• new to nft

    From François Patte@21:1/5 to All on Wed Jan 13 17:50:01 2021

    Hello,

    I am starting to use nftables and wrote these rules:

        chain input { # handle 1
            type filter hook input priority 0; policy drop;
            ct state established,related accept # handle 4
            ip saddr 192.168.1.0/24 accept # handle 5
            ip6 saddr fe80::/10 accept # handle 6
            ct state invalid drop # handle 7
            iifname "lo" accept # handle 8
            tcp dport 22222 accept # handle 9
            log # handle 10
        }

    I expect to block all traffic from anywhere except on the local network (192.168.1.0/24)

    Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

    I also expect to accept connections from the internet to port 22222.

    The last line "log" is (for me) supposed to log all dropped packets, am
    I right?

    For this last line, logwatch reports "logged packets on interface".
    logwatch with iptables reports "drop packets on the interface"

    Are these packets dropped or only logged?

    Thank you for your explanations.

    Regards.

    --
    François Patte
    UFR de mathématiques et informatique
    Laboratoire CNRS MAP5, UMR 8145
    Université Paris Descartes
    45, rue des Saints Pères
    F-75270 Paris Cedex 06
    Tél. +33 (0)6 7892 5822
    http://www.math-info.univ-paris5.fr/~patte
    FSF https://www.fsf.org/blogs/community/presenting-shoetool-happy-holidays-from-the-fsf

  • From Pascal Hambourg@21:1/5 to All on Wed Jan 13 20:20:02 2021
    On 13/01/2021 at 17:40, François Patte wrote:

    > I am starting to use nftables and wrote these rules:
    >     chain input { # handle 1
    >         type filter hook input priority 0; policy drop;
    >         ct state established,related accept # handle 4
    >         ip saddr 192.168.1.0/24 accept # handle 5
    >         ip6 saddr fe80::/10 accept # handle 6
    >         ct state invalid drop # handle 7
    >         iifname "lo" accept # handle 8
    >         tcp dport 22222 accept # handle 9
    >         log # handle 10
    >     }
    >
    > I expect to block all traffic from anywhere except on the local network (192.168.1.0/24)

    "on the local network" does not make any sense, and, this ruleset fails
    to drop all traffic from anywhere but 192.168.1.0/24 :

    > ct state established,related accept # handle 4

    accepts traffic from any address, and

    > iifname "lo" accept # handle 8

    accepts traffic from 127.0.0.0/8 and any local (host) address.

    > Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

    No. 192.168.1.0/24 is a private prefix. Addresses can be configured by
    any conventional method (static, DHCP...). They are routable.

    fe80::/10 is the link local prefix. Addresses are automatically assigned
    by the kernel itself. They are not routable.

    > The last line "log" is (for me) supposed to log all dropped packets, am
    > I right?

    No. It does not log packets already dropped by

    > ct state invalid drop # handle 7

    > For this last line, logwatch reports "logged packets on interface".
    > logwatch with iptables reports "drop packets on the interface"

    I wonder how logwatch knows the logged packets are dropped.

    > Are these packets dropped or only logged?

    What do you trust more? The chain default policy "drop" or logwatch?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Dennis Filder@21:1/5 to All on Wed Jan 13 23:00:02 2021
    On Wed, Jan 13, 2021 at 05:40:20PM +0100, François Patte wrote:

    > Is "fe80::/10" the ipv6 corresponding syntax for ipv4 192.168.1.0/24?

    That is the address range for link-local addresses assigned via
    stateless address autoconfiguration. Think of it as an IP address
    derived from the unique MAC address that gets automatically assigned.
    It's not routable, i.e. you can only communicate with computers on the
    local network, so you'd usually assign other IPv6 addresses that are
    routable.

    > I also expect to accept connections from the internet to port 22222.

    I would specify the incoming interface here, too, just for clarity.

    > The last line "log" is (for me) supposed to log all dropped packets, am I right?

    Yes.

    > For this last line, logwatch reports "logged packets on interface".
    > logwatch with iptables reports "drop packets on the interface"

    > Are these packets dropped or only logged?

    Both. The log messages should show up in the output of "dmesg". I
    usually use rules like this:

    log prefix "filter_inet:c_f_in " flags all

    This tells me which chain caused that log entry and some more details.
    You could also use:

    counter log prefix "filter_inet:c_f_in " flags all

    It should add a counter of how often that rule was matched. You can
    inspect it with "list ruleset" or by listing that rule by its handle.

    Regards,
    Dennis.

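    The ruleset below is an added example, written for this page and not posted by anyone in the thread. It puts together what the two replies say: the `ct state invalid drop` rule is moved ahead of a log rule of its own so that drops are not silent, fe80::/10 is treated as the link-local prefix it is rather than as a LAN range, and every terminal rule carries the `counter log prefix "..." flags all` form so that a kernel log line can be attributed to the chain that produced it. It assumes an `inet` family table (one chain for IPv4 and IPv6), an Internet-facing interface named `eth0`, the LAN 192.168.1.0/24 with a hypothetical unique-local IPv6 prefix `fd12:3456:789a::/48` as its counterpart, and a service on TCP 22222; none of those names or prefixes come from the original posts.

```nft
#!/usr/sbin/nft -f
# Added example, not from any post in this thread. Assumptions: family "inet"
# so one chain sees both IPv4 and IPv6; the Internet-facing interface is
# "eth0"; the LAN is 192.168.1.0/24 and its IPv6 counterpart is a
# hypothetical unique-local prefix fd12:3456:789a::/48; the service the
# Internet may reach listens on TCP 22222.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback. Matches only packets that arrived on "lo", i.e. traffic
        # the host sent to 127.0.0.0/8, ::1 or one of its own addresses.
        iifname "lo" accept

        # Invalid packets get their own log prefix and are dropped here. A
        # log rule at the end of the chain never sees them, so without the
        # log statement on this line they would be dropped silently.
        ct state invalid counter log prefix "filter_inet:c_f_in invalid " flags all drop

        # Replies to connections this host opened, from any source address.
        ct state established,related accept

        # Neighbour discovery and router advertisements arrive from fe80::/10
        # and must be allowed or IPv6 does not work on any interface. This is
        # the legitimate use of the link-local prefix; it is not a LAN range.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        icmp type echo-request accept

        # The LAN: the IPv4 private prefix and the ULA prefix assumed above.
        ip saddr 192.168.1.0/24 accept
        ip6 saddr fd12:3456:789a::/48 accept

        # The one service reachable from the Internet. Restricting it to the
        # WAN interface and to new connections keeps the rule readable in
        # "nft list ruleset" and makes its counter meaningful.
        iifname "eth0" tcp dport 22222 ct state new counter accept

        # Everything else: count it and log it with a prefix that names the
        # chain, then fall through to the drop policy. Because this is the
        # last rule, every packet it logs is a packet the policy drops.
        counter log prefix "filter_inet:c_f_in drop " flags all
    }
}
```

    Check the syntax with `nft -c -f input.nft` before loading it with `nft -f input.nft`. `nft -a list chain inet filter input` prints the rules with their handles (the `# handle N` comments in the original listing) and the current counter values, and `dmesg` or `journalctl -k` shows the logged packets; grep for `filter_inet:c_f_in` to pick them out. A kernel log line records the packet, not the verdict: the prefix is the only thing in it that tells you which rule fired, which is why the prefix should say what happens next.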