Can someone explain to me how I can log all dropped packets?
#!/bin/nft -f
# -f is needed in the shebang: without it nft treats the file name as a command
# Flush ruleset
flush ruleset
# Definitions
table inet filter {
    # Outgoing connections
    chain output {
        type filter hook output priority filter; policy accept;
        counter comment "Accept outgoing connections"
    }
    # Forwarding connections
    chain forward {
        type filter hook forward priority filter; policy drop;
        counter comment "Drop forwarding connections"
    }
    # Incoming connections
    chain input {
        type filter hook input priority filter; policy drop;
        counter comment "Drop incoming connections"
        iif lo counter accept comment "Accept any localhost traffic"
        ct state established,related counter accept comment "Accept traffic originated from us"
        ct state invalid counter drop comment "Drop invalid connections"
        log counter drop comment "Drop any other traffic"
    }
}
The last line with log does not work.
Last edited by t-sourcemaker (2025-05-15 16:32:48)
Not extensively tested, but something like this?
edit: formatting
#!/bin/nft -f
# -f is needed in the shebang: without it nft treats the file name as a command
# Flush ruleset
flush ruleset
# Definitions
table inet filter {
    # IP set for limiting log repetitions
    set log_limit {
        type ipv4_addr
        flags dynamic, timeout
        timeout 1m
        size 65536
    }
    # Outgoing connections
    chain output {
        type filter hook output priority filter; policy accept;
        counter comment "Accept outgoing connections"
    }
    # Forwarding connections
    chain forward {
        type filter hook forward priority filter; policy drop;
        counter comment "Drop forwarding connections"
    }
    # Incoming connections
    chain input {
        type filter hook input priority filter; policy drop;
        counter comment "Drop incoming connections"
        iif lo counter accept comment "Accept any localhost traffic"
        ct state established,related counter accept comment "Accept traffic originated from us"
        ct state invalid counter drop comment "Drop invalid connections"
        # Note: "ip saddr" only matches IPv4, so IPv6 packets skip both rules below
        # and are dropped by the chain policy without being logged
        ip saddr @log_limit counter return comment "Avoid logging repeats for 1 minute"
        log prefix "dropped: " add @log_limit { ip saddr } counter drop comment "Drop and log new connection attempts"
    }
}
Last edited by espresso (2025-05-15 20:49:52)
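Once the log rule fires, each dropped packet shows up as one key=value line in the kernel log (journalctl -k or dmesg), carrying the rule's prefix. The Python below is an added example, not code from the thread: it parses such lines and counts drops per source, protocol and destination port, using constructed sample lines in the kernel's nf_log format (the "dropped: " prefix is the one from the ruleset above).

```python
from collections import Counter

# Constructed sample lines in the shape the kernel writes for nft "log prefix";
# addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
May 15 20:51:02 host kernel: dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43210 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
May 15 20:51:03 host kernel: dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=43211 DF PROTO=TCP SPT=40113 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
May 15 20:51:05 host kernel: dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=32 TOS=0x00 PREC=0x00 TTL=113 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=12
May 15 20:51:06 host kernel: dropped: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:65:43:21:86:dd SRC=2001:db8::9 DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=7 SEQ=1
May 15 20:51:07 host sshd[123]: Accepted publickey for user from 192.0.2.50 port 51000
"""


def parse_nft_log_line(line, prefix="dropped: "):
    """Return the key=value fields of one nft log line, or None if the
    line does not carry the given log prefix."""
    pos = line.find(prefix)
    if pos < 0:
        return None
    fields, flags = {}, []
    for tok in line[pos + len(prefix):].split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            # UDP lines carry a second LEN= (the UDP length); keep the IP one
            fields.setdefault(key, value)
        else:
            flags.append(tok)  # bare tokens such as DF, SYN, ACK
    fields["FLAGS"] = flags
    return fields


def summarize_drops(log_text, prefix="dropped: "):
    """Count dropped packets per (source, protocol, destination port).
    ICMP/ICMPv6 lines have no DPT, so the ICMP TYPE is used instead."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_nft_log_line(line, prefix)
        if fields is None:
            continue
        key = (fields.get("SRC"), fields.get("PROTO"),
               fields.get("DPT", fields.get("TYPE")))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, dport), n in summarize_drops(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {src:<16} {proto:<6} -> {dport}")
```

On the live system, pipe journalctl -k output into summarize_drops instead of the constructed sample.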
The last line with log does not work.
It should - the syntax is O.K.
What is the live status of that rule:
sudo nft list table inet filter