From: "Neal P. Murphy" <neal.p.murphy@alum.wpi.edu>
Cc: "netfilter@vger.kernel.org" <netfilter@vger.kernel.org>
Subject: Re: How can I block all traffic from an IP range, irrespective of origin, going to, or coming from, using nftables in Debian 10
Date: Fri, 4 Oct 2019 15:47:12 +0000	[thread overview]
Message-ID: <20191004114709.4acfd74f@playground> (raw)
In-Reply-To: <4fc65dba-dff0-4075-6ead-c63cd52efb36@thelounge.net>

On Fri, 4 Oct 2019 17:10:05 +0200
Reindl Harald <h.reindl@thelounge.net> wrote:

> Am 04.10.19 um 16:28 schrieb Jags:
> >> not sure about nftables but with iptables i would just place the drop
> >> stuff for 123.0.0.0/8 in -t raw PREROUTING because it's before conntrack
> >> and consider place it in a ipset for the case the list becomes longer
> >> because then you have only one rule and a lightning fast hash-lookup no
> >> matter how many entries
> > 
> > 
> > Yes, I noticed CPU spikes, and removed drop/reject rules immediately. Thought I would re-enable these rules only when I run a torrent client.
> > 
> > So should I just add a new table "raw" (and place this table at the top):
> > 
> > xxxxxxxxx
> > table inet raw {
> >         chain prerouting {
> >                 type filter hook prerouting priority 0; policy accept;
> >                 ip saddr 123.0.0.0/8 counter drop
> >         }
> >         chain output {
> >                 type filter hook output priority 0; policy accept;
> >                 ip daddr 123.0.0.0/8 counter reject
> >         }
> > }
> > xxxxxxxxx
> > 
> > 
> > Now do I need POSTROUTING chain in there too?
> > 
> > From Gentoo wiki for Nftables: https://wiki.gentoo.org/wiki/Nftables#Tables
> > 
> > "postrouting: This hook comes after the routing decision has been made, all packets leaving the machine hit this hook"  
> you don't need chains where you don't place rules
> 
> disclaimer: i use iptables and plan to switch to iptables-nft over the
> long, so nftables may have subtly different behavior
> 
> however, it turned out to have way better performance for a big firewall
> setup to place as much as possible in "-t mangle PREROUTING" (ct state
> invalid) and "-t raw PREROUTING" because less processing of packets

The top of mangle:PREROUTING is the best place to DROP packets you already know you never want to process, route or forward, such as INVALID packets, TEST net addresses, and blacklisted public IPs and IP ranges. But remember that you might not know all addresses until table filter when NAT is involved.

> 
> not sure if "table inet raw" has the same semantic (before conntrack,
> before routing) but if it can have a postrouting hook i doubt because
> that's not possible for "-t raw" in iptables given that in this table
> there is no routing decision possible
> 
> look at the image to get a picture, i can't help with nftables itself
> https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png

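An nftables ruleset that does what the thread discusses for iptables "-t raw", as an added example that is not from any message in the thread: the range is put in a set, and both chains hook at priority -300 (the "raw" priority, ahead of conntrack at -200), so blocked packets are dropped before conntrack or routing spends any work on them. The set name and the use of reject for locally generated traffic are this example's choices; 123.0.0.0/8 is the range from the thread.

```nft
#!/usr/sbin/nft -f
# Added example: block a range in both directions before conntrack sees it.
# Priority -300 is the "raw" priority in nftables; conntrack hooks
# prerouting and output at -200, so these chains run first, like
# "-t raw PREROUTING" / "-t raw OUTPUT" in iptables.

table inet raw {
        # A set with the interval flag accepts prefixes, so a growing block
        # list stays one lookup instead of one rule per range.
        set blocked_v4 {
                type ipv4_addr
                flags interval
                elements = { 123.0.0.0/8 }
        }

        chain prerouting {
                type filter hook prerouting priority -300; policy accept;
                # Anything arriving from or headed for the range, whether it
                # is for this host or would be forwarded, is dropped here.
                ip saddr @blocked_v4 counter drop
                ip daddr @blocked_v4 counter drop
        }

        chain output {
                type filter hook output priority -300; policy accept;
                # Locally generated traffic to the range: reject so the
                # application gets an immediate error instead of a timeout.
                ip daddr @blocked_v4 counter reject
        }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`; `nft list table inet raw` then shows the per-rule counters, which is the quickest way to confirm the block is actually being hit.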