top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

how to replace the next iptables rule with nft?

+2 votes

Can someone help on how to replace the next iptables rule with nft:

iptables -t raw -A PREROUTING -i eth0 -j CT --notrack

Is this possible with nft or not?

posted Feb 18, 2015 by anonymous

Looking for an answer?  Promote on:
Facebook Share Button Twitter Share Button LinkedIn Share Button

Similar Questions
+2 votes

I would like to DNAT IPv4 to IPv6. Is this currently possible maybe with nftables?
I'm looking for something similiar to:

iptables -t nat -A PREROUTING -p tcp --dport 4001 -d -j DNAT --to '[fd00::fffa:1]:22'
+1 vote

Recent versions of the Linux kernel and the libnftnl library define nft expression types with the names "match" and "target". However, I could not find any reference to these expression types in the code of the nft user space utility, but only in the code for iptables.

Is it possible to access iptables matches and targets from rules defined with nft, or is this not intended?

+3 votes

I want to use network ranges and host IP's in named maps. Using them in anonymous maps works:

# nft add rule filter output ip daddr vmap { : drop, : accept}

However, in named maps it failes:

# nft -i
nft> add map filter verdict_map { type ipv4_address : verdict; }
nft> add element filter verdict_map { : drop}
nft> add element filter verdict_map { : accept}
BUG: invalid data expression type prefix

How do i use ranges or more complex expressions like IP + Port in maps?

0 votes

I have been using denyhosts for almost a year. To date I have only prevented one person logging in and that is ME ( I used the wrong login name).
Also, I know of no successful break-ins.

My iptables is as follows:

-N block
-A INPUT -j block
-A FORWARD -j block
-A block -i wifi_card -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_external -p tcp -m tcp --dport 12123 -j ACCEPT
-A block -i Nic_enternal -j ACCEPT
-A block -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A block -i lo -m conntrack --ctstate NEW -j ACCEPT
-A block -j DROP

First, I think that the above will keep the bad guys out, Is that a true statement?

Sencondly, I have added a LOG rule just above the DROP rule and I have been monitoring it for about 1 1/2 weeks. As each entry is logged I have been adding it to /etc/hosts.deny. Currently there are 4318 ip adresses in the file and the number of packets that have been logged is 51592.

Denyhosts is for stopping ssh attempts and nothing else as I understand it.

Having over 4300 lines in /etc/hosts.deny causes almost no delay in logging in remotely.

Am I being to paranoid about keeping the bad guys out or is the iptable above completely adequate?

I would very much like to here your opinion on this,

+1 vote

If you have an 'accept' rule for a service that is not currently running, is it possible to have iptables to simply not respond instead of reporting the port as 'closed'? During a port scan at, if the router doesn't reply the port will be reported as 'stealth'.