For whatever reason several modules necessary to nftables are missing (nf_tables_inet, nf_tables_ipv6, nf_tables_ipv4, nf_netlink, nf_chain).
After thrashing about the Internet it seems that this may be the way to restore them ...
$ git clone https://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
The 'objects' downloaded, all 9198 of them.
I changed to libnftnl then $ sh autogen.sh but that returned an error "autogen.sh: 3: autoreconf: not found".
So, I'm not certain as to how best to proceed ...
NOTE 1: I tried to reload libmnl and libnftnl via Synaptic but it showed them as present and I didn't see a way to re-install them.
NOTE 2: I first ran $ git clone https://git.netfilter.org/libmnl and the 'objects' downloaded - because this site said libmnl was necessary https://wiki.nftables.org/wiki-nftables … om_sources
Last edited by dcolburn (2023-01-24 02:36:56)
May I suggest that you don't want to compile any netfilter components?
What is your objective?
edit: why do you think that anything is missing from nftables?
I'm not seeing nf_tables modules: nf_tables_inet, nf_tables_ip, nf_tables_ip6 when I run "lsmod | grep nf_tables" as shown here https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/
I can view realupnow.com/index.html from the server but not from another computer on the same network.
I can ssh in from another computer on the same network.
I'm not getting errors (nothing in the logs and nothing when I run "nginx -t") the system just isn't connecting from the outside (other than ssh).
Sounds like port-80 is blocked for external traffic. But of course, that would mean that nf_tables (or something) is running.
Sorry, but cannot help. I was competent with the old firewall, but know nothing about the new one(s).
This is in nftables.conf ... which I thought would open 80 outbound?
chain OUTBOUND {
type filter hook output priority filter; policy drop;
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
# Allow loopback
oif "lo" accept
# Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
ct state new tcp dport {22, 80, 443} accept
log prefix "DROP_output: " limit rate 3/second
}
}
Try running a port scan (eg nmap) from another system on the same network. That should tell you what ports are open.
If you don't have a port scanner, sudo traceroute -T -p 80 realupnow.com would test access to port 80. Then you could repeat for other ports, eg 443 (https) and 22 (sshd). That should tell you what ports are blocked.
Edit: we cross posted.
You may need to allow *inbound* access to port 80 (and port 443 if you want to use https). Knowing what point of view inbound and outbound refer to can be confusing.
Last edited by chris2be8 (2023-01-24 17:20:52)
Is nftables actually running?
# nft list ruleset
I would just ignore that "guide". It looks like one of those shitty sites that farm forum & wiki content for ad revenue.
Brianna Ghey — Rest In Power
traceroute terminates at 66.172.90.106 (the static ip) for 22, 80, and 443.
22 shows one line, 80 and 443 two.
I can ssh in - so 22 is open.
To reiterate what others have said, opening port 80 does not require compiling nf_tables (or any other part of the kernel).
The output of the command given in post #7 will show your currently loaded configuration - please provide that.
Also, what exactly is your overall aim / ultimate goal?
(You have a lot of previous threads on topics that appear to overlap - have any of these given such a description yet?)
The IP in your most recent post is not a private address - it appears to belong to an ISP - indicating that you may be trying to run a public Internet-facing webserver from a machine on your home network...?
3.1415P265E589T932E846R64338
Try running a port scan (eg nmap) from another system on the same network. That should tell you what ports are open.
If you don't have a port scanner, sudo traceroute -T -p 80 realupnow.com would test access to port 80. Then you could repeat for other ports, eg 443 (https) and 22 (sshd). That should tell you what ports are blocked.
Edit: we cross posted.
You may need to allow *inbound* access to port 80 (and port 443 if you want to use https). Knowing what point of view inbound and outbound refer to can be confusing.
chain inbound {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state invalid drop
# Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop }
iif "lo" counter packets accept
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
ip protocol igmp accept
# iif "lo" counter packets 0 bytes 0 accept
# ip protocol icmp limit rate 4/second accept
# ip6 nexthdr ipv6-icmp limit rate 4/second accept
# ip protocol igmp limit rate 4/second accept
tcp dport { 22, 80, 443 accept
log
}
Is nftables actually running?
# nft list ruleset
I would just ignore that "guide". It looks like one of those shitty sites that farm forum & wiki content for ad revenue.
root@devuan1:~/libnftnl# nft list ruleset
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.1.0/24 oif "eth0" snat to 1.2.3.4
}
}
root@devuan1:~/libnftnl#
What is this telling me about what's happening - and what's not happening that should be?
Last edited by dcolburn (2023-01-24 19:35:58)
The IP in your most recent post is not a private address - it appears to belong to an ISP - indicating that you may be trying to run a public Internet-facing webserver from a machine on your home network...?
As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue: I have a fixed IP from my ISP (Zen) and it hosts both an accessible (apache) website and my (postfix) family mail server.
And we were able to access his website too at one point before it all went pear-shaped.
But as your (dcolburn) server is on a network behind a router can I assume that you have opened the relevant ports on the router as well as your server's (nftables) firewall?
Last edited by Marjorie (2023-01-24 22:44:05)
You should run
# nft -cf /etc/nftables.conf
repeatedly, and each time look at and correct only the first error, until that command no longer gives any output.
Thereafter you apply the corrected rule set with
# nft -f /etc/nftables.conf
Hint: your current nftables.conf has 3 syntax errors.
You could try this nftables.conf.
This is based on mine, which works, the only changes are that I've pruned the additional ports I've opened on mine for email, ntp, dns, monitoring.
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
iifname lo accept
ct state established,related accept
tcp dport ssh ct state new accept
tcp dport http ct state new accept
tcp dport https ct state new accept
# ICMP: errors, pings
ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
# ICMPv6: errors, pings, routing
ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
# Reject other packets
ip protocol tcp reject with tcp reset
}
}
Love the gone "pear shaped" humor. You remind me of an old friend.
I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?
EDIT 1:
Rebooted - no joy.
EDIT 2:
# nft -cf /etc/nftables.conf reports no errors.
Last edited by dcolburn (2023-01-25 03:09:35)
May I suggest that you don't want to compile any netfilter components?
Can you point me to a reliable instructional as to how to have git remove the 'objects' it loaded, please?
The less clutter the better.
Thanks
If the git directory on your system has pathname /home/user/mygitworkspace you would remove that git directory with the terminal command sequence:
$ cd /home/user
$ rm -rf mygitworkspace
Technically, "rm" is the program to run, "-rf" asks for the command variation to delete stuff recursively and force deletion to apply also for read-only files/directories, and "mygitworkspace" identifies the top-level pathname of files and directories to remove.
You could try this nftables.conf.
I did provide the OP with a workable nftable configuration for their use case but they don't appear to be using it. No idea why.
@all: probably best to stop pandering to this person, I suspect they are trolling us.
Brianna Ghey — Rest In Power
Love the gone "pear shaped" humor. You remind me of an old friend.
I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?
EDIT 1:
Rebooted - no joy.
EDIT 2:
# nft -cf /etc/nftables.conf reports no errors.
(as root)
service nftables status
will tell you if it's running.
service nftables restart
or
service nftables force-reload
can be used to restart or just reload the conf file respectively. Or a reboot will also work.
As well as status, run
nft list ruleset
and post it so we can check it's working.
If it is working then I expect your problem is elsewhere.
Try a port scan from another machine on your network to see if ports 80 and 443 are open.
Last edited by Marjorie (2023-01-25 10:30:33)
As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue
I wasn't referring to dynamic IPs, but rather the security implications.
Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.
My advice: stop trying to do this, host the site with an established provider.
3.1415P265E589T932E846R64338
I powered-off the server overnight and just powered back up.
root@devuan1:/# service nftables status
nftables: unrecognized service
root@devuan1:/# service nftables restart
nftables: unrecognized service
root@devuan1:/# service nftables force-reload
nftables: unrecognized service
root@devuan1:/# nft list ruleset
root@devuan1:/#
I suspected a potential conflict but that doesn't appear to be the case ...
root@devuan1:/# whereis ufw
ufw: /etc/ufw
root@devuan1:/# whereis iptables
iptables: /usr/sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
root@devuan1:/# service ufw status
ufw: unrecognized service
root@devuan1:/# service iptables status
iptables: unrecognized service
root@devuan1:/#
Just tried nft flush ruleset; nft -f /etc/nftables.conf - no change.
FYI ...
root@devuan1:/# nft -v
nftables v0.9.8 (E.D.S.)
root@devuan1:/#
This remains a concern ...
root@devuan1:/# whereis libmnl
libmnl:
root@devuan1:/# whereis libnftnl
libnftnl:
root@devuan1:/#
Last edited by dcolburn (2023-01-25 16:50:17)
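The check Marjorie asks for above (post the output of nft list ruleset so it can be inspected) can be automated. What follows is an added example, not code from this thread or from the nftables project: a small Python parser for the subset of nft syntax that appears in the thread, applied to the two rulesets posted here (the NAT-only nft list ruleset output dcolburn showed, and Marjorie's nftables.conf trimmed to its TCP-relevant lines). It reports whether any chain on the input hook is loaded at all, and which verdict a new TCP connection to 22, 80 and 443 would get. The function names, the SERVICE_PORTS table and the simplified rule matching are my own assumptions; the parser understands only tcp dport sets and protocol-wide TCP matches, not the full nft grammar.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}  # nft resolves service names in dport matches

@dataclass
class Chain:
    table: str                    # "<family> <name>", e.g. "inet filter"
    name: str
    hook: Optional[str] = None    # input, output, postrouting, ... (None for non-base chains)
    policy: Optional[str] = None  # accept or drop
    rules: List[str] = field(default_factory=list)

def parse_ruleset(text: str) -> List[Chain]:
    """Line-oriented parser for the 'table { chain { type ...; rules } }' subset of nft syntax."""
    chains: List[Chain] = []
    table: Optional[str] = None
    chain: Optional[Chain] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and the '#!/usr/sbin/nft -f' shebang
        if not line:
            continue
        if m := re.match(r"^table\s+(\w+\s+\S+)\s*\{$", line):
            table = m.group(1)
        elif (m := re.match(r"^chain\s+(\S+)\s*\{$", line)) and table is not None:
            chain = Chain(table, m.group(1))
            chains.append(chain)
        elif line == "}":
            if chain is not None:
                chain = None
            else:
                table = None
        elif chain is None:
            continue  # top-level statements such as 'flush ruleset'
        elif line.startswith("type "):  # base-chain declaration: carries the hook and the policy
            hook = re.search(r"\bhook\s+(\w+)", line)
            policy = re.search(r"\bpolicy\s+(\w+)", line)
            chain.hook = hook.group(1) if hook else None
            chain.policy = policy.group(1) if policy else "accept"  # nft's default policy
        else:
            chain.rules.append(line)
    return chains

def tcp_dports(rule: str) -> Optional[set]:
    """Ports matched by the rule's 'tcp dport' expression, or None if it has no such match."""
    m = re.search(r"\btcp\s+dport\s+(\{[^}]*\}|\S+)", rule)
    if not m:
        return None
    toks = [t.strip() for t in m.group(1).strip("{}").split(",")]
    return {int(t) if t.isdigit() else SERVICE_PORTS[t] for t in toks if t.isdigit() or t in SERVICE_PORTS}

def port_verdict(chain: Chain, port: int) -> str:
    """Verdict of the first rule matching a new TCP connection to `port` (nft evaluates in order),
    falling back to the chain policy."""
    for rule in chain.rules:
        ports = tcp_dports(rule)
        # a protocol-wide match such as 'ip protocol tcp reject with tcp reset' catches every port
        hit = port in ports if ports is not None else re.search(r"\b(ip protocol|meta l4proto)\s+tcp\b", rule)
        if hit and (m := re.search(r"\b(accept|drop|reject)\b", rule)):
            return m.group(1)
    return chain.policy or "accept"

def audit_inbound(text: str, ports: Tuple[int, ...] = (22, 80, 443)) -> dict:
    """Report whether an input-hook chain is loaded at all, and the verdict each port gets."""
    inputs = [c for c in parse_ruleset(text) if c.hook == "input"]
    if not inputs:
        # No base chain on the input hook: the kernel accepts everything, so the host firewall
        # is not what blocks a port; look at the router or another filter instead.
        return {"filtered": False, "chains": [], "verdicts": {p: "accept" for p in ports}}
    verdicts = {}
    for p in ports:
        vs = [port_verdict(c, p) for c in inputs]
        # with several input chains (e.g. separate ip and ip6 tables) a packet must pass all of them
        verdicts[p] = next((v for v in vs if v != "accept"), "accept")
    return {"filtered": True, "chains": [f"{c.table} {c.name} (policy {c.policy})" for c in inputs],
            "verdicts": verdicts}

# Sample inputs taken from the thread: the NAT-only ruleset dcolburn posted and Marjorie's
# nftables.conf trimmed to its TCP-relevant lines (the ICMP rules are omitted here).
NAT_ONLY_RULESET = """\
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 192.168.1.0/24 oif "eth0" snat to 1.2.3.4
    }
}
"""
WORKING_CONF = """\
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname lo accept
        ct state established,related accept
        tcp dport ssh ct state new accept
        tcp dport http ct state new accept
        tcp dport https ct state new accept
        ip protocol tcp reject with tcp reset
    }
}
"""

if __name__ == "__main__":
    for label, text in [("empty ruleset", ""), ("nat only", NAT_ONLY_RULESET), ("Marjorie's conf", WORKING_CONF)]:
        print(label, audit_inbound(text, ports=(22, 80, 443, 8080)))
```

Both the empty output dcolburn posted and the NAT-only ruleset come back with filtered False: with no chain on the input hook, nftables is not dropping port 80 on that host, so whatever blocks the outside connection sits upstream (the router Marjorie asked about). Once Marjorie's conf is loaded, the audit shows 22, 80 and 443 accepted and everything else rejected by the final rule. Against a live system, feed it the real ruleset, for example audit_inbound(subprocess.check_output(["nft", "list", "ruleset"], text=True)), or the file you are about to load, audit_inbound(open("/etc/nftables.conf").read()).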
Marjorie wrote: As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue
I wasn't referring to dynamic IPs, but rather the security implications.
Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.
My advice: stop trying to do this, host the site with an established provider.
Security is manageable - it's a step by step process.
I have web sites hosted on Bluehost, and have for a long time.
This is about the Linux spirit of independence and learning.
Again, this was working, but due to missing the hardware RAID toggle 'on', the system was unstable and had to be reconstructed.
If nftables would only play nicely it would seem we'd be rocking!
@all: probably best to stop pandering to this person, I suspect they are trolling us.
@HoaS the irrepressible cynic . . . I believe that the explanation is much simpler . . .
I am an old person. A very old person. Because I am an old person I took note that early on dcolburn mentioned he was also of a certain age. IIRC, I beat him by some years. When you are such an age . . . if the earth is still around by then . . . you will come to understand the challenges . . .
Thank you.
I find that those who attack the character and intentions of others - despite clear evidence to the contrary (the site was working and was successfully accessed by several on this Forum) are likely projecting something of their own troubles.
It's really easy to just ignore my requests for help and to leave it to those who are willing to answer some very simple questions - from knowledge, rather than conjecture.
I've asked, several times, about my concerns that my nftables install may be corrupted ...
So far, no one has offered a solution (I've looked, a lot, for myself) at how-to restore what I believe to be missing pieces of it (the lib modules, to be precise) - nor, has anyone offered an alternative explanation as to why nftables is not working.
I've been using Linux for a long time and have observed the toxic-assumptions problem before - it's always unhealthy to the community.
Answers to my questions should involve simple step-by-step advice ... false assumptions are, well, we all know about assumptions ... sigh.
@dcolburn . . . I think your expectations may be a bit unrealistic. You have been asking questions now for some time and had responses from knowledgeable users yet you haven't been able to get things working. Seems that somehow things are getting "lost in translation". Perhaps you could find a local Linux user to help you with hands on your machine. There used to be local Linux User Groups (LUGs) for that kind of interaction though I don't know quite how you would go about connecting with someone in 2023. Just a thought . . .