TCP Stealth scan rules in nftables [solved]

Lecram
Posts: 120
Joined: 2009-06-03 08:54

TCP Stealth scan rules in nftables [solved]

#1 Post by Lecram »

I'm currently using Debian buster 64 bit. I'm testing nftables rules for my desktop. I want to add rules for TCP stealth scan and I got the following code from

https://github.com/yoramvandevelde/nfta ... init.rules which gives the error

Code:

nft add rule  ip filter input iifname enp2s0 tcp flags & (ack|fin) == fin drop  
-bash: syntax error near unexpected token `==' 
but if I do the following code it gets accepted

Code:

nft add rule  inet filter input iifname enp2s0 tcp flags ack,fin,fin drop
I also checked the ruleset

Code:

root@debian:~# nft list ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname "enp2s0" tcp flags != syn ct state new drop
		iifname "enp2s0" udp length { 28-32 } drop
		iifname "enp2s0" tcp flags fin,ack drop
		iifname "lo" ct state established,related accept
		iifname "enp2s0" ct state established,related accept
		iifname "enp2s0" ct state invalid,untracked drop
	}
}
How do I know if the code I added works? In iptables I can always check with

Code:

 iptables -L -v 
What is the similar command for nftables? Is my nftables rule for TCP stealth scan correct?
P.S. I checked the book Linux Firewalls: Enhancing Security with nftables and Beyond, fourth edition, by Steve Suehring; it only mentions TCP stealth scan rules for iptables.
Last edited by Lecram on 2019-07-20 08:06, edited 1 time in total.

reinob
Posts: 1196
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: TCP Stealth scan rules in nftables

#2 Post by reinob »

Lecram wrote: I'm currently using Debian buster 64 bit. I'm testing nftables rules for my desktop. I want to add rules for TCP stealth scan and I got the following code from

https://github.com/yoramvandevelde/nfta ... init.rules which gives the error

Code:

nft add rule  ip filter input iifname enp2s0 tcp flags & (ack|fin) == fin drop  
-bash: syntax error near unexpected token `==' 
Did you just run that script with bash or what?
The page/file you linked tells you to:

Code:

sudo nft -f nftables-init.rules
What's the output of running that?

(note also that you should NOT use that script as is.. but you probably know what you're doing do you? :)

User avatar
Lecram
Posts: 120
Joined: 2009-06-03 08:54

Re: TCP Stealth scan rules in nftables

#3 Post by Lecram »

reinob wrote: (note also that you should NOT use that script as is.. but you probably know what you're doing do you? :)
I did not run the script as it is. I typed every command in the terminal. I have found the solution to my question; it was in the
Arch Linux wiki https://wiki.archlinux.org/index.php/Nf ... and_tricks
In the terminal it should be run like this:

Code:

nft add rule inet filter input iifname enp2s0 tcp flags \& \(syn\|fin\) == \(syn\|fin\) drop
There are some idiosyncrasies in nftables. For example, if we give the icmp type set in braces without spaces, like this

Code:

nft add rule  inet filter input iifname enp2s0 icmp type {echo-reply,destination-unreachable,time-exceeded} limit rate 1/second  accept 
it will give the following error

Code:

Error: No symbol type information
add rule inet filter input iifname enp2s0 icmp type echo-reply destination-unreachable time-exceeded limit rate 1/second accept
                                                                                             ^^^^^^^^^^^^^^^^^^^^^^^
Also, for a null scan we can't give commands like

Code:

nft add rule inet filter input iifname enp2s0 tcp flags \& \(fin\|syn\|rst\|psh\|ack\|urg\) == 0 drop
or
nft add rule inet filter input iifname enp2s0 tcp flags \& \(all\) == \(none\) drop

it has to be like this

Code:

nft add rule  inet filter input iifname enp2s0 tcp flags \& \(fin\|syn\|rst\|psh\|ack\|urg\)  \<  fin drop


Apparently most of those who wrote tutorials on blogs and websites ran the iptables-to-nftables translator or just posted the exported ruleset.
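The bit semantics behind the rule forms above, as an added example that is not part of the thread: a small Python model of the nftables `tcp flags & (mask) == value` comparison, used to check which constructed flag combinations the FIN, NULL and Xmas rules match and why the `< fin` spelling works for a NULL scan. The any-of reading of the bare comma form (`tcp flags fin,ack`) is my understanding of nftables, not something the thread states.

```python
# Added example, not from the thread: models the bit arithmetic behind the
# nftables "tcp flags & (mask) == value" comparisons so stealth-scan rules can
# be sanity-checked against sample flag bytes before loading them with nft -f.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG  # the six flags the thread's rules mask on

def masked_equals(flags, mask, value):
    """nft 'tcp flags & (mask) == value': exact match after masking."""
    return (flags & mask) == value

def any_set(flags, mask):
    """Assumed nft reading of 'tcp flags a,b' (no operator): any bit of mask set."""
    return (flags & mask) != 0

def null_scan_via_lt(flags):
    """The '< fin' form from the thread: FIN is bit 0, so masked < 1 means masked == 0."""
    return (flags & ALL) < FIN

def classify(flags):
    """Name the probe type a packet's TCP flag byte corresponds to, or None."""
    if masked_equals(flags, ALL, 0):
        return "null-scan"          # no flags at all
    if masked_equals(flags, ALL, FIN):
        return "fin-scan"           # only FIN
    if masked_equals(flags, ALL, FIN | PSH | URG):
        return "xmas-scan"          # FIN+PSH+URG
    if masked_equals(flags, SYN | FIN, SYN | FIN):
        return "syn-fin"            # contradictory combination
    return None                     # ordinary traffic

# Constructed sample packets (flag bytes only), not real captures.
SAMPLES = {
    "null probe": 0,
    "fin probe": FIN,
    "xmas probe": FIN | PSH | URG,
    "handshake syn": SYN,
    "established data": PSH | ACK,
    "graceful close": FIN | ACK,
}

def compare_fin_rules():
    """For each sample: (masked '& (ack|fin) == fin' hit, bare 'fin,ack' any-of hit).
    The second column shows why the any-of spelling would also drop normal traffic."""
    return {name: (masked_equals(f, ACK | FIN, FIN), any_set(f, ACK | FIN))
            for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, f in SAMPLES.items():
        print(f"{name:17s} flags=0x{f:02x} -> {classify(f)}")
```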

reinob
Posts: 1196
Joined: 2014-06-30 11:42
Has thanked: 99 times
Been thanked: 47 times

Re: TCP Stealth scan rules in nftables

#4 Post by reinob »

Lecram wrote: Apparently most of those who wrote tutorials on blogs and websites ran the iptables-to-nftables translator or just posted the exported ruleset.
The example you've shown, and probably others, place the rules in a file, which is then fed to nft, with

Code:

# nft -f /path/to/the/file
If you run each line from the shell, prepending "nft add rule", you have to make sure that the shell doesn't interpret things it shouldn't, like "(", ")" and "&".

Best is in any case to put your rules in a file and use "nft -f".

theblueplll
Posts: 154
Joined: 2019-04-29 01:17
Been thanked: 2 times

Re: TCP Stealth scan rules in nftables

#5 Post by theblueplll »

There is a lot of information about how these types of scans and others work on https://nmap.org/book/man.html.

Also other places on their site.

It would be a good idea in my opinion to read and research that as much as you can, since that is the most used port scanner there is.

Also keep in mind that there are techniques that you cannot fully defend against.
Some, I imagine, aren't even public knowledge.
