The officially official Devuan Forum!


#1 2019-06-11 20:35:18

d0nzag
Member
Registered: 2019-06-10
Posts: 9  

[Solved] How to load nftables rules at boot?

/etc/modules has all nf_tables* modules loaded
/etc/nftables.conf has no effect

What else could be done / checked?

Last edited by d0nzag (2019-06-16 03:00:34)


#2 2019-06-11 21:22:57

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 1,106  

Re: [Solved] How to load nftables rules at boot?

initrd?


#3 2019-06-12 09:57:52

d0nzag
Member
Registered: 2019-06-10
Posts: 9  

Re: [Solved] How to load nftables rules at boot?

This is too much. Aborting...


#4 2019-06-12 10:31:10

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: [Solved] How to load nftables rules at boot?

Try

# cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d
# update-rc.d nftables defaults

Then reboot.



#5 2019-06-16 02:59:32

d0nzag
Member
Registered: 2019-06-10
Posts: 9  

Re: [Solved] How to load nftables rules at boot?

The answer is - same way as with https://wiki.debian.org/iptables

Create executable file /etc/network/if-pre-up.d/nftables with the content

 #!/bin/sh
 /sbin/nft -f  /<path_to>/my.nftables.rules

and that's it :)


#6 2020-04-21 22:07:05

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 219  

Re: [Solved] How to load nftables rules at boot?

I'm setting up a mailserver and I'm trying to use nftables on Beowulf rather than iptables and ufw, as I used to on ASCII.

Head_on_a_Stick wrote:

Try

# cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d
# update-rc.d nftables defaults

Then reboot.

Assuming I want to start nftables as a service (in the same way that systemd imitates), I would have to change this slightly:

$ sudo cp /usr/share/doc/nftables/examples/sysvinit/nftables.init /etc/init.d/nftables
$ sudo chmod +x  /etc/init.d/nftables
$ sudo update-rc.d nftables defaults

When I run

$ sudo service nftables start

and then

$ sudo service nftables status 

there's no output from either and the process is not running.

It looks to me that the problem is that nftables, as supplied, isn't configured to start in any level:

/etc/init.d/nftables starts:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Required-Start:    $local_fs $network $remote_fs $syslog
# Required-Stop:     $local_fs $remote_fs $syslog
# Default-Start:
# Default-Stop:      0 1 2 3 4 5 6
# Short-Description: nftables firewall service
# Description:       nftables firewall system service
### END INIT INFO

# Author: Arturo Borrero Gonzalez <arturo@debian.org>
....

So no start run levels are defined. Should this be amended before running update-rc.d, and should they be the 'standard'?

# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6

It would be nice if the package could be devuanated for Beowulf as it's systemd specific as supplied in Debian.
I note there was some discussion about how to enable running on sysvinit back in 2015 when Arturo decided to only supply nftables.init as an example - but then not document what needed to be done to enable it.


#7 2020-04-22 12:26:30

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: [Solved] How to load nftables rules at boot?

Marjorie wrote:

no start run levels are defined

Good spot, I missed that.

I've just run the sysd2v-0.2.sh script on the systemd nftables.service and it says

# Default-Start:  S
# Default-Stop:   0 6

So try that.

EDIT: perhaps open a bug report for this on the Debian package, the maintainer might correct it.

Last edited by Head_on_a_Stick (2020-04-22 12:27:20)



#8 2020-04-22 14:34:44

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 219  

Re: [Solved] How to load nftables rules at boot?

Thanks, Head-on-a-stick, that works.

Note for anyone else searching on this topic, having edited the default run level values in /etc/init.d/nftables you have to remove any existing rc.d symlinks before you reset them, so:

$ sudo update-rc.d nftables remove
$ sudo update-rc.d nftables defaults

If you don't do that it won't just overwrite the existing symlinks (you do get a warning).

Also

$ sudo service nftables start
$ sudo service nftables status 

don't provide any output. However I did check that the firewall was working as intended using nmap from a different pc on the network:

$ sudo nmap --top-ports 500 mail
Starting Nmap 7.70 ( https://nmap.org ) at 2020-04-22 15:17 BST
Nmap scan report for mail (192.168.1.xx)
Host is up (0.0054s latency).
Not shown: 493 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
143/tcp open  imap
443/tcp open  https
587/tcp open  submission
993/tcp open  imaps
MAC Address: 2D:70:6B:23:64:91

which are just the ports I had configured to be open.

Last edited by Marjorie (2020-04-22 14:37:07)

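A complete init script of the kind #7 and #8 arrive at, with the S / 0 6 runlevels and the remove-then-defaults install step, plus the check a practitioner wants before a firewall file is loaded at boot. This is an added example, not the Debian package's nftables.init and not any poster's script. It assumes the ruleset is /etc/nftables.conf and begins with "flush ruleset", that nft is at /usr/sbin/nft (both overridable through the environment), and it prints with plain echo instead of the LSB logging helpers so it runs stand-alone. X-Start-Before is the insserv header extension that orders the script ahead of networking; the parse check (nft -c -f) and the single nft -f load are standard nft behaviour.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# X-Start-Before:    networking
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: nftables firewall
# Description:       Load the nftables ruleset before the network comes up.
### END INIT INFO

# Added example, not the Debian package's nftables.init. Assumptions:
# the ruleset is /etc/nftables.conf and begins with "flush ruleset",
# and nft lives at /usr/sbin/nft. Both can be overridden from the
# environment, which is also how the example is exercised without root.
NFT="${NFT:-/usr/sbin/nft}"
RULES="${RULES:-/etc/nftables.conf}"

# Parse-check the file without touching the kernel. A ruleset that
# fails to parse must not be loaded at all, and it must not make us
# flush the rules that are already in place.
check_rules() {
    [ -r "$RULES" ] || { echo "nftables: cannot read $RULES" >&2; return 1; }
    "$NFT" -c -f "$RULES"
}

# nft -f applies the whole file as one transaction: the leading
# "flush ruleset" and the new tables land together, so there is no
# moment where the host is running with an empty ruleset.
do_start() {
    check_rules || return 1
    "$NFT" -f "$RULES"
}

# Flushing leaves the host open. At runtime you almost never want this;
# it exists because runlevels 0 and 6 call stop during shutdown.
do_stop() {
    "$NFT" flush ruleset
}

# The packaged sysvinit example prints nothing for "status". Report
# whether any table is in the kernel and use the LSB exit code for
# "not running" (3) when nothing is loaded.
do_status() {
    if [ -n "$("$NFT" list tables 2>/dev/null)" ]; then
        echo "nftables: ruleset loaded"
        return 0
    fi
    echo "nftables: no ruleset loaded"
    return 3
}

case "${1:-}" in
    start)                       do_start ;;
    stop)                        do_stop ;;
    restart|reload|force-reload) do_start ;;   # same atomic replace as start
    status)                      do_status ;;
    '')                          ;;            # sourced or run with no action
    *) echo "Usage: $0 {start|stop|restart|reload|force-reload|status}" >&2
       exit 2 ;;
esac
```

Install it as /etc/init.d/nftables, chmod +x it, then run update-rc.d nftables remove followed by update-rc.d nftables defaults so the S and K links are regenerated from the header. After that, ls /etc/rcS.d/S*nftables /etc/rc0.d/K*nftables should show one link each, and nft list ruleset after a reboot should show your tables. Because start refuses to load a file that does not parse, editing /etc/nftables.conf and running "service nftables reload" is safe: a typo leaves the previous ruleset in the kernel instead of an empty one.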

#9 2020-11-11 11:14:45

jdev
Member
Registered: 2020-06-09
Posts: 22  

Re: [Solved] How to load nftables rules at boot?

Marjorie wrote:

Also

$ sudo service nftables start
$ sudo service nftables status 

don't provide any output.

Add INIT_VERBOSE=yes to the definitions of environment variables in /etc/init.d/nftables.


#10 2020-11-12 13:36:50

Magnus
Member
From: Stockholm, Sweden
Registered: 2020-03-14
Posts: 51  

Re: [Solved] How to load nftables rules at boot?

Or add a line in /etc/rc.local:

/usr/sbin/nft -f /etc/firewall.tables


#11 2020-11-12 18:03:15

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: [Solved] How to load nftables rules at boot?

Magnus wrote:

Or add a line in /etc/rc.local

Anything in /etc/rc.local is run late in the boot process so that would leave the network exposed, albeit very briefly. A proper init script is the best approach.



#12 2021-03-26 18:02:45

ifdv44
Member
Registered: 2021-01-03
Posts: 10  

Re: [Solved] How to load nftables rules at boot?

Can I just check something? I'm still learning about nftables so could be way off.

If nf_tables is a kernel-level module and likely to be loaded at boot time and active (assuming the modules are not explicitly deactivated), then is there any need to have an init.d script to start it? Won't it start up and load rules then? What am I missing? Or is this just a belt-and-braces step to make sure any rules really are included at boot time?


#13 2021-03-26 18:15:29

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: [Solved] How to load nftables rules at boot?

There are several kernel modules that provide the firewall functionality but the init script (or systemd unit file) is needed to load the user space process that actually runs the firewall.



#14 2021-03-26 22:40:56

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 582  

Re: [Solved] How to load nftables rules at boot?

Hi, my fw script is loaded by open-rc

It looks like this...

/home/glenn/build/firewall/fwautorun

#!/bin/bash
### BEGIN INIT INFO
# Provides:          scriptname
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO

case "$1" in
  start)

    sh /home/glenn/bin/nftfw.sh

    echo "Nftables Firewall is now ON"
    ;;
  stop)
    nft flush table filter
    nft flush table ip6 filter
    echo "NFTABLES Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun {start|stop}"
        exit 1
        ;;
esac

exit 0

I used gentoo, arch and debian guides when I set this up...
https://wiki.gentoo.org/wiki/Nftables/E … nd_IPv6.29
https://wiki.archlinux.org/index.php/Nf … l_firewall
https://linux-audit.com/nftables-beginn … filtering/
https://wiki.debian.org/nftables#Should … les_one.3F

I found this somewhere, ... repeat, my init script is called fwautorun.sh, yours may be different.

cp  <path to init file>...fwautorun /etc/init.d

# update-rc.d nftables defaults

rc-update add nftables defaults

reboot.

you may have this part sorted, but because it's mentioned in the start up script, I'll copy it here...

/home/glenn/bin/nftfw.sh

#!/bin/bash

# /home/glenn/build/firewalls/nftfw.sh

# load templates
#nft -f /usr/share/doc/nftables/examples/syntax/ipv4-filter       #loads the ipv4 template table (path is distro-dependent)
#nft -f /usr/share/doc/nftables/examples/syntax/ipv6-filter       #loads the ipv6 template table (path is distro-dependent)

# instead of using templates, we create our own.

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }

# clean out any leftovers...

nft flush table filter
nft flush table ip6 filter

nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept

nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

nft add rule ip6 filter input counter log drop

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept

echo "Nftables Firewall is now ON ... relay"

exit 0

# /home/glenn/build/firewalls/nftfw-off.sh

#!/bin/bash

# /home/glenn/build/firewalls/nftfw-off.sh

nft -f /usr/share/doc/nftables/examples/syntax/ipv4-filter             #loads the ipv4 template table
nft -f /usr/share/doc/nftables/examples/syntax/ipv6-filter             #loads the ipv6 template table

nft flush table filter
nft flush table ip6 filter

echo "Nftables Firewall is now OFF"

exit 0

I hope this helps, Glenn



#15 2021-03-26 23:22:32

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 219  

Re: [Solved] How to load nftables rules at boot?

GlennW wrote:

Hi, my fw script is loaded by open-rc

It looks like this...

/home/glenn/build/firewall/fwautorun

#!/bin/bash
### BEGIN INIT INFO
# Provides:          scriptname
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO
............

Glenn, If you check earlier in this thread e.g. contribution #7 you'll see that for Default-Start/stop you would normally (at least in sysvinit) use:

# Default-Start:  S
# Default-Stop:   0 6

The reason to use S rather than 2 is that it executes as early as possible, which is a desirable feature of a firewall.

Is there no S level in open-rc?


#16 2021-03-27 11:41:12

GlennW
Member
From: Brisbane, Australia
Registered: 2019-07-18
Posts: 582  

Re: [Solved] How to load nftables rules at boot?

Thank you for the correction...

As far as I'm aware open-rc run levels are "default, off, recovery and sysinit."

I thought the commented lines in the above script were left there from the sys-v script the file was used for.

I'm still not completely sure how this works... sorry for butting in.

I didn't see those other posts this morning when I added my 2 cents worth.

But, I'm glad I found out some more about run levels and open-rc.



#17 2021-03-27 11:53:55

ifdv44
Member
Registered: 2021-01-03
Posts: 10  

Re: [Solved] How to load nftables rules at boot?

Head_on_a_Stick wrote:

There are several kernel modules that provide the firewall functionality but the init script (or systemd unit file) is needed to load the user space process that actually runs the firewall.

That user space process being the nft "application" that reads in the rules and passes to the kernel part of nf_tables ?


#18 2021-03-27 18:00:42

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,125  

Re: [Solved] How to load nftables rules at boot?

Yes, that's right.



#19 2021-03-27 20:09:20

ifdv44
Member
Registered: 2021-01-03
Posts: 10  

Re: [Solved] How to load nftables rules at boot?

Head_on_a_Stick wrote:

Yes, that's right.

Cool. Thanks for confirming that. Another thing I'm starting to get my head around is fitting into place :)


#20 2021-10-12 19:55:39

einpoklum
Member
From: Haifa, Palestine
Registered: 2021-07-21
Posts: 52  

Re: [Solved] How to load nftables rules at boot?

For other readers of this thread: Note you may have other packages which install firewall rules (via nft or iptables-legacy or otherwise), which would conflict with the nft tables you want to load.

Actually, I'd say that it's kind of a problem that nft is highly visible, on the one hand, via /etc/nftables.conf, and that nftables is installed on account of network-manager (assuming you've installed that), but on the other hand there is no associated service you could even query for status. Nor do you get any indication about how things might conflict with its use.
