The officially official Devuan Forum!


#1 2023-01-24 02:36:15

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

git netfilter compile problem

For whatever reason several modules necessary to nftables are missing (nf_tables_inet, nf_tables_ipv6, nf_tables_ipv4, nf_netlink, nf_chain).

After thrashing about the Internet it seems that this may be the way to restore them ...

$ git clone https://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install

The 'objects' downloaded, all 9198 of them.

I changed to libnftnl then $ sh autogen.sh but that returned an error "autogen.sh: 3: autoreconf: not found".

So, I'm not certain as to how best to proceed ...

NOTE 1: I tried to reload libmnl and libnftnl via Synaptic but it showed them as present and I didn't see a way to re-install them.

NOTE 2: I first ran $ git clone https://git.netfilter.org/libmnl and the 'objects' downloaded - because this site said libmnl was necessary https://wiki.nftables.org/wiki-nftables … om_sources

Last edited by dcolburn (2023-01-24 02:36:56)

Offline

#2 2023-01-24 04:47:28

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 859  

Re: git netfilter compile problem

May I suggest that you don't want to compile any netfilter components?

What is your objective?

edit: why do you think that anything is missing from nftables?

Offline

#3 2023-01-24 15:35:35

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

I'm not seeing nf_tables modules: nf_tables_inet, nf_tables_ip, nf_tables_ip6 when I run "lsmod | grep nf_tables" as shown here https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/

I can view realupnow.com/index.html from the server but not from another computer on the same network.

I can ssh in from another computer on the same network.

I'm not getting errors (nothing in the logs and nothing when I run "nginx -t") the system just isn't connecting from the outside (other than ssh).

Offline

#4 2023-01-24 16:42:59

alexkemp
Member
Registered: 2018-05-14
Posts: 79  

Re: git netfilter compile problem

Sounds like port-80 is blocked for external traffic. But of course, that would mean that nf_tables (or something) is running.

Sorry, but cannot help. I was competent with the old firewall, but know nothing about the new one(s).

Offline

#5 2023-01-24 17:16:24

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

This is in nftables.conf ... which I thought would open 80 outbound?

    chain OUTBOUND {
       type filter hook output priority filter; policy drop;

       # Allow traffic from established and related packets, drop invalid
            ct state vmap { established : accept, related : accept, invalid : drop }
   
       # Allow loopback
            oif "lo" accept

       # Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
            ct state new tcp dport {22, 80, 443} accept
            log prefix "DROP_output: " limit rate 3/second
   }
}

Offline

#6 2023-01-24 17:17:10

chris2be8
Member
Registered: 2018-08-11
Posts: 175  

Re: git netfilter compile problem

Try running a port scan (eg nmap) from another system on the same network. That should tell you what ports are open.

If you don't have a port scanner, sudo traceroute -T -p 80 realupnow.com would test access to port 80. Then you could repeat for other ports, eg 443 (https) and 22 (sshd). That should tell you what ports are blocked.

Edit: we cross posted.

You may need to allow *inbound* access to port 80 (and port 443 if you want to use https). Knowing what point of view inbound and outbound refer to can be confusing.

Last edited by chris2be8 (2023-01-24 17:20:52)

Offline
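An added example (my own code, not anything posted in this thread) of the check post #6 describes, done from another machine on the same LAN against your own server: it tries a TCP connect to 22, 80 and 443 and classifies each port as open, closed (the host answered with a reset, so the packet got through and nothing was listening, or a "reject with tcp reset" rule fired) or filtered (no answer at all, i.e. a drop rule on the host or on the router). The host name and port list are placeholders you replace with your own.

```python
"""Added example: classify a server's TCP ports from another machine on the LAN.

'open'     -> SYN answered, something is listening
'closed'   -> RST came back: the packet reached the host, nothing listens there
              (or an nftables 'reject with tcp reset' rule answered)
'filtered' -> no reply before the timeout: a drop rule on the host or the router
              swallowed the SYN
"""
import socket


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return 'open'
    except ConnectionRefusedError:
        return 'closed'
    except (socket.timeout, TimeoutError):
        return 'filtered'
    except OSError:
        # e.g. "no route to host": treated like a silent drop for this purpose
        return 'filtered'
    finally:
        s.close()


def probe_all(host, ports=(22, 80, 443), timeout=3.0):
    """Probe every port in ports and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


def interpret(results):
    """Turn {port: state} into one diagnostic line per port."""
    lines = []
    for port, state in sorted(results.items()):
        if state == 'open':
            why = 'reachable and a service is listening'
        elif state == 'closed':
            why = ('reachable, but nothing listening or the firewall rejects '
                   'with reset: check the service binding, not a drop rule')
        else:
            why = ('no reply: an input chain with policy drop and no accept '
                   'for this port, or the router, is dropping the SYN')
        lines.append('%d: %s (%s)' % (port, state, why))
    return lines


def loopback_listener():
    """Open a listening socket on an ephemeral 127.0.0.1 port (for self-tests)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('127.0.0.1', 0))
    s.listen(1)
    return s, s.getsockname()[1]


if __name__ == '__main__':
    # Placeholder target: replace with your server's LAN address and run this
    # from a different machine on the same network.
    TARGET = '192.0.2.10'   # documentation address, not a real host
    for line in interpret(probe_all(TARGET)):
        print(line)
```

The distinction between closed and filtered is the useful bit: a reset means the firewall is not what is in the way, so the next place to look is whether the web server is actually listening on that interface; silence means a drop somewhere between the client and the service.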

#7 2023-01-24 17:21:25

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,053  

Re: git netfilter compile problem

Is nftables actually running?

# nft list ruleset

I would just ignore that "guide". It looks like one of those shitty sites that farm forum & wiki content for ad revenue.


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII, 18.

Offline

#8 2023-01-24 17:22:09

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

traceroute terminates at 66.172.90.106 (the static ip) for 22, 80, and 443.

22 shows one line, 80 and 443 two.

I can ssh in - so 22 is open.

Offline

#9 2023-01-24 18:02:08

boughtonp
Member
From: UK
Registered: 2023-01-19
Posts: 9  

Re: git netfilter compile problem

To reiterate what others have said, opening port 80 does not require compiling nf_tables (or any other part of the kernel).

The output of the command given in post #7 will show your currently loaded configuration - please provide that.

Also, what exactly is your overall aim / ultimate goal?
(You have a lot of previous threads on topics that appear to overlap - have any of these given such a description yet?)

The IP in your most recent post is not a private address - it appears to belong to an ISP - indicating that you may be trying to run a public Internet-facing webserver from a machine on your home network...?


3.1415P265E589T932E846R64338

Offline

#10 2023-01-24 18:39:32

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

chris2be8 wrote:

Try running a port scan (eg nmap) from another system on the same network. That should tell you what ports are open.

If you don't have a port scanner, sudo traceroute -T -p 80 realupnow.com would test access to port 80. Then you could repeat for other ports, eg 443 (https) and 22 (sshd). That should tell you what ports are blocked.

Edit: we cross posted.

You may need to allow *inbound* access to port 80 (and port 443 if you want to use https). Knowing what point of view inbound and outbound refer to can be confusing.

    chain inbound {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
       # Allow traffic from established and related packets, drop invalid
            ct state vmap { established : accept, related : accept, invalid : drop }
        iif "lo" counter packets accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        ip protocol igmp accept
#        iif "lo" counter packets 0 bytes 0 accept
#        ip protocol icmp limit rate 4/second accept
#        ip6 nexthdr ipv6-icmp limit rate 4/second accept
#        ip protocol igmp limit rate 4/second accept
        tcp dport { 22, 80, 443 accept
        log
    }

Offline

#11 2023-01-24 18:40:36

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

Head_on_a_Stick wrote:

Is nftables actually running?

# nft list ruleset

I would just ignore that "guide". It looks like one of those shitty sites that farm forum & wiki content for ad revenue.

root@devuan1:~/libnftnl# nft list ruleset
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.168.1.0/24 oif "eth0" snat to 1.2.3.4
	}
}
root@devuan1:~/libnftnl# 

What is this telling me about what's happening - and what's not happening that should be?

Last edited by dcolburn (2023-01-24 19:35:58)

Offline

#12 2023-01-24 22:14:44

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 184  

Re: git netfilter compile problem

boughtonp wrote:

The IP in your most recent post is not a private address - it appears to belong to an ISP - indicating that you may be trying to run a public Internet-facing webserver from a machine on your home network...?

As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue: I have a fixed IP from my ISP (Zen) and it hosts both an accessible (apache) website and my (postfix) family mail server.
And we were able to access his website too at one point before it all went pear-shaped.

But as your (dcolburn) server is on a network behind a router can I assume that you have opened the relevant ports on the router as well as your server's (nftables) firewall?

Last edited by Marjorie (2023-01-24 22:44:05)

Offline

#13 2023-01-24 22:19:42

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 859  

Re: git netfilter compile problem

You should run

# nft -cf /etc/nftables.conf

repeatedly, and each time look at and correct only the first error, until that command no longer gives any output.

Thereafter you apply the corrected rule set with

# nft -f /etc/nftables.conf

Hint: your current nftables.conf has 3 syntax errors.

Offline
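An added example (my own code, not anything posted by ralph.ronnquist or by the nftables project) that covers two things from this thread: the one-error-at-a-time approach in post #13, and the question in post #11 of what an "nft list ruleset" output is telling you. It is a deliberately small line-based scan, not nft's real parser, so "nft -cf" stays the authority; its brace convention (a "{" that ends its line opens a table or chain block, a "{" with text after it is a set/map literal that must close on the same line) is an assumption that matches how these configs are normally written. The three sample texts are constructed from the snippets in posts #10, #11 and #14.

```python
"""Added example: locate the first brace error in nft-style text and summarise
what the loaded ruleset does to inbound traffic. Heuristic only; 'nft -cf' is
the authority on syntax.
"""
import re

TABLE_RE = re.compile(r'^\s*table\s+(\w+)\s+(\S+)\s*\{')
CHAIN_RE = re.compile(r'^\s*chain\s+(\S+)\s*\{')
HOOK_RE = re.compile(r'type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+[^;]+;\s*policy\s+(\w+)\s*;')
DPORT_RE = re.compile(r'tcp\s+dport\s+(\{[^}]*\}|\S+).*\baccept\b')


def _strip(line):
    """Drop the comment part of a line and blank out quoted strings."""
    return re.sub(r'"[^"]*"', '""', line.split('#', 1)[0])


def first_brace_error(text):
    """Return (line_no, message) for the first brace problem, or None if balanced.

    Assumed convention: '{' at end of line opens a block; '{' followed by more
    text is a set/map literal and has to be closed on that same line.
    """
    open_blocks = []          # line numbers of block '{' not yet closed
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = _strip(raw)
        inline = 0            # set/map literals opened on this line, still open
        for i, ch in enumerate(code):
            if ch == '{':
                if code[i + 1:].strip():
                    inline += 1
                else:
                    open_blocks.append(lineno)
            elif ch == '}':
                if inline:
                    inline -= 1
                elif open_blocks:
                    open_blocks.pop()
                else:
                    return (lineno, "unexpected '}' with no open block")
        if inline:
            return (lineno, "set/map '{' is not closed on this line")
    if open_blocks:
        return (open_blocks[-1], "block '{' is never closed")
    return None


def base_chains(text):
    """List (family, table, chain, type, hook, policy) for every hooked chain."""
    err = first_brace_error(text)
    if err:
        raise ValueError('line %d: %s' % err)
    found, table, chain = [], None, None
    for raw in text.splitlines():
        code = _strip(raw)
        m = TABLE_RE.match(code)
        if m:
            table, chain = (m.group(1), m.group(2)), None
            continue
        m = CHAIN_RE.match(code)
        if m:
            chain = m.group(1)
            continue
        m = HOOK_RE.search(code)
        if m and table and chain:
            found.append(table + (chain,) + m.groups())
    return found


def input_verdict(text):
    """One line on what the ruleset does to new inbound TCP connections.

    Accepted dports are collected across the whole text (heuristic).
    """
    inputs = [c for c in base_chains(text) if c[3] == 'filter' and c[4] == 'input']
    if not inputs:
        return 'no input-hook filter chain: nftables is not blocking anything inbound'
    ports = [m.group(1).strip('{} ').replace(' ', '')
             for m in (DPORT_RE.search(_strip(l)) for l in text.splitlines()) if m]
    return 'input policy %s; new tcp accepted on: %s' % (inputs[0][5], ', '.join(ports) or 'none')


# Constructed sample 1: the chain from post #10, with its missing '}' on line 5.
BROKEN = """\
chain inbound {
    type filter hook input priority filter; policy drop;
    ct state vmap { established : accept, related : accept, invalid : drop }
    iif "lo" counter packets accept
    tcp dport { 22, 80, 443 accept
    log
}
"""

# Constructed sample 2: the 'nft list ruleset' output from post #11 (nat only).
NAT_ONLY = """\
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.1.0/24 oif "eth0" snat to 1.2.3.4
    }
}
"""

# Constructed sample 3: a trimmed copy of the working config from post #14.
FILTERED = """\
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname lo accept
    ct state established,related accept
    tcp dport ssh ct state new accept
    tcp dport http ct state new accept
    tcp dport https ct state new accept
    ip protocol tcp reject with tcp reset
  }
}
"""

if __name__ == '__main__':
    print(first_brace_error(BROKEN))   # the dport line, not the end of the chain
    print(input_verdict(NAT_ONLY))     # nothing filters input: look elsewhere
    print(input_verdict(FILTERED))     # policy drop, ssh/http/https accepted
```

On the post #11 output the verdict is the point: a ruleset with only a nat table has no input-hook chain, so nftables is accepting everything and a port that does not answer is being blocked somewhere else (the router, or nothing listening), which is what post #12 goes on to ask about.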

#14 2023-01-24 22:41:52

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 184  

Re: git netfilter compile problem

You could try this nftables.conf.

This is based on mine, which works, the only changes are that I've pruned the additional ports I've opened on mine for email, ntp, dns, monitoring.

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept
    ct state established,related accept
    tcp dport ssh ct state new accept
    tcp dport http ct state new accept
    tcp dport https ct state new accept

    # ICMP: errors, pings
    ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
    # ICMPv6: errors, pings, routing
    ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

    # Reject other packets
    ip protocol tcp reject with tcp reset
  }
}

Offline

#15 2023-01-24 23:16:41

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

Love the gone "pear shaped" humor. You remind me of an old friend.

I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?

EDIT 1:

Rebooted - no joy.

EDIT 2:

# nft -cf /etc/nftables.conf reports no errors.

Last edited by dcolburn (2023-01-25 03:09:35)

Offline

#16 2023-01-25 03:11:22

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

ralph.ronnquist wrote:

May I suggest that you don't want to compile any netfilter components?

Can you point me to a reliable instructional as to how to have git remove the 'objects' it loaded, please?

The less clutter the better.

Thanks

Offline

#17 2023-01-25 04:01:40

ralph.ronnquist
Administrator
From: Clifton Hill, Victoria, AUS
Registered: 2016-11-30
Posts: 859  

Re: git netfilter compile problem

If the git directory on your system has pathname /home/user/mygitworkspace you would remove that git directory with the terminal command sequence:

$ cd /home/user
$ rm -rf mygitworkspace

Technically, "rm" is the program to run, "-rf" asks for the command variation to delete stuff recursively and force deletion to apply also for read-only files/directories, and "mygitworkspace" identifies the top-level pathname of files and directories to remove.

Offline

#18 2023-01-25 07:08:29

Head_on_a_Stick
Member
From: London
Registered: 2019-03-24
Posts: 3,053  

Re: git netfilter compile problem

Marjorie wrote:

You could try this nftables.conf.

I did provide the OP with a workable nftable configuration for their use case but they don't appear to be using it. No idea why.

@all: probably best to stop pandering to this person, I suspect they are trolling us.


“Et ignotas animum dimittit in artes.” — Ovid, Metamorphoses, VIII, 18.

Offline

#19 2023-01-25 10:25:20

Marjorie
Member
From: Teignmouth, UK
Registered: 2019-06-09
Posts: 184  

Re: git netfilter compile problem

dcolburn wrote:

Love the gone "pear shaped" humor. You remind me of an old friend.

I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?

EDIT 1:

Rebooted - no joy.

EDIT 2:

# nft -cf /etc/nftables.conf reports no errors.

(as root)

service nftables status

will tell you if it's running.

service nftables restart
or
service nftables force-reload

can be used to restart or just reload the conf file respectively. Or a reboot will also work.

As well as status, run

nft list ruleset

and post it so we can check it's working.

If it is working then I expect your problem is elsewhere.

Try a port scan from another machine on your network to see if ports 80 and 443 are open.

Last edited by Marjorie (2023-01-25 10:30:33)

Offline

#20 2023-01-25 15:47:04

boughtonp
Member
From: UK
Registered: 2023-01-19
Posts: 9  

Re: git netfilter compile problem

Marjorie wrote:

As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue

I wasn't referring to dynamic IPs, but rather the security implications.

Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.

My advice: stop trying to do this, host the site with an established provider.


3.1415P265E589T932E846R64338

Offline

#21 2023-01-25 15:49:02

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

I powered-off the server overnight and just powered back up.

root@devuan1:/# service nftables status
nftables: unrecognized service
root@devuan1:/# service nftables restart
nftables: unrecognized service
root@devuan1:/# service nftables force-reload
nftables: unrecognized service
root@devuan1:/# nft list ruleset
root@devuan1:/# 

I suspected a potential conflict but that doesn't appear to be the case ...

root@devuan1:/# whereis ufw
ufw: /etc/ufw
root@devuan1:/# whereis iptables
iptables: /usr/sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
root@devuan1:/# service ufw status
ufw: unrecognized service
root@devuan1:/# service iptables status
iptables: unrecognized service
root@devuan1:/# 

Just tried nft flush ruleset;nft -f /etc/nftables.conf - no change.

FYI ...

root@devuan1:/# nft -v
nftables v0.9.8 (E.D.S.)
root@devuan1:/# 

This remains a concern  ...

root@devuan1:/# whereis libmnl
libmnl:
root@devuan1:/# whereis libnftnl
libnftnl:
root@devuan1:/# 

Last edited by dcolburn (2023-01-25 16:50:17)

Offline

#22 2023-01-25 16:35:38

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

boughtonp wrote:
Marjorie wrote:

As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue

I wasn't referring to dynamic IPs, but rather the security implications.

Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.

My advice: stop trying to do this, host the site with an established provider.

Security is manageable - it's a step by step process.

I have web sites hosted on Bluehost, and have for a long time.

This is about the Linux spirit of independence and learning.

Again, this was working, but due to missing the hardware RAID toggle 'on', the system was unstable and had to be reconstructed.

If nftables would only play nicely it would seem we'd be rocking!

Offline

#23 2023-01-25 17:00:59

golinux
Administrator
Registered: 2016-11-25
Posts: 2,707  

Re: git netfilter compile problem

Head_on_a_Stick wrote:

@all: probably best to stop pandering to this person, I suspect they are trolling us.

@ HoaS the irrepressible cynic . . . I believe that the explanation is much simpler . . .

I am an old person. A very old person. Because I am an old person I took note that early on dcolburn mentioned he was also of a certain age. IIRC, I beat him by some years. When you are such an age . . . if the earth is still around by then . . . you will come to understand the challenges . . .

Online

#24 2023-01-25 17:48:55

dcolburn
Member
Registered: 2022-11-02
Posts: 280  

Re: git netfilter compile problem

Thank you.

I find that those who attack the character and intentions of others - despite clear evidence to the contrary (the site was working and was successfully accessed by several on this Forum) are likely projecting something of their own troubles.

It's really easy to just ignore my requests for help and to leave it to those who are willing to answer some very simple questions - from knowledge, rather than conjecture.

I've asked, several times, about my concerns that my nftables install may be corrupted ...

So far, no one has offered a solution (I've looked, a lot, for myself) at how-to restore what I believe to be missing pieces of it (the lib modules, to be precise) - nor, has anyone offered an alternative explanation as to why nftables is not working.

I've been using Linux for a long time and have observed the toxic-assumptions problem before - it's always unhealthy to the community.

Answers to my questions should involve simple step-by-step advice ... false assumptions are, well, we all know about assumptions ... sigh.

Offline

#25 Yesterday 01:57:11

golinux
Administrator
Registered: 2016-11-25
Posts: 2,707  

Re: git netfilter compile problem

@dcolburn . . . I think your expectations may be a bit unrealistic. You have been asking questions now for some time and had responses from knowledgeable users yet you haven't been able to get things working. Seems that somehow things are getting "lost in translation". Perhaps you could find a local Linux user to help you with hands on your machine. There used to be local Linux User Groups (LUGs) for that kind of interaction though I don't know quite how you would go about connecting with someone in 2023. Just a thought . . .

Online
