You are not logged in.
Today is the first time that I have tried using nftables by configuring /etc/nftables.conf
For the emby-server to work, I would need to allow connections into port TCP 8096, 8092, and UDP 7359. I currently have no firewall because I want to allow connections to my emby-server
I am looking to allow connections to my Emby server from devices on my local network, TVs, and Androids. I wouldn't want to allow access to people outside of my network.
My current nftables.conf has a lot of copy&pasting, and I verified that it is valid with sudo nft -c -f /etc/nftables.conf
#!/usr/bin/nft -f
flush ruleset
# We declare an interface variable associated with our network card so that we can use $interface in our rules instead of "enp2s0".
define interface = { enp0s31f6, lo, Eddie }
# ----- IPv4 and IPv6 -----
table inet filter {
chain INPUT {
type filter hook input priority 0; policy drop;
# Emby-Server
iif != lo tcp dport 8096 accept
iif != lo tcp dport 8092 accept
iif != lo udp dport 7359 accept
# Local interface rules
ct state invalid counter drop comment "Drop invalid connections"
iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
iif lo accept comment "Accept any localhost traffic"
# ICMP traffic
ip protocol icmp counter accept comment "accept all ICMP types"
meta l4proto ipv6-icmp counter accept comment "accept all ICMPv6 types"
# Accept web traffic (ALL to PC : if related or established) : HTTP + HTTPS + HTTP/3 QUIC + DNS + NTP
iif $interface tcp sport { http, https, domain, ntp } ct state { related, established } counter accept comment "Accept Web Traffic TCP"
iif $interface udp sport { https, domain } ct state { related, established } counter accept comment "Accept Web Traffic UDP"
# Accept but trace all other INPUT traffic
log prefix "INPUT : " accept comment "log INPUT"
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
# FORWARD traffic is dropped and logged. There should be no network frames if the Linux PC is not in router mode.
log prefix "FORWARD : " drop comment "log FORWARD"
}
chain OUTPUT {
type filter hook output priority 0; policy drop;
# Local interface rules
oif lo accept comment "Accept any localhost traffic"
# ICMP traffic
ip protocol icmp counter accept comment "accept all ICMP types"
meta l4proto ipv6-icmp counter accept comment "accept all ICMPv6 types"
# Accept web traffic (PC to ALL : new, related and established) : HTTP + HTTPS + HTTP/3 QUIC + DNS + NTP
oif $interface tcp dport { http, https, domain, ntp } ct state { new, related, established } counter accept comment "Accept Web Traffic"
oif $interface udp dport { https, domain } ct state { new, related, established } counter accept comment "Accept Web Traffic"
# Accept but trace all other OUTPUT traffic
log prefix "OUTPUT : " accept comment "log out of rules traffic"
}
}I've also tried sticking with the default .conf that comes with the arch package and adding these ports under the chain input
tcp dport ( 8096, 8092 ) accept
udp dport ( 7359 ) acceptOffline
Moderator Note
moving to Networking, Server, and Protection
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Offline
Is there a question?
Assuming "it does not work", please post the output of
nft list ruleset- preferably w/
I've also tried sticking with the default .conf that comes with the arch package and adding
that appraoch.
I currently have no firewall
nb. that nft is some form of "firewall", everything operates on the kernels netfilter stack and https://wiki.archlinux.org/title/Uncomplicated_Firewall would simply add some nft rules.
Offline
I wouldn't want to allow access to people outside of my network.
What is "your network"? LAN with private addresses behind NAT or subnet in global address space? IPv4 or IPv6 or both?
It is practically impossible to configure firewall without knowing topology of the network.
chain INPUT {
...
# Emby-Server
iif != lo tcp dport 8096 accept
iif != lo tcp dport 8092 accept
iif != lo udp dport 7359 acceptHere you already accepting incoming traffic from any source except from loopback. I suppose this is not what you want.
Offline
Is there a question?
Assuming "it does not work", please post the output ofnft list ruleset- preferably w/
I've also tried sticking with the default .conf that comes with the arch package and adding
that appraoch.
I currently have no firewall
nb. that nft is some form of "firewall", everything operates on the kernels netfilter stack and https://wiki.archlinux.org/title/Uncomplicated_Firewall would simply add some nft rules.
Ok I see how I didn't form the question. When the nftables service is running I cannot access my emby-server from my roku tv's. I was looking for help configuring my nftables for my emby-server. I need the tcp ports 8096, 8092 and udp 7359 available only on my local network.
I was hoping somebody would spot something wrong with my nftables or give me advice on how properly configure this.
the output of nft list ruleset is : https://paste.ofcode.org/nuPupFnYtYD4H9YwpYVLDm
I pasted it there because it was long and would take up a lot of space.
I was hoping to use nfttables instead of a front end like ufw because I have been trying to learn but ufw might be the simplest way for me.
Offline
You want to delete that file because it holds all the IPs of the pornsites you've been visiting - what it does *not* show is any of the suggested rules.
I was hoping to use nfttables instead of a front end like ufw because I have been trying to learn
https://wiki.archlinux.org/title/Nftables#Usage
flush the ruleset and reload /etc/nftables.conf after the suggested trivial extension of the SSFW, then dump the rules again.
Offline
well theres no porn sites to be found. Nothing I'd be embarrassed about. but if its not helpful ill delete it
You want to delete that file because it holds all the IPs of the pornsites you've been visiting - what it does *not* show is any of the suggested rules.
I was hoping to use nfttables instead of a front end like ufw because I have been trying to learn
https://wiki.archlinux.org/title/Nftables#Usage
flush the ruleset and reload /etc/nftables.conf after the suggested trivial extension of the SSFW, then dump the rules again.
Offline
It was helpful in showing that there was actually no relevant rule.
=> try to focus on the non-porn related stuff ![]()
Offline
its kind of funny, I didnt have the nftables.service running. Sometimes I just have to take a break and try again later. Heres the output of nft list ruleset
table inet filter {
chain INPUT {
type filter hook input priority filter; policy drop;
iif != "lo" tcp dport 8096 accept
iif != "lo" tcp dport 8092 accept
iif != "lo" udp dport 7359 accept
ct state invalid counter packets 0 bytes 0 drop comment "Drop invalid connections"
iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
iif "lo" accept comment "Accept any localhost traffic"
ip protocol icmp counter packets 32 bytes 4510 accept comment "accept all ICMP types"
meta l4proto ipv6-icmp counter packets 6 bytes 1200 accept comment "accept all ICMPv6 types"
iif { "lo", "enp0s31f6", "tun0" } tcp sport { 53, 80, 123, 443 } ct state { established, related } counter packets 404 bytes 451189 accept comment "Accept Web Traffic TCP"
iif { "lo", "enp0s31f6", "tun0" } udp sport { 53, 443 } ct state { established, related } counter packets 8204 bytes 1891694 accept comment "Accept Web Traffic UDP"
log prefix "INPUT : " accept comment "log INPUT"
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
log prefix "FORWARD : " drop comment "log FORWARD"
}
chain OUTPUT {
type filter hook output priority filter; policy drop;
oif "lo" accept comment "Accept any localhost traffic"
ip protocol icmp counter packets 12 bytes 2751 accept comment "accept all ICMP types"
meta l4proto ipv6-icmp counter packets 0 bytes 0 accept comment "accept all ICMPv6 types"
oif { "lo", "enp0s31f6", "tun0" } tcp dport { 53, 80, 123, 443 } ct state { established, related, new } counter packets 204 bytes 49281 accept comment "Accept Web Traffic"
oif { "lo", "enp0s31f6", "tun0" } udp dport { 53, 443 } ct state { established, related, new } counter packets 12254 bytes 8027773 accept comment "Accept Web Traffic"
log prefix "OUTPUT : " accept comment "log out of rules traffic"
}
}Offline
I would need to allow connections into port TCP 8096, 8092, and UDP 7359
Documentation says that it should be TCP port 8920, not 8092.
Offline
However, you already have
chain INPUT {
...
log prefix "INPUT : " accept comment "log INPUT"
}
...
chain OUTPUT {
...
log prefix "OUTPUT : " accept comment "log out of rules traffic"
}So any incoming and outgoing traffic should pass (except invalid connstate and weird bogus loopback).
Is there any logged traffic in dmesg output?
Run
# dmesg -wand try to connect to the server. Do you see any messages with INPUT or OUTPUT prefix?
Also you can add temporary logging for new rules, i.e.
tcp dport { 8096, 8920 } accept log prefix "emby-server "
udp dport 7359 accept log prefix "emby-server "and check dmesg.
Just for clarification, are you configuring firewall on the same machine where emby-server run?
Offline
As "dimich" already hinted on: This nftables ruleset is mostly garbage.
A good starting point is the installation default:
#!/usr/bin/nft -f
# vim:set ts=2 sw=2 et:
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
destroy table inet filter
table inet filter {
chain input {
type filter hook input priority filter
policy drop
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iif lo accept comment "allow from loopback"
meta l4proto { icmp, icmpv6 } accept comment "allow icmp"
tcp dport ssh accept comment "allow sshd"
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter
}
chain forward {
type filter hook forward priority filter
policy drop
}
}Tidying it up would lead you to:
#!/usr/bin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state invalid drop
ct state {established, related} accept
iif lo accept
meta l4proto { icmp, icmpv6 } accept
counter log prefix "denied by input: "
}
chain forward {
type filter hook forward priority filter; policy drop;
counter log prefix "denied by forward: "
}
}This ruleset simply allows no new (incoming/forwarding) connections of any kind (except incoming ICMP and loopback traffic). It logs everything that's not allowed. Analyzing the logs will show you new incoming or new forwarding requests and you can decide to let them pass.
Offline