s of the
# previous knock; progress is tracked in the short-lived "candidates" sets and
# completing the sequence puts the address into "clients" for 10s, which is
# what unlocks $guarded_ports at the bottom of the chain.
# $guarded_ports is not defined in this listing; nft needs a
# "define guarded_ports = { ... }" earlier in the file or the rules will not load.
# Knocking only gates reachability of the port; sshd's own authentication
# hardening still applies to whoever gets through.
table inet portknock {
# Sources that completed the sequence; entries expire (flags timeout).
set clients_ipv4 {
type ipv4_addr
flags timeout
}
set clients_ipv6 {
type ipv6_addr
flags timeout
}
# In-progress sequences keyed by "source address . next expected port".
set candidates_ipv4 {
type ipv4_addr . inet_service
flags timeout
}
set candidates_ipv6 {
type ipv6_addr . inet_service
flags timeout
}
chain input {
# priority -10 runs ahead of a default-priority filter chain, and policy accept
# means this chain only decides the fate of traffic to $guarded_ports.
type filter hook input priority -10; policy accept;
iifname "lo" return
# Step 1: any connection attempt to 123 records "saddr now expects 234" for 1s.
tcp dport 123 add @candidates_ipv4 {ip saddr . 234 timeout 1s}
tcp dport 123 add @candidates_ipv6 {ip6 saddr . 234 timeout 1s}
# Steps 2 and 3: only advance when the source was waiting for exactly this port.
tcp dport 234 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 345 timeout 1s}
tcp dport 234 ip6 saddr . tcp dport @candidates_ipv6 add @candidates_ipv6 {ip6 saddr . 345 timeout 1s}
tcp dport 345 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 456 timeout 1s}
tcp dport 345 ip6 saddr . tcp dport @candidates_ipv6 add @candidates_ipv6 {ip6 saddr . 456 timeout 1s}
# Step 4: the final knock admits the source for 10s and is logged. This is the
# only logging in the chain; failed or out-of-order knocks leave no trace.
# NOTE(review): the reported syntax error points at "add" on these two rules
# while the same construct parses on the rules above, so it is presumably
# nft-version dependent; validate the file with "nft -c -f /etc/nftables.conf"
# and compare "nft --version" with what the wiki example assumes.
tcp dport 456 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 10s} log prefix "Successful portknock: "
tcp dport 456 ip6 saddr . tcp dport @candidates_ipv6 add @clients_ipv6 {ip6 saddr timeout 10s} log prefix "Successful portknock: "
# Admitted sources and already-established flows reach the guarded ports
# (so a session outlives the 10s window); anything else gets a TCP reset.
tcp dport $guarded_ports ip saddr @clients_ipv4 counter accept
tcp dport $guarded_ports ip6 saddr @clients_ipv6 counter accept
tcp dport $guarded_ports ct state established,related counter accept
tcp dport $guarded_ports counter reject with tcp reset
}
}
Thanks
Glenn


I'm just trying to get my head around nftables and wanted to implement the port-knocking feature for SSH access. I found the following on a wiki, but whenever I restart nftables I get the errors below, and I'm hoping someone can advise.
/etc/nftables.conf:39:70-72: Error: syntax error, unexpected add, expecting newline or semicolon
tcp dport 456 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 10s}
^^^
/etc/nftables.conf:40:70-72: Error: syntax error, unexpected add, expecting newline or semicolon
tcp dport 456 ip6 saddr . tcp dport @candidates_ipv6 add @clients_ipv6 {ip6 saddr timeout 10s}
This is the script; of course I won't use these ports in production.
# Port-knocking front end for the guarded TCP ports (nftables wiki example).
# A source must hit 123, 234, 345 and 456 in that order, each within 1s of the
# previous knock; progress is tracked in the short-lived "candidates" sets and
# completing the sequence puts the address into "clients" for 10s, which is
# what unlocks $guarded_ports at the bottom of the chain.
# $guarded_ports is not defined in this listing; nft needs a
# "define guarded_ports = { ... }" earlier in the file or the rules will not load.
# Knocking only gates reachability of the port; sshd's own authentication
# hardening still applies to whoever gets through.
table inet portknock {
# Sources that completed the sequence; entries expire (flags timeout).
set clients_ipv4 {
type ipv4_addr
flags timeout
}
set clients_ipv6 {
type ipv6_addr
flags timeout
}
# In-progress sequences keyed by "source address . next expected port".
set candidates_ipv4 {
type ipv4_addr . inet_service
flags timeout
}
set candidates_ipv6 {
type ipv6_addr . inet_service
flags timeout
}
chain input {
# priority -10 runs ahead of a default-priority filter chain, and policy accept
# means this chain only decides the fate of traffic to $guarded_ports.
type filter hook input priority -10; policy accept;
iifname "lo" return
# Step 1: any connection attempt to 123 records "saddr now expects 234" for 1s.
tcp dport 123 add @candidates_ipv4 {ip saddr . 234 timeout 1s}
tcp dport 123 add @candidates_ipv6 {ip6 saddr . 234 timeout 1s}
# Steps 2 and 3: only advance when the source was waiting for exactly this port.
tcp dport 234 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 345 timeout 1s}
tcp dport 234 ip6 saddr . tcp dport @candidates_ipv6 add @candidates_ipv6 {ip6 saddr . 345 timeout 1s}
tcp dport 345 ip saddr . tcp dport @candidates_ipv4 add @candidates_ipv4 {ip saddr . 456 timeout 1s}
tcp dport 345 ip6 saddr . tcp dport @candidates_ipv6 add @candidates_ipv6 {ip6 saddr . 456 timeout 1s}
# Step 4: the final knock admits the source for 10s and is logged. This is the
# only logging in the chain; failed or out-of-order knocks leave no trace.
# NOTE(review): the reported syntax error points at "add" on these two rules
# while the same construct parses on the rules above, so it is presumably
# nft-version dependent; validate the file with "nft -c -f /etc/nftables.conf"
# and compare "nft --version" with what the wiki example assumes.
tcp dport 456 ip saddr . tcp dport @candidates_ipv4 add @clients_ipv4 {ip saddr timeout 10s} log prefix "Successful portknock: "
tcp dport 456 ip6 saddr . tcp dport @candidates_ipv6 add @clients_ipv6 {ip6 saddr timeout 10s} log prefix "Successful portknock: "
# Admitted sources and already-established flows reach the guarded ports
# (so a session outlives the 10s window); anything else gets a TCP reset.
tcp dport $guarded_ports ip saddr @clients_ipv4 counter accept
tcp dport $guarded_ports ip6 saddr @clients_ipv6 counter accept
tcp dport $guarded_ports ct state established,related counter accept
tcp dport $guarded_ports counter reject with tcp reset
}
}
Thanks
Glenn