Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
and it doesn't like that either, I get errors about an unexpected meta.
My nftables.conf looks like this
Code:
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain base_checks {
# Drop invalid connections and allow established/related connections
ct state invalid drop
ct state {established, related} accept
}
chain input {
type filter hook input priority 0; policy drop;
jump base_checks
# Allow from loopback
iifname lo accept
iifname != lo ip daddr 127.0.0.1/8 drop
# New UDP traffic will jump to the UDP chain
ip protocol udp ct state new jump UDP
# New TCP traffic will jump to the TCP chain
tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP
# Everything else
ip protocol udp reject
ip protocol tcp reject with tcp reset
reject with icmpx type port-unreachable
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
ip6 nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept
# count and drop any other traffic
counter drop
# ---------------------------------------------------------------------------------
##CHAIN RULES
# TCP chain
set TCP_accepted {
type inet_service; flags interval;
elements = {1714-1764}
}
chain TCP {
tcp dport @TCP_accepted accept
}
# UDP chain
set UDP_accepted {
type inet_service; flags interval;
elements = {1714-1764}
}
chain UDP {
udp dport @UDP_accepted accept
}
}
I'd love to know what I did wrong here, help is appreciated.
I also want to have enp1s0 (usually called eth0) and tun0 (my VPN) be able to trust each other but I can't find anything for the syntax of that any ideas?
I'm trying to get rid of these messages in my logs:
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
