* nftables static routing fails
From: david NEW @ 2020-01-13 21:13 UTC (permalink / raw)
  To: netfilter

hi,

I am trying to route a blocked IP set to IP:8080, where there is info about "you 
have been blocked"

table ip raw {
     set bad_ip {
         type ipv4_addr
         elements = { xxx.xxx.xxx.xxx }
     }

     chain prerouting {
         type filter hook prerouting priority -500; policy accept;
         ip saddr @bad_ip tcp dport { 80, 443 } ip daddr set xxx.xxx.xxx.xxx tcp dport set 8080 notrack
     }
}

netfilter doesn't complain about this rule but nothing 
happens... the connection timed out and nothing happened. I see no errors in 
the Apache2 logs.

I can see connection attempt in tcpdump but it is not redirected.

any suggestion, please?



* Re: nftables static routing fails
From: Daniel @ 2020-01-13 21:28 UTC (permalink / raw)
  To: netfilter


On 13/01/2020 at 22:13, david NEW wrote:
> hi,
>
> I am trying to route blocked ip set to IP:8080 where is info about 
> "you have been blocked"
>
> table ip raw {
>     set bad_ip {
>         type ipv4_addr
>         elements = { xxx.xxx.xxx.xxx }
>     }
>
>     chain prerouting {
>         type filter hook prerouting priority -500; policy accept;
>         ip saddr @bad_ip tcp dport { 80, 443 } ip daddr set xxx.xxx.xxx.xxx tcp dport set 8080 notrack
>     }
> }
>
> netfilter doesn't complain about this rule but nothing 
> happens...connection timed out and nothing happened. I see no errors 
> in Apache2 logs.
>
> I can see connection attempt in tcpdump but it is not redirected.
>
> any suggestion, please?


With nft 0.8.2 I couldn't make redirect work, I used dnat instead.

-- 
Daniel


* Re: nftables static routing fails
From: Florian Westphal @ 2020-01-13 21:40 UTC (permalink / raw)
  To: david NEW; +Cc: netfilter

david NEW <david@hajes.org> wrote:
> hi,
> 
> I am trying to route blocked ip set to IP:8080 where is info about "you have
> been blocked"
> 
> table ip raw {
>     set bad_ip {
>         type ipv4_addr
>         elements = { xxx.xxx.xxx.xxx }
>     }
> 
>     chain prerouting {
>         type filter hook prerouting priority -500; policy accept;
>         ip saddr @bad_ip tcp dport { 80, 443 } ip daddr set xxx.xxx.xxx.xxx tcp dport set 8080 notrack
>     }
> }
> 
> 
> netfilter doesn't complain about this rule but nothing happens...connection
> timed out and nothing happened. I see no errors in Apache2 logs.
> 
> I can see connection attempt in tcpdump but it is not redirected.

How do you know from tcpdump?  tcpdump occurs before port rewrite.

You should see syn to foo:80, then a syn-ack from xxx.xxx.xxx.xxx:8080.

As original client connected to foo:80, the syn-ack is dropped on client
side.

You need to add a reverse xlate rule if you really want this, or use
normal redirect via nat.


* Re: nftables static routing fails
From: david NEW @ 2020-01-13 21:59 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter

I ran "tcpdump port 80" and saw the incoming packet. Then I repeated the 
process watching port 8080 this time, but no packets were 
captured. I assumed it never went through.

I have never worked with tcpdump before so there may be some mistakes on 
my side.

I do not know what a "reverse xlate rule" is - can you show me how you would 
write this rule, please?

I do not care how it is written as long as the netfilter rule checks the source 
address (from the set) that asks for a connection to port 80, 443... and 
redirects it to IP:8080 where the web server error page awaits.

It is an IP or CIDR set/list of repeat attackers from the netfilter log, but I 
run a "commercial" web site and I want to inform blocked people who may be 
legitimate visitors.

Sadly, IPv4 blocking is a joke and most Internet users are unaware that 
they have become part of a botnet and their shared IP is blocked.


On 13/01/2020 22:40, Florian Westphal wrote:
> david NEW <david@hajes.org> wrote:
>> hi,
>>
>> I am trying to route blocked ip set to IP:8080 where is info about "you have
>> been blocked"
>>
>> table ip raw {
>>      set bad_ip {
>>          type ipv4_addr
>>          elements = { xxx.xxx.xxx.xxx }
>>      }
>>
>>      chain prerouting {
>>          type filter hook prerouting priority -500; policy accept;
>>          ip saddr @bad_ip tcp dport { 80, 443 } ip daddr set xxx.xxx.xxx.xxx tcp dport set 8080 notrack
>>      }
>> }
>>
>>
>> netfilter doesn't complain about this rule but nothing happens...connection
>> timed out and nothing happened. I see no errors in Apache2 logs.
>>
>> I can see connection attempt in tcpdump but it is not redirected.
> How do you know from tcpdump?  tcpdump occurs before port rewrite.
>
> You should see syn to foo:80, then a syn-ack from xxx.xxx.xxx.xxx:8080.
>
> As original client connected to foo:80, the syn-ack is dropped on client
> side.
>
> You need to add a reverse xlate rule if you really want this, or use
> normal redirect via nat.


* Re: nftables static routing fails
From: Florian Westphal @ 2020-01-13 22:33 UTC (permalink / raw)
  To: david NEW; +Cc: Florian Westphal, netfilter

david NEW <david@hajes.org> wrote:
> I did run "tcpdump port 80" where I saw incoming packet. Then repeated
> process but watching port 8080 this time but no packets have been captured.
> I assumed it never went through.
> 
> I have never worked with tcpdump before so there may be some mistakes on my
> side.
> 
> I do not know what is "reverse xlate rule" - can you show me how would you
> write this rule, please?

It won't work for your use case.

> I do not care how it is written as long as netfilter rule checks source
> address (from set) that asks for connection to port 80, 443...and redirects
> it to IP:8080 where web server error page awaits.

Use nat + redirect.

Stateless nat only works for simple use cases, like this for instance:
table inet crap {
        chain prerouting {
                type filter hook prerouting priority -500; policy accept;
                ip saddr 192.168.7.10 tcp dport { 80, 443 } ip daddr set 192.168.0.7 tcp dport set 8080 notrack
        }

        chain output {
                type route hook output priority -500; policy accept;
                tcp sport 8080 tcp sport set 80 ip saddr set 192.168.7.1
        }
}

This works, client connects to 192.168.7.1 80, but really talks to 192.168.0.7:8080.
The output rule is needed to reverse translate 192.168.0.7 to 192.168.7.1 and 8080 to 80.
Without it, you get

 192.168.7.10.39472 > 192.168.7.1.80: Flags [S], seq 16468682, win 64..
 192.168.0.7.8080 > 192.168.7.10.39472: Flags [S.], seq 47272, ack 16468683, win 65 ..
 192.168.7.10.39472 > 192.168.0.7.8080: Flags [R], seq 16468683

In your case, you don't have the original address anymore so you can't create the reverse rule.

table ip nat {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                ip saddr @bad tcp dport { 80, 443 } redirect to :8080
        }
}

will work because conntrack/nat handles the reverse translation.
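To make the difference between the stateless rewrite and the conntrack-based redirect concrete, here is an added Python model (not nft code and not from this thread) that replays the SYN/SYN-ACK exchange from the tcpdump output above through each configuration. The addresses are constructed from Florian's example; FRONT2 is an assumed second front address standing in for the case where the original destination is not known to the rule in advance, and the bad_ip source match is left out of the model.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses modelled on Florian's example; FRONT2 is assumed.
CLIENT, FRONT, FRONT2, BACKEND = "192.168.7.10", "192.168.7.1", "192.168.7.2", "192.168.0.7"

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str

def stateless_forward(p):
    # prerouting: tcp dport { 80, 443 } ip daddr set BACKEND tcp dport set 8080 notrack
    if p.dport in (80, 443):
        return replace(p, dst=BACKEND, dport=8080)
    return p

def stateless_reverse(p):
    # output: tcp sport 8080 tcp sport set 80 ip saddr set FRONT (address fixed in the rule)
    if p.src == BACKEND and p.sport == 8080:
        return replace(p, src=FRONT, sport=80)
    return p

class Conntrack:
    """Per-flow state: remembers the original (dst, dport) so the reply can be
    un-translated without the rule knowing the front address in advance."""
    def __init__(self):
        self.flows = {}
    def forward(self, p):
        if p.dport in (80, 443):
            self.flows[(p.src, p.sport)] = (p.dst, p.dport)
            return replace(p, dst=BACKEND, dport=8080)
        return p
    def reverse(self, p):
        orig = self.flows.get((p.dst, p.dport))
        return replace(p, src=orig[0], sport=orig[1]) if orig else p

def handshake(forward, reverse, front=FRONT):
    """Return the client's view of the SYN / SYN-ACK exchange."""
    syn = Pkt(CLIENT, 39472, front, 80, "S")
    at_server = forward(syn)
    synack = Pkt(at_server.dst, at_server.dport, at_server.src, at_server.sport, "S.")
    to_client = reverse(synack)
    # The client socket is keyed on the 4-tuple it sent; any other peer gets a RST.
    if (to_client.src, to_client.sport) == (syn.dst, syn.dport):
        return "ESTABLISHED"
    return "RST"
```

handshake(stateless_forward, lambda p: p) reproduces the RST from the trace, adding stateless_reverse fixes it for FRONT only, and a Conntrack instance passed as (ct.forward, ct.reverse) establishes the connection for FRONT2 as well.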
