1. Forum
  2. Usenet
  3. LINUX.DEBIAN.MAINT.FIREWA

  • nftables on openmediavault

    From =?UTF-8?Q?Fran=c3=a7ois_Patte?=@21:1/5 to All on Sun Jan 10 19:30:01 2021
    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --jMHHVFRFLklxfmynDmJKprgVAfxiUgNNp
    Content-Type: multipart/mixed;
    boundary="------------4989E57D126E483744B0F405"
    Content-Language: fr-FR

    This is a multi-part message in MIME format. --------------4989E57D126E483744B0F405
    Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: quoted-printable

    Bonjour,

    I installed openmediavault -- which a debian based distro --- on a
    server in order to build a NAS.

    I would like to use nftables as firewall, but I cannot get it working
    with my own rules.

    Whatever I write in the /etc/nftables.conf file, when I launch nftables

    nft -f /etc/nftables.conf
    or
    systemctl start nftables

    The command
    nft list ruleset -a
    returns:
    table inet filter { # handle 56
    chain input { # handle 1
    type filter hook input priority 0; policy accept;
    }

    chain forward { # handle 2
    type filter hook forward priority 0; policy accept;
    }

    chain output { # handle 3
    type filter hook output priority 0; policy accept;
    }
    }
    table ip filter { # handle 57
    chain INPUT { # handle 1
    type filter hook input priority 0; policy accept;
    }

    chain FORWARD { # handle 2
    type filter hook forward priority 0; policy accept;
    }

    chain OUTPUT { # handle 3
    type filter hook output priority 0; policy accept;
    }
    }

    So, I think that some script, somewhere, intercepts the nftables config
    but I don't understand how.

    Is there somebody here who knows that mediavault system or somebody who
    could give me a clue to find what is wrong?

    Thank you.

    PS. I asked this question on the openmediavault forum but can't get any answer.

    --
    François Patte
    UFR de mathématiques et informatique
    Laboratoire CNRS MAP5, UMR 8145
    Université Paris Descartes
    45, rue des Saints Pères
    F-75270 Paris Cedex 06
    Tél. +33 (0)6 7892 5822
    http://www.math-info.univ-paris5.fr/~patte
    FSF https://www.fsf.org/blogs/community/presenting-shoetool-happy-holidays-from-the-fsf

    --------------4989E57D126E483744B0F405
    Content-Type: application/pgp-keys;
    name="OpenPGP_0x744E82D9D855D895.asc"
    Content-Transfer-Encoding: quoted-printable
    Content-Disposition: attachment;
    filename="OpenPGP_0x744E82D9D855D895.asc"

    -----BEGIN PGP PUBLIC KEY BLOCK-----

    xsDiBEI1fdMRBACpPxrD/B2pHUPHchL+8QAOFZX35wLqvE5mUxUxLU6E0FvwXJ+A9R4FfpHelXiC aeO27hW4g3owes6eWEtZS1f6tXCoUWvLttLCodQcC/JQtnW72YujgvygjQKMKBWNRk+9YNGZ0an+ +BOarOSZDt+7xqvJXgSmJiwvUkO1T4362wCg2ER+jQO1M56UdFmhHaS/77jMEfUD/i26BuZu+RLl Q5bpiZIUOBsvegcXxL6sXi/uQy18bfhiKh4+5DDhfoQ+qOvmCSt227U+c8Qk+3KD2lDMrOqXfcX2 F+FVx1OOGr5tfIfgS1VXh4ED8Q2QxgwZIEqWmHpHTLOJq1Ant3HYhV7/52zOjB/uTXtg/tnhpB19 H/o1EhxoBACpOLfM
  • From Dennis Filder@21:1/5 to All on Sun Jan 10 20:40:01 2021
    On Sun, Jan 10, 2021 at 07:12:04PM +0100, François Patte wrote:
    So, I think that some script, somewhere, intercepts the nftables config but
    I don't understand how.

    I suspect you're running into the legacy compatibility converter for
    the old iptables rules (iptables-nft). IIRC that may kick in if it
    detects that some old iptables kernel modules have been loaded and
    overwrite your rules with the autoconverted old rules. If they are
    loaded you may have to manually unload them first.

    I run nftables and on my system the command

    lsmod | grep 'x_\|table\|nft'

    gives this output:

    iptable_filter 16384 0
    nft_fib_inet 16384 1
    nft_fib_ipv4 16384 1 nft_fib_inet
    nft_fib_ipv6 16384 1 nft_fib_inet
    nft_fib 16384 3 nft_fib_ipv6,nft_fib_ipv4,nft_fib_inet nft_counter 16384 28
    nft_redir_ipv6 16384 1
    nft_chain_nat_ipv6 16384 1
    nf_nat_ipv6 16384 1 nft_chain_nat_ipv6
    nft_redir_ipv4 16384 1
    nft_redir 16384 2 nft_redir_ipv6,nft_redir_ipv4
    nft_objref 16384 4
    nft_log 16384 13
    nf_tables_set 32768 28
    nft_ct 20480 92
    nft_chain_nat_ipv4 16384 1
    nf_nat_ipv4 16384 1 nft_chain_nat_ipv4
    nf_nat 36864 4 nf_nat_ipv6,nf_nat_ipv4,nft_redir_ipv6,nft_redir_ipv4
    nf_conntrack 172032 9 nf_nat,nft_ct,nf_nat_ipv6,nf_nat_ipv4,nf_conntrack_sip,nft_redir,nf_conntrack_netlink,nft_redir_ipv6,nft_redir_ipv4
    nf_tables 143360 448 nft_ct,nft_log,nft_chain_nat_ipv6,nft_chain_nat_ipv4,nft_fib_ipv6,nft_objref,nft_redir,nft_fib_ipv4,nft_counter,nft_redir_ipv6,nft_redir_ipv4,nf_tables_set,nft_fib,nft_fib_inet
    nfnetlink 16384 8 nf_conntrack_netlink,nf_tables
    ip_tables 28672 1 iptable_filter
    x_tables 45056 2 iptable_filter,ip_tables

    If you have e.g. iptable_mangle or any other of the ipt_ modules listed by

    ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_*

    loaded, unload them first with rmmod. For that you have to first
    flush the tables with iptables -F as otherwise the rules might prevent
    a module from being unloaded.

    Also some scripts may be thrown off if some symlinks are configured in
    a certain way through the update-alternatives subsystem.

    On my system

    update-alternatives --list iptables

    gives:

    /usr/sbin/iptables-legacy
    /usr/sbin/iptables-nft

    My symlink still points to iptables-legacy (which was probably the
    version that worked as I needed it during the migration), but since I
    no longer use that and have forgotten exactly how it affected all of
    this you may have to figure that out on your own. If all else fails
    you may have to uninstall any iptables packages altogether to
    eliminate all possible sources of interference.

    Good luck,
    Dennis.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)