git netfilter compile problem

dcolburn · 2023-01-24 02:36:15

For whatever reason several modules necessary to nftables are missing (nf_tables_inet, nf_tables_ipv6, nf_tables_ipv4, nf_netlink, nf_chain).

After thrashing about the Internet it seems that this may be the way to restore them ...

$ git clone https://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install

The 'objects' downloaded all 9198 of them

I changed to libnftnl then $ sh autogen.sh but that returned an error "autogen.sh: 3: autoreconf: not found".

So, I'm not certain as to how best to proceed ...

NOTE 1: I tried to reload libmnl and libnftnl via Synaptic but it showed them as present and I didn't see a way to re-install them.

NOTE 2: I first ran $ git clone https://git.netfilter.org/libmnl and the 'objects' downloaded - because this site said libmnl was necessary https://wiki.nftables.org/wiki-nftables … om_sources

Last edited by dcolburn (2023-01-24 02:36:56)

ralph.ronnquist · 2023-01-24 04:47:28

May I suggest that you don't want to compile any netfilter components?

What is your objective?

edit: why do you think that anything is missing from nftables?

dcolburn · 2023-01-24 15:35:35

I'm not seeing nf_tables modules: nf_tables_inet, nf_tables_ip, nf_tables_ip6 when I run "lsmod | grep nf_tables" as shown here https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/

I can view realupnow.com/index.html from the server but not from another computer on the same network.

I can ssh in from another computer on the same network.

I'm not getting errors (nothing in the logs and nothing when I run "nginx -t") the system just isn't connecting from the outside (other than ssh).

alexkemp · 2023-01-24 16:42:59

Sounds like port-80 is blocked for external traffic. But of course, that would mean that nf_tables (or something) is running.

Sorry, but cannot help. I was competent with the old firewall, but know nothing about the new one(s).

dcolburn · 2023-01-24 17:16:24

This is in nftables.com ... which I thought would open 80 outbound?

    chain OUTBOUND {
       type filter hook output priority filter; policy drop;

       # Allow traffic from established and related packets, drop invalid
            ct state vmap { established : accept, related : accept, invalid : drop }
   
       # Allow loopback
            oif "lo" accept

       # Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
            ct state new tcp dport {22, 80, 443} accept
            log prefix "DROP_output: " limit rate 3/second
   }
}

chris2be8 · 2023-01-24 17:17:10

Try running a port scan (eg nmap) from another system on the same network. That should tell you what ports are open.

If you don't have a port scanner sudo traceroute -T -p 80 realupnow.com would test access to port 80, Then you could repeat for other ports, eg 443 (https) and 22 (sshd). That should tell what ports are blocked.

Edit: we cross posted.

You may need to allow *inbound* access to port 80 (and port 443 if you want to use https). Knowing what point of view inbound and outbound refer to can be confusing.

Last edited by chris2be8 (2023-01-24 17:20:52)

Head_on_a_Stick · 2023-01-24 17:21:25

Is nftables actually running?

# nft list ruleset

I would just ignore that "guide". It looks like one of those shitty sites that farm forum & wiki content for ad revenue.

dcolburn · 2023-01-24 17:22:09

traceroute terminates at 66.172.90.106 (the static ip) for 22, 80, and 443.

22 shows one line, 80 and 443 two.

I can ssh in - so 22 is open.

boughtonp · 2023-01-24 18:02:08

To reiterate what others have said, opening port 80 does not require compiling nf_tables (or any other part of the kernel).

The output of the command given in post #7 will show your currently loaded configuration - please provide that.

Also, what exactly is your overall aim / ultimate goal?
(You have a lot of previous threads on topics that appear to overlap - have any of these given such a description yet?)

The IP in your most recent post is not a private address - it appears to belong to an ISP - indicating that you may be trying to run a public Internet-facing webserver from a machine on your home network...?

dcolburn · 2023-01-24 18:39:32

chris2be8 wrote:

Try running a port scan (eg nmap) from another system on the same network. That should tell you what ports are open.
If you don't have a port scanner sudo traceroute -T -p 80 realupnow.com would test access to port 80, Then you could repeat for other ports, eg 443 (https) and 22 (sshd). That should tell what ports are blocked.
Edit: we cross posted.
You may need to allow *inbound* access to port 80 (and port 443 if you want to use https). Knowing what point of view inbound and outbound refer to can be confusing.

    chain inbound {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
       # Allow traffic from established and related packets, drop invalid
            ct state vmap { established : accept, related : accept, invalid : drop }
        iif "lo" counter packets accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        ip protocol igmp accept
#        iif "lo" counter packets 0 bytes 0 accept
#        ip protocol icmp limit rate 4/second accept
#        ip6 nexthdr ipv6-icmp limit rate 4/second accept
#        ip protocol igmp limit rate 4/second accept
        tcp dport { 22, 80, 443 accept
        log
    }

dcolburn · 2023-01-24 18:40:36

Head_on_a_Stick wrote:

Is nftables actually running?
# nft list ruleset
I would just ignore that "guide". It looks like one of those shitty sites that farm forum & wiki content for ad revenue.

root@devuan1:~/libnftnl# nft list ruleset
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		ip saddr 192.168.1.0/24 oif "eth0" snat to 1.2.3.4
	}
}
root@devuan1:~/libnftnl#

What is this telling me about what's happening - and what's not happening that should be?

Last edited by dcolburn (2023-01-24 19:35:58)

Marjorie · 2023-01-24 22:14:44

boughtonp wrote:

The IP in your most recent post is not a private address - it appears to belong to an ISP - indicating that you may be trying to run a public Internet-facing webserver from a machine on your home network...?

As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue: I have a fixed IP from my ISP (Zen) and it hosts both an accessible (apache) website and my (postfix) family mail server.
And we were able to access his website too at one point before it all went pear-shaped.

But as your (dcolburn) server is on a network behind a router can I assume that you have opened the relevant ports on the router as well as your server's (nftables) firewall?

Last edited by Marjorie (2023-01-24 22:44:05)

ralph.ronnquist · 2023-01-24 22:19:42

You should run

# nft -cf /etc/nftables.conf

repeatedly, and each time look at and correct only the first error, until that command no longer gives any output.

Thereafter you apply the corrected rule set with

# nft -cf /etc/nftables.conf

Hint: you current nftables.conf has 3 syntax errors.

Marjorie · 2023-01-24 22:41:52

You could try this nftables.conf.

This is based on mine, which works, the only changes are that I've pruned the additional ports I've opened on mine for email, ntp, dns, monitoring.

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept
    ct state established,related accept
    tcp dport ssh ct state new accept
    tcp dport http ct state new accept
    tcp dport https ct state new accept
    
     # ICMP: errors, pings
     ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
     # ICMPv6: errors, pings, routing
     ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

     # Reject other packets
     ip protocol tcp reject with tcp reset
  }
}

dcolburn · 2023-01-24 23:16:41

Love the gone "pear shaped" humor. You remind me of an old friend.

I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?

EDIT 1:

Rebooted - no joy.

EDIT 2:

# nft -cf /etc/nftables.conf reports no errors.

Last edited by dcolburn (2023-01-25 03:09:35)

dcolburn · 2023-01-25 03:11:22

ralph.ronnquist wrote:

May I suggest that you don't want to compile any netfilter components?

Can you point me to a reliable instructional as to how to have git remove the 'objects' it loaded, please?

The less clutter the better.

Thanks

ralph.ronnquist · 2023-01-25 04:01:40

If the git directory on your system has pathname /home/user/mygitworkspace you would remove that git directory with the terminal command sequence:

$ cd /home/user
$ rm -rf mygitworkspace

Technically, "rm" is the program to run, "-rf" asks for the command variation to delete stuff recursively and force deletion to apply also for read-only files/directories, and "mygitworkspace" identifies the top-level pathname of files and directories to remove.

Head_on_a_Stick · 2023-01-25 07:08:29

Marjorie wrote:

You could try this nftables.conf.

I did provide the OP with a workable nftable configuration for their use case but they don't appear to be using it. No idea why.

@all: probably best to stop pandering to this person, I suspect they are trolling us.

Marjorie · 2023-01-25 10:25:20

dcolburn wrote:

Love the gone "pear shaped" humor. You remind me of an old friend.
I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?
EDIT 1:
Rebooted - no joy.
EDIT 2:
# nft -cf /etc/nftables.conf reports no errors.

(as root)

service nftables status

will tell you if its running.

service nftables restart
or
service nftables force-reload

can be used to restart or just reload the conf file respectively. Or a reboot will also work.

as well as status run

nft list ruleset

and post it so we can check its working.

If it is working then I expect your problem is elsewhere.

Try a port scan from another machine on your network to see if ports 80 and 443 are open.

Last edited by Marjorie (2023-01-25 10:30:33)

boughtonp · 2023-01-25 15:47:04

Marjorie wrote:

As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue

I wasn't referring to dynamic IPs, but rather the security implications.

Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.

My advice: stop trying to do this, host the site with an established provider.

dcolburn · 2023-01-25 15:49:02

I powered-off the server overnight and just powered back up.

root@devuan1:/# service nftables status
nftables: unrecognized service
root@devuan1:/# service nftables restart
nftables: unrecognized service
root@devuan1:/# service nftables force-reload
nftables: unrecognized service
root@devuan1:/# nft list ruleset
root@devuan1:/#

I suspected a potential conflict but that doesn't appear to be the case ...

root@devuan1:/# whereis ufw
ufw: /etc/ufw
root@devuan1:/# whereis iptables
iptables: /usr/sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
root@devuan1:/# service ufw status
ufw: unrecognized service
root@devuan1:/# service iptables status
iptables: unrecognized service
root@devuan1:/#

Just tried nft flush ruleset;nft -f /etc/nftables.conf - no change.

FYI ...

root@devuan1:/# nft -v
nftables v0.9.8 (E.D.S.)
root@devuan1:/#

This remains a concern ...

root@devuan1:/# whereis libmnl
libmnl:
root@devuan1:/# whereis libnftnl
libnftnl:
root@devuan1:/#

Last edited by dcolburn (2023-01-25 16:50:17)

dcolburn · 2023-01-25 16:35:38

boughtonp wrote:

Marjorie wrote:
As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue
I wasn't referring to dynamic IPs, but rather the security implications.
Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.
My advice: stop trying to do this, host the site with an established provider.

Security is manageable - it's a step by step process.

I have web sites hosted on Bluehost, and have for a long time.

This is about the Linux spirit of independence and learning.

Again, this was working, but due to missing the hardware RAID toggle 'on', the system was unstable and had to be reconstructed.

If nftables would only play nicely it would seem we'd be rocking!

golinux · 2023-01-25 17:00:59

Head_on_a_Stick wrote:

@all: probably best to stop pandering to this person, I suspect they are trolling us.

@ HoaS the irrepressible cynic . . . I believe that the explanation is much simpler . . .

I am an old person. A very old person. Because I am an old person I took note that early on dcolburn mentioned he was also of a certain age. IIRC, I beat him by some years. When you are such an age . . . if the earth is still around by then . . . you will come to understand the challenges . . .

dcolburn · 2023-01-25 17:48:55

Thank you.

I find that those who attack the character and intentions of others - despite clear evidence to the contrary (the site was working and was successfully accessed by several on this Forum) are likely projecting something of their own troubles.

It's really easy to just ignore my requests for help and to leave it to those who are willing to answer some very simple questions - from knowledge, rather than conjecture.

I've asked, several times, about my concerns that my nftables install may be corrupted ...

So far, no one has offered a solution (I've looked, a lot, for myself) at how-to restore what I believe to be missing pieces of it (the lib modules, to be precise) - nor, has anyone offered an alternative explanation as to why nftables is not working.

I've been using Linux for a long time and have observed the toxic-assumptions problem before - it's always unhealthy to the community.

Answers to my questions should involve simple step-by-step advice ... false assumptions are, well, we all know about assumptions ... sigh.

golinux · 2023-01-26 01:57:11

@dcolburn . . . I think your expectations may be a bit unrealistic. You have been asking questions now for some time and had responses from knowledgeable users yet you haven't been able to get things working. Seems that somehow things are getting "lost in translation". Perhaps you could find a local Linux user to help you with hands on your machine. There used to be local Linux User Groups (LUGs) for that kind of interaction though I don't know quite how you would go about connecting with someone in 2023. Just a thought . . .

The officially official Devuan Forum!

#1 2023-01-24 02:36:15

git netfilter compile problem

#2 2023-01-24 04:47:28

Re: git netfilter compile problem

#3 2023-01-24 15:35:35

Re: git netfilter compile problem

#4 2023-01-24 16:42:59

Re: git netfilter compile problem

#5 2023-01-24 17:16:24

Re: git netfilter compile problem

#6 2023-01-24 17:17:10

Re: git netfilter compile problem

#7 2023-01-24 17:21:25

Re: git netfilter compile problem

#8 2023-01-24 17:22:09

Re: git netfilter compile problem

#9 2023-01-24 18:02:08

Re: git netfilter compile problem

#10 2023-01-24 18:39:32

Re: git netfilter compile problem

#11 2023-01-24 18:40:36

Re: git netfilter compile problem

#12 2023-01-24 22:14:44

Re: git netfilter compile problem

#13 2023-01-24 22:19:42

Re: git netfilter compile problem

#14 2023-01-24 22:41:52

Re: git netfilter compile problem

#15 2023-01-24 23:16:41

Re: git netfilter compile problem

#16 2023-01-25 03:11:22

Re: git netfilter compile problem

#17 2023-01-25 04:01:40

Re: git netfilter compile problem

#18 2023-01-25 07:08:29

Re: git netfilter compile problem

#19 2023-01-25 10:25:20

Re: git netfilter compile problem

#20 2023-01-25 15:47:04

Re: git netfilter compile problem

#21 2023-01-25 15:49:02

Re: git netfilter compile problem

#22 2023-01-25 16:35:38

Re: git netfilter compile problem

#23 2023-01-25 17:00:59

Re: git netfilter compile problem

#24 2023-01-25 17:48:55

Re: git netfilter compile problem

#25 2023-01-26 01:57:11

Re: git netfilter compile problem

Board footer