You are not logged in.

Pages: 1

#1 2019-11-01 14:39:19

zoltix
Member
Registered: 2019-09-06
Posts: 11

How can I log packets dropped by policy in nftables?

hI,
I didn't understand  How can I log packets dropped by policy in nftables ?  

# ----- IPv4 -----
table ip filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
		iif lo accept comment "accept loopback"
		iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
		ip protocol icmp counter accept comment "accept all ICMP types"
		tcp dport 22 counter accept comment "accept SSH"
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 0; policy drop log;
		counter comment "count dropped packets"
	}

	# If you're not counting packets, this chain can be omitted.
	chain output {
		type filter hook output priority 0; policy accept;
		counter comment "count accepted packets"
	}
}


# ----- IPv6 -----
table ip6 filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
		iif lo accept comment "accept loopback"
		iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
		tcp dport 22 counter accept comment "accept SSH"
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		counter comment "count dropped packets"
	}

	# If you're not counting packets, this chain can be omitted.
	chain output {
		type filter hook output priority 0; policy accept;
		counter comment "count accepted packets"
	}
}

thanks you for your help ?

Last edited by zoltix (2019-11-01 14:40:22)

Offline

#2 2019-11-02 13:15:55

nl6720
The Evil Wiki Admin
Registered: 2016-07-02
Posts: 595

Re: How can I log packets dropped by policy in nftables?

You need to use the log action. Add it to the rules that drop packets and, if the filter's policy is drop, also add it as the last rule in the filter.

See https://wiki.nftables.org/wiki-nftables … ng_traffic .

Offline

Pages: 1

Board footer

Powered by FluxBB