
#1 2019-08-21 22:26:13

RJGarch
Member
Registered: 2019-08-21
Posts: 4

nftable

Hello,

I am trying to watch IPTV behind my firewall.

a) works without firewall

sudo systemctl stop nftables.service

b) works with the suggested firewall, but with the last command commented out

https://wiki.archlinux.org/index.php/Nf … orkstation

/etc/nftables.conf

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # accept ICMP & IGMP
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
                ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
                ip protocol igmp accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # count and drop any other traffic
--> comment out next line
#                counter drop
        }
}

c) does not work with the suggested firewall

https://wiki.archlinux.org/index.php/Nf … orkstation

/etc/nftables.conf

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # accept ICMP & IGMP
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept
                ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
                ip protocol igmp accept

                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # count and drop any other traffic
                counter drop
        }
}

Thanks for a hint.

Greetings,

RJGarch

Last edited by RJGarch (2019-08-22 11:08:27)


#2 2019-08-21 23:04:06

loqs
Member
Registered: 2014-03-06
Posts: 17,321

Re: nftable

Welcome to the Arch Linux forums, RJGarch. Please use code tags for commands and their outputs, code listings, etc.

Are you asking for help understanding the final rule, which drops all remaining incoming traffic and keeps a count of the number of times that rule is matched,
or for help finding the traffic the rule is dropping, which the IPTV would seem to require?
Edit:
For the latter, lsof or ss may help you identify the ports a process is using.

Last edited by loqs (2019-08-21 23:10:51)


#3 2019-08-25 19:29:48

RJGarch
Member
Registered: 2019-08-21
Posts: 4

Re: nftable

Hello,

I am trying to watch IPTV behind the firewall. I could not find any HOWTO on the internet about which rules should be applied to make it work.

IGMP is surely part of the solution.

Thanks in advance for any help.

Greetings,

RJGarch

Last edited by RJGarch (2019-08-25 19:30:14)


#4 2019-08-25 20:29:21

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: nftable



#5 2019-08-25 20:47:18

loqs
Member
Registered: 2014-03-06
Posts: 17,321

Re: nftable

RJGarch wrote:

I am trying to watch IPTV behind the firewall. I could not find any HOWTO on the internet about which rules should be applied to make it work.

This repeats your first post without adding anything.

RJGarch wrote:

IGMP is surely part of the solution.

Both configurations you posted allow IGMP.
What application is used for this IPTV service? Did you try my suggestions to identify the ports that application is using?
Have you tried allowing icmpv6, icmp, tcp or udp to identify whether it is one of those protocols?

ip protocol PROTOCOL accept


#6 2019-08-26 20:57:36

RJGarch
Member
Registered: 2019-08-21
Posts: 4

Re: nftable

Thank you loqs,

I have tried to find out more with:

lsof -i udp

I got the protocol (udp), the IP address and the port (commplex-main = 5000).

These two lines I have added to my config file:

ip daddr XXX.XX.X.XX accept
udp dport 5000 ct state new accept

I am not sure if this is the best solution.

/etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # accept ICMP & IGMP
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packe>
                ip protocol icmp icmp type { destination-unreachable, router-so>
                ip protocol igmp accept
                # activate the following line to accept common local services
                #tcp dport { 22, 80, 443 } ct state new accept

                # IPTV
                ip daddr XXX.XX.X.XX accept
                udp dport 5000 ct state new accept

                # count and drop any other traffic
                counter drop
        }
}


#7 2019-08-28 15:02:10

Lone_Wolf
Member
From: Netherlands, Europe
Registered: 2005-10-04
Posts: 11,911

Re: nftable

Not sure, but those lines look like:
A) any traffic from XXX.XX.X.XX will be accepted, and
B) traffic on UDP port 5000 will always be accepted, regardless of who sends it.
I doubt that's your intention.


Simple stateful firewall creates a chain specifically for UDP connections and sets things up in that new chain.

These snippets from  my own config should clarify that method.

# Input chain snippet
ip protocol udp ct state new jump UDP
ip protocol udp reject

# Separate chain snippet (same table)
chain UDP {
        udp dport some-port accept
}


#8 2019-08-30 07:12:30

RJGarch
Member
Registered: 2019-08-21
Posts: 4

Re: nftable

Hello Lone_Wolf,

Thanks for the hint!

I have implemented it right now.

#!/usr/bin/nft -f
flush ruleset

table inet filter {
        chain input {
                type filter hook input priority 0;

                # accept any localhost traffic
                iif lo accept

                # accept traffic originated from us
                ct state established,related accept

                # accept ICMP & IGMP
                ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packe>
                ip protocol icmp icmp type { destination-unreachable, router-so>
                ip protocol igmp accept

                # IPTV
                ip protocol udp ct state new jump UDP
                ip protocol udp reject

                # count and drop any other traffic
                counter drop
        }
        chain UDP {
                udp dport 5000 accept
        }
}
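As an added example (not code from the thread or from any poster), a small Python check that parses an nftables ruleset shaped like the ones above and flags accept rules whose only match is an address, the weakness Lone_Wolf pointed out in the `ip daddr XXX.XX.X.XX accept` line of post #6. Both rulesets are constructed for this example: they use 203.0.113.10 in place of the masked address and a `policy drop;` default instead of the posts' trailing `counter drop`.

```python
import re
# Constructed rulesets modelled on the thread's post #6 (weak) and post #8 (hardened);
# 203.0.113.10 stands in for the poster's masked IPTV address.
WEAK = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ip daddr 203.0.113.10 accept
        udp dport 5000 ct state new accept
    }
}
"""
HARDENED = """
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ip protocol udp ct state new jump UDP
        ip protocol udp reject
    }
    chain UDP {
        udp dport 5000 accept
    }
}
"""
ADDR = {"saddr", "daddr"}
NARROW = {"dport", "sport", "type", "protocol", "nexthdr", "iif", "state"}

def parse_chains(ruleset: str) -> dict:
    """Map chain name -> list of tokenised rules; comments and braces are skipped."""
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"chain (\S+) \{", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and line and line != "}":
            chains[current].append(line.split())
    return chains

def audit(ruleset: str) -> list:
    """Flag accept rules whose only match is an address: everything to/from that host gets in."""
    findings = []
    for name, rules in parse_chains(ruleset).items():
        for toks in rules:
            if toks[-1] == "accept" and ADDR & set(toks) and not NARROW & set(toks):
                findings.append(f"{name}: {' '.join(toks)}")
    return findings
```

Running `audit(WEAK)` reports the address-only rule in the input chain, while `audit(HARDENED)` returns nothing because the only UDP accept sits behind the state-gated jump into the UDP chain.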
