I find that those who attack the character and intentions of others - despite clear evidence to the contrary (the site was working and was successfully accessed by several on this Forum) are likely projecting something of their own troubles.

It's really easy to just ignore my requests for help and to leave it to those who are willing to answer some very simple questions - from knowledge, rather than conjecture.

I've asked, several times, about my concerns that my nftables install may be corrupted ...

So far, no one has offered a solution (I've looked, a lot, for myself) at how-to restore what I believe to be missing pieces of it (the lib modules, to be precise) - nor, has anyone offered an alternative explanation as to why nftables is not working.

I've been using Linux for a long time and have observed the toxic-assumptions problem before - it's always unhealthy to the community.

Answers to my questions should involve simple step-by-step advice ... false assumptions are, well, we all know about assumptions ... sigh.

@all: probably best to stop pandering to this person, I suspect they are trolling us.

@ HoaS the irrepressible cynic . . . I believe that the explanation is much simpler . . .

I am an old person. A very old person. Because I am an old person I took note that early on dcolburn mentioned he was also of a certain age. IIRC, I beat him by some years. When you are such an age . . . if the earth is still around by then . . . you will come to understand the challenges . . .

Marjorie wrote:

As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue

I wasn't referring to dynamic IPs, but rather the security implications.

Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.

My advice: stop trying to do this, host the site with an established provider.

Security is manageable - it's a step by step process.

I have web sites hosted on Bluehost, and have for a long time.

This is about the Linux spirit of independence and learning.

Again, this was working, but due to missing the hardware RAID toggle 'on', the system was unstable and had to be reconstructed.

If nftables would only play nicely it would seem we'd be rocking!

root@devuan1:/# service nftables status
nftables: unrecognized service
root@devuan1:/# service nftables restart
nftables: unrecognized service
root@devuan1:/# service nftables force-reload
nftables: unrecognized service
root@devuan1:/# nft list ruleset
root@devuan1:/# 

I suspected a potential conflict but that doesn't appear to be the case ...

root@devuan1:/# whereis ufw
ufw: /etc/ufw
root@devuan1:/# whereis iptables
iptables: /usr/sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
root@devuan1:/# service ufw status
ufw: unrecognized service
root@devuan1:/# service iptables status
iptables: unrecognized service
root@devuan1:/# 

Just tried nft flush ruleset;nft -f /etc/nftables.conf - no change.

FYI ...

root@devuan1:/# nft -v
nftables v0.9.8 (E.D.S.)
root@devuan1:/# 

This remains a concern  ...

root@devuan1:/# whereis libmnl
libmnl:
root@devuan1:/# whereis libnftnl
libnftnl:
root@devuan1:/# 

As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue

I wasn't referring to dynamic IPs, but rather the security implications.

Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.

My advice: stop trying to do this, host the site with an established provider.

Love the gone "pear shaped" humor. You remind me of an old friend.

I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?

EDIT 1:

Rebooted - no joy.

EDIT 2:

# nft -cf /etc/nftables.conf reports no errors.

(as root)

service nftables status

will tell you if its running.

service nftables restart
or
service  nftables force-reload

can be used to restart or just reload the conf file respectively. Or a reboot will also work.

as well as status run

nft list ruleset

and post it so we can check its working.

If it is working then I expect your problem is elsewhere.

Try a port scan from another machine on your network to see if ports 80 and 443 are open.

You could try this nftables.conf.

I did provide the OP with a workable nftable configuration for their use case but they don't appear to be using it. No idea why.

@all: probably best to stop pandering to this person, I suspect they are trolling us.

$ cd /home/user
$ rm -rf mygitworkspace

Technically, "rm" is the program to run, "-rf" asks for the command variation to delete stuff recursively and force deletion to apply also for read-only files/directories, and "mygitworkspace" identifies the top-level pathname of files and directories to remove.

May I suggest that you don't want to compile any netfilter components?

Can you point me to a reliable instructional as to how to have git remove the 'objects' it loaded, please?

The less clutter the better.

Thanks

I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?

EDIT 1:

Rebooted - no joy.

EDIT 2:

# nft -cf /etc/nftables.conf reports no errors.

This is based on mine, which works, the only changes are that I've pruned the additional ports I've opened on mine for email, ntp, dns, monitoring.

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept
    ct state established,related accept
    tcp dport ssh ct state new accept
    tcp dport http ct state new accept
    tcp dport https ct state new accept
    
     # ICMP: errors, pings
     ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
     # ICMPv6: errors, pings, routing
     ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

     # Reject other packets
     ip protocol tcp reject with tcp reset
  }
}

# nft -cf /etc/nftables.conf

repeatedly, and each time look at and correct only the first error, until that command no longer gives any output.

Thereafter you apply the corrected rule set with

# nft -cf /etc/nftables.conf

Hint: you current nftables.conf has 3 syntax errors.

The IP in your most recent post is not a private address - it appears to belong to an ISP - indicating that you may be trying to run a public Internet-facing webserver from a machine on your home network...?

As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue: I have a fixed IP from my ISP (Zen) and it hosts both an accessible (apache) website and my (postfix) family mail server.
And we were able to access his website too at one point before it all went pear-shaped.

But as your (dcolburn) server is on a network behind a router can I assume that you have opened the relevant ports on the router as well as your server's (nftables) firewall?

Is nftables actually running?

# nft list ruleset

I would just ignore that "guide". It looks like one of those shitty sites that farm forum & wiki content for ad revenue.

root@devuan1:~/libnftnl# nft list ruleset
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.168.1.0/24 oif "eth0" snat to 1.2.3.4
	}
}
root@devuan1:~/libnftnl# 

What is this telling me about what's happening - and what's not happening that should be?