From: Jags <TheJags@protonmail.com>
To: Reindl Harald <h.reindl@thelounge.net>
Cc: zrm <zrm@trustiosity.com>,
	"netfilter@vger.kernel.org" <netfilter@vger.kernel.org>,
	"neal.p.murphy@alum.wpi.edu" <neal.p.murphy@alum.wpi.edu>
Subject: Re: How can I block all traffic from an IP range, irrespective of origin, going to, or coming from, using nftables in Debian 10
Date: Fri, 04 Oct 2019 16:25:42 +0000
Message-ID: <gqJSE9iGsixrV5lbpV2VVj_N-pdkB59YlfOJlH-VsKhUYHsgXJ2MlY62LPso375cRc0k2X4tXD7744rB6UYKqeJGA-KB6AmpqnBpvlvsmTE=@protonmail.com>
In-Reply-To: <4fc65dba-dff0-4075-6ead-c63cd52efb36@thelounge.net>

Could someone please clarify RAW/MANGLE tables in regards to Nftables.

I could not find any details in the Nftables wiki specifically for RAW/MANGLE tables, while I find the Gentoo wiki for Nftables much friendlier: https://wiki.gentoo.org/wiki/Nftables#Tables

xxx
Tables: A table is nothing more than a container for your chains. With nftables there are no predefined tables (filter, raw, mangle...) anymore. You are free to recreate an iptables-like structure, but anything might do.

Currently there are 5 different families of tables: ip, ip6, arp, bridge, inet
xxx

My question is, since Nftables doesn't have predefined tables, just by naming a table "table inet raw", does it become a RAW table or not? If not, what do I have to do?

I thank you all so much.


For now I have added this to my nftables.conf

xxxxx
table inet raw {
        chain prerouting {
                type filter hook prerouting priority 0; policy accept;
                ip saddr 123.0.0.0/8 counter drop
        }
        chain output {
                type filter hook output priority 0; policy accept;
                ip daddr 123.0.0.0/8 counter reject
        }
}
xxxxx

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, October 4, 2019 3:10 PM, Reindl Harald <h.reindl@thelounge.net> wrote:

> Am 04.10.19 um 16:28 schrieb Jags:
>
> > > not sure about nftables but with iptables i would just place the drop
> > > stuff for 123.0.0.0/8 in -t raw PREROUTING because it's before conntrack
> > > and consider placing it in an ipset for the case the list becomes longer
> > > because then you have only one rule and a lightning fast hash-lookup no
> > > matter how many entries
> >
> > Yes, I noticed CPU spikes, and removed drop/reject rules immediately. Thought I would re-enable these rules only when I run a torrent client.
> > So should I just add a new table "raw" (and place this table at the top):
> > xxxxxxxxx
> > table inet raw {
> >         chain prerouting {
> >                 type filter hook prerouting priority 0; policy accept;
> >                 ip saddr 123.0.0.0/8 counter drop
> >         }
> >         chain output {
> >                 type filter hook output priority 0; policy accept;
> >                 ip daddr 123.0.0.0/8 counter reject
> >         }
> > }
> > xxxxxxxxx
> > Now do I need POSTROUTING chain in there too?
> > From Gentoo wiki for Nftables: https://wiki.gentoo.org/wiki/Nftables#Tables
> > "postrouting: This hook comes after the routing decision has been made, all packets leaving the machine hit this hook"
>
> you don't need chains where you don't place rules
>
> disclaimer: i use iptables and plan to switch to iptables-nft over the
> long run, so nftables may have subtly different behavior
>
> however, it turned out to give way better performance for a big firewall
> setup to place as much as possible in "-t mangle PREROUTING" (ct state
> invalid) and "-t raw PREROUTING" because of less processing of packets
>
> not sure if "table inet raw" has the same semantics (before conntrack,
> before routing), but if it can have a postrouting hook i doubt it, because
> that's not possible for "-t raw" in iptables given that in this table
> there is no routing decision possible
>
> look at the image to get a picture, i can't help with nftables itself
> https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png



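Added example, not part of any message in this thread: in nftables the table name carries no meaning, so "table inet raw" is just a label. What decides whether a chain runs before or after connection tracking is the hook plus its priority. The config posted above uses priority 0, which is the filter point (after conntrack, which hooks at -200 in prerouting and output); the iptables raw table corresponds to priority -300 on those same hooks. The ruleset below is the same block list moved to that point, with the prefix kept in a named set so the list can grow without adding rules. The table name "blocklist" and set name "badnets_v4" are assumptions chosen for this example; the numeric priority is used instead of the symbolic "raw" keyword because Debian 10's nft 0.9.0 predates the symbolic names.

```nft
#!/usr/sbin/nft -f
# Added example (not the thread author's config). Table and set names are
# assumptions for illustration.
flush ruleset

table inet blocklist {
        # One hash/interval lookup per packet however many prefixes are listed.
        # "flags interval" is required for CIDR elements.
        set badnets_v4 {
                type ipv4_addr
                flags interval
                elements = { 123.0.0.0/8 }
        }

        # priority -300 == NF_IP_PRI_RAW: runs before conntrack (-200), so a
        # dropped packet never allocates a conntrack entry. "ct state" is not
        # usable in this chain because conntrack has not run yet.
        chain prerouting_raw {
                type filter hook prerouting priority -300; policy accept;
                ip saddr @badnets_v4 counter drop
        }

        # Output hook at the same raw priority for locally generated traffic
        # (torrent client connecting outwards). No postrouting chain is needed,
        # since nothing is matched there.
        chain output_raw {
                type filter hook output priority -300; policy accept;
                ip daddr @badnets_v4 counter reject
        }
}
```

Check the file without loading it with `nft -c -f /etc/nftables.conf`, load it with `nft -f /etc/nftables.conf` (what nftables.service does on Debian 10), and watch the counters with `nft list table inet blocklist`. Because these chains sit before conntrack, keep any rule that matches `ct state` in a separate chain at priority 0 or later; the `inet` family with `ip saddr`/`ip daddr` matches IPv4 only, so an IPv6 block list needs its own `ipv6_addr` set and `ip6` rules.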
Thread overview: 16+ messages
2019-10-01 23:22 How can I block all traffic from an IP range, irrespective of origin, going to, or coming from, using nftables in Debian 10 Jags
2019-10-03 19:00 ` zrm
2019-10-04  9:45   ` Jags
2019-10-04 10:18     ` Reindl Harald
2019-10-04 10:44       ` Jags
2019-10-04 11:05         ` Reindl Harald
2019-10-04 12:21           ` Jags
2019-10-04 13:06             ` Reindl Harald
2019-10-04 14:28               ` Jags
2019-10-04 15:10                 ` Reindl Harald
2019-10-04 15:47                   ` Neal P. Murphy
2019-10-04 16:25                   ` Jags [this message]
2019-10-04 20:30                     ` Anton Rieger
2019-10-04 21:27                       ` Jags
2019-10-06 17:26                         ` sean darcy
2019-10-06 23:00                           ` Jags
