System and Network configuration • nftables script - configuration - errors

I'm running Debian and I've made the switch from iptables to nftables.
Unfortunately, not everything is going smoothly. Some of the most important settings I had in my iptables script are not working in my nftables script (/etc/nftables.conf).

The settings I've transcribed below, and others like them, all contained in the /etc/nftables.conf file, are not working in nftables:

# ------------------------------------------------------------------------------------------------------- #

#!/usr/sbin/nft -f

# ---------------------------------------------------- #
# Kernel settings #
# ---------------------------------------------------- #

## For details see:
## * http://www.securityfocus.com/infocus/1711

########## Enable IP spoofing protection (default is on) ##########
## i.e. drop spoofed packets coming in on an interface, which if replied to,
## would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

########## Ignore incoming ICMP echo-requests - i.e. disable ping (default is on) ##########
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

########## Enable broadcast/multicast echo protection (ignore broadcast/multicast pings) ##########
## i.e. ignore incoming ICMP echo-requests to broadcast/multicast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

########## Disable IP forwarding (default is off) ##########
echo 0 > /proc/sys/net/ipv4/ip_forward

########## Disable TCP Selective ACK (default is on) ##########
echo 0 > /proc/sys/net/ipv4/tcp_sack

########## Disable source routed packets (default is off) ##########
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f; done

# ------------------------------------------------------------------------------------------------------- #

These settings do not work, resulting in errors of this type:

/etc/nftables.conf:102:67-67: Error: syntax error, unexpected newline, expecting string or last
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

/etc/nftables.conf:105:6-6: Error: syntax error, unexpected number, expecting string or last
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all


Supposedly nftables is superior to iptables...
I wonder if anyone can help me with this issue.
Thanks in advance!

Statistics: Posted by zetetic — 2024-04-24 04:04 — Replies 0 — Views 19
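The errors quoted in the post come from nft itself: a file loaded with nft -f is parsed by nft, not executed by a shell, so for-loops and echo redirections into /proc/sys are syntax errors no matter where in the file they sit. The kernel tunables belong in sysctl, and only packet rules belong in the nft ruleset. The script below is an added example, not code from the post or from the nftables project; the file paths it writes to are hypothetical arguments, and the demonstration at the bottom only writes into a temporary directory. It emits the post's kernel settings as a sysctl drop-in, writes a small IPv4 ruleset in nft grammar that adds the firewall-side counterparts (nftables' own reverse-path check and an echo-request drop), and includes a checker that flags shell lines left in an nftables.conf.

```shell
#!/bin/sh
# Added example, not code from the original post. It separates the two kinds
# of settings the post mixes: kernel tunables (sysctl) and packet rules (nft).
# nft -f parses its input itself, so shell statements in /etc/nftables.conf
# are syntax errors. Paths passed to the functions are hypothetical.

# Report lines in an nftables.conf that are shell, not nft grammar.
# Prints "lineno: text" for each offender; exit status 1 if any were found.
find_shell_lines_in_nft_conf() {
    awk '
        /^[ \t]*#/ { next }   # comments, including the #!/usr/sbin/nft -f line
        /^[ \t]*$/ { next }   # blank lines
        /^[ \t]*(for|while|if|echo|sysctl)[ \t]/ {
            bad++
            printf "%d: %s\n", NR, $0
        }
        END { if (bad > 0) exit 1 }
    ' "$1"
}

# Write the kernel settings from the post as a sysctl drop-in.
# "all" covers interfaces that already exist and "default" covers interfaces
# created later, which together replace the for-loops over /proc/sys/net/ipv4/conf/*/.
write_sysctl_hardening() {
    cat > "$1" <<'EOF'
# Loaded at boot by systemd-sysctl, or immediately with: sysctl --system
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_all = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.ip_forward = 0
net.ipv4.tcp_sack = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
}

# Write a minimal IPv4 ruleset in nft grammar only. The fib rule is nftables'
# own reverse-path check and the icmp rule drops echo requests at the
# firewall; both complement (they do not replace) the sysctl settings above.
write_nft_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

# IPv4 only, matching the net.ipv4 keys in the sysctl drop-in
table ip filter {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;
        # drop packets whose source address would not be routed back out
        # through the interface they arrived on (anti-spoofing)
        fib saddr . iif oif missing drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        icmp type echo-request drop
        # service-specific accept rules (ssh and so on) go here
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Demonstration against a temporary directory; nothing on the real system changes.
demo_dir=$(mktemp -d)
write_sysctl_hardening "$demo_dir/90-hardening.conf"
write_nft_ruleset "$demo_dir/nftables.conf"
echo "wrote $demo_dir/90-hardening.conf and $demo_dir/nftables.conf"
```

To apply the split on a real host, copy the generated drop-in to a file under /etc/sysctl.d/ and run `sysctl --system`, then check the ruleset with `nft -c -f /etc/nftables.conf` before loading it; `find_shell_lines_in_nft_conf /etc/nftables.conf` lists any remaining shell lines with the line numbers nft would report.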
