Wireguard and NFTables question

Linux Kernel, Network, and Services configuration.
tmick
Posts: 53
Joined: 2012-05-27 21:31
Has thanked: 5 times

Wireguard and NFTables question

#1 Post by tmick »

So I started using a VPN that has a WireGuard configuration file, and I launch it with the wg-quick command.
I've noticed that my logs are getting multiple reports of this:

Code:

May 26 07:02:03 DebianTim kernel: [204567.275982] FW6 REJECT (input): IN=enp1s0 OUT= MAC=33:33:00:00:00:01:48:4e:fc:f0:69:b8:86:dd SRC=fe80:0000:0000:0000:4a4e:fcff:fef0:69b8 DST=ff02:0000:0000:0000:0000:0000:0000:0001 LEN=168 TC=0 HOPLIMIT=255 FLOWLBL=1007108 PROTO=ICMPv6 TYPE=134 CODE=0
I found in the nftables examples section a workstation config that contains these lines:

Code:

# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
If I try using that to make enp1s0 stop rejecting the IPv6 Neighbor Discovery stuff, I get errors about "unexpected meta", and if I try to change it to

Code:

# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
ip6 nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
it tells me "unexpected ip6".
So how do I shut these messages up?

Code:

nft list ruleset
table ip6 wg-quick-tun0 {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "tun0" ip6 daddr fd7d:76ee:e68f:a993:6c33:1401:f02c:98a8 fib saddr type != local drop
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}
table ip wg-quick-tun0 {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "tun0" ip daddr 10.0.0.0 fib saddr type != local drop
	}

	chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

	chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}
table ip sshguard {
	set attackers {
		type ipv4_addr
		flags interval
	}

	chain blacklist {
		type filter hook input priority filter - 10; policy accept;
		ip saddr @attackers drop
	}
}
table ip6 sshguard {
	set attackers {
		type ipv6_addr
		flags interval
	}

	chain blacklist {
		type filter hook input priority filter - 10; policy accept;
		ip6 saddr @attackers drop
	}
}
and this is what ip route displays:

Code:

ip route
default via 192.168.0.0 dev enp1s0 proto dhcp src 192.168.0.0 metric 100 
10.128.0.0/10 dev tun0 proto kernel scope link src 10.0.0.0 
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.0 metric 100 
How do I get the packets to be dropped, and WHERE do I put it (which table, rule and section)?
Thanks, I'm sure it's something simple to someone more familiar with NFTables.

Uptorn
Posts: 209
Joined: 2022-01-22 01:07
Has thanked: 177 times
Been thanked: 45 times

Re: Wireguard and NFTables question

#2 Post by Uptorn »

Does WireGuard write changes to your nftables.conf when you run it? I have always used nftables' inet category so that I don't need to worry about distinguishing between v4 and v6.

tmick
Posts: 53
Joined: 2012-05-27 21:31
Has thanked: 5 times

Re: Wireguard and NFTables question

#3 Post by tmick »

No, it creates its own table, tun0,
and when I disconnect the VPN it stops that table. The example I was trying to use is this one, called Workstation.nft:

Code:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0;

		# accept any localhost traffic
		iif lo accept

		# accept traffic originated from us
		ct state established,related accept

		# activate the following line to accept common local services
		#tcp dport { 22, 80, 443 } ct state new accept

		# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

		# count and drop any other traffic
		counter drop
	}
}
My current nftables.conf looks like:

Code:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

	chain base_checks {
		# Drop invalid connections and allow established/related connections
		ct state invalid drop
		ct state {established, related} accept
	}

	chain input {
		type filter hook input priority 0; policy drop;

		jump base_checks

		# Allow from loopback
		iifname lo accept
		iifname != lo ip daddr 127.0.0.1/8 drop

		# New UDP traffic will jump to the UDP chain
		ip protocol udp ct state new jump UDP
		# New TCP traffic will jump to the TCP chain
		tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP

		# Everything else
		ip protocol udp reject
		ip protocol tcp reject with tcp reset
		reject with icmpx type port-unreachable
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}

	# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
	ip6 nexthdr ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
	ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

	# count and drop any other traffic
	counter drop

	# ---------------------------------------------------------------------------------
	##CHAIN RULES

	# TCP chain
	set TCP_accepted {
		type inet_service; flags interval;
		elements = {1714-1764}
	}
	chain TCP {
		tcp dport @TCP_accepted accept
	}

	# UDP chain
	set UDP_accepted {
		type inet_service; flags interval;
		elements = {1714-1764}
	}
	chain UDP {
		udp dport @UDP_accepted accept
	}
}
I also have an nftables file that fail2ban made:

Code:

# Fail2Ban configuration file
#
# Author: Daniel Black
# Author: Cyril Jaquier
# Modified: Yaroslav O. Halchenko <debian@onerussian.com>
# 			made active on all ports from original iptables.conf
# Modified: Alexander Belykh <albel727@ngs.ru>
#                       adapted for nftables
#
# This is a included configuration file and includes the definitions for the nftables
# used in all nftables based actions by default.
#
# The user can override the defaults in nftables-common.local
# Example: redirect flow to honeypot
#
# [Init]
# table_family = ip
# chain_type = nat
# chain_hook = prerouting
# chain_priority = -50
# blocktype = counter redirect to 2222

[INCLUDES]

after = nftables-common.local

[Definition]

# Option:  type
# Notes.:  type of the action.
# Values:  [ multiport | allports ]  Default: multiport
#
type = multiport

rule_match-custom =
rule_match-allports = meta l4proto \{ <protocol> \}
rule_match-multiport = $proto dport \{ $(echo '<port>' | sed s/:/-/g) \}
match = <rule_match-<type>>

# Option:  rule_stat
# Notes.:  statement for nftables filter rule.
#          leaving it empty will block all (include udp and icmp)
# Values:  nftables statement
#
rule_stat = %(match)s <addr_family> saddr @<addr_set> <blocktype>

# optional interator over protocol's:
_nft_for_proto-custom-iter =
_nft_for_proto-custom-done =
_nft_for_proto-allports-iter =
_nft_for_proto-allports-done =
_nft_for_proto-multiport-iter = for proto in $(echo '<protocol>' | sed 's/,/ /g'); do
_nft_for_proto-multiport-done = done

_nft_list = <nftables> -a list chain <table_family> <table> <chain>
_nft_get_handle_id = grep -oP '@<addr_set>\s+.*\s+\Khandle\s+(\d+)$'

_nft_add_set = <nftables> add set <table_family> <table> <addr_set> \{ type <addr_type>\; \}
              <_nft_for_proto-<type>-iter>
              <nftables> add rule <table_family> <table> <chain> %(rule_stat)s
              <_nft_for_proto-<type>-done>
_nft_del_set = { %(_nft_list)s | %(_nft_get_handle_id)s; } | while read -r hdl; do
               <nftables> delete rule <table_family> <table> <chain> $hdl; done
              <nftables> delete set <table_family> <table> <addr_set>

# Option:  _nft_shutdown_table
# Notes.:  command executed after the stop in order to delete table (it checks that no sets are available):
# Values:  CMD
#
_nft_shutdown_table = { <nftables> list table <table_family> <table> | grep -qP '^\s+set\s+'; } || {
                        <nftables> delete table <table_family> <table>
                      }

# Option:  actionstart
# Notes.:  command executed on demand at the first ban (or at the start of Fail2Ban if actionstart_on_demand is set to false).
# Values:  CMD
#
actionstart = <nftables> add table <table_family> <table>
              <nftables> -- add chain <table_family> <table> <chain> \{ type <chain_type> hook <chain_hook> priority <chain_priority> \; \}
              %(_nft_add_set)s

# Option:  actionflush
# Notes.:  command executed once to flush IPS, by shutdown (resp. by stop of the jail or this action);
#          uses `nft flush set ...` and as fallback (e. g. unsupported) recreates the set (with references)
# Values:  CMD
#
actionflush = { <nftables> flush set <table_family> <table> <addr_set> 2> /dev/null; } || {
              %(_nft_del_set)s
              %(_nft_add_set)s
              }

# Option:  actionstop
# Notes.:  command executed at the stop of jail (or at the end of Fail2Ban)
# Values:  CMD
#
actionstop = %(_nft_del_set)s
             <_nft_shutdown_table>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <nftables> list chain <table_family> <table> <chain> | grep -q '@<addr_set>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <nftables> add element <table_family> <table> <addr_set> \{ <ip> \}

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <nftables> delete element <table_family> <table> <addr_set> \{ <ip> \}

[Init]

# Option:  table
# Notes.:  main table to store chain and sets (automatically created on demand)
# Values:  STRING  Default: f2b-table
table = f2b-table

# Option:  table_family
# Notes.:  address family to work in
# Values:  [ip | ip6 | inet]  Default: inet
table_family = inet

# Option:  chain
# Notes.:  main chain to store rules
# Values:  STRING  Default: f2b-chain
chain = f2b-chain

# Option:  chain_type
# Notes.:  refers to the kind of chain to be created
# Values:  [filter | route | nat]  Default: filter
#
chain_type = filter

# Option:  chain_hook
# Notes.:  refers to the kind of chain to be created
# Values:  [ prerouting | input | forward | output | postrouting ]  Default: input
#
chain_hook = input

# Option:  chain_priority
# Notes.:  priority in the chain.
# Values:  NUMBER  Default: -1
#
chain_priority = -1

# Option:  addr_type
# Notes.:  address type to work with
# Values:  [ipv4_addr | ipv6_addr]  Default: ipv4_addr
#
addr_type = ipv4_addr

# Default name of the filtering set
#
name = default

# Option:  port
# Notes.:  specifies port to monitor
# Values:  [ NUM | STRING ]  Default:
#
port = ssh

# Option:  protocol
# Notes.:  internally used by config reader for interpolations.
# Values:  [ tcp | udp ] Default: tcp
#
protocol = tcp

# Option:  blocktype
# Note:    This is what the action does with rules. This can be any jump target
#          as per the nftables man page (section 8). Common values are drop,
#          reject, reject with icmpx type host-unreachable, redirect to 2222
# Values:  STRING
blocktype = reject

# Option:  nftables
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
nftables = nft

# Option: addr_set
# Notes.: The name of the nft set used to store banned addresses
# Values: STRING
addr_set = addr-set-<name>

# Option: addr_family
# Notes.: The family of the banned addresses
# Values: [ ip | ip6 ]
addr_family = ip

[Init?family=inet6]
addr_family = ip6
addr_type = ipv6_addr
addr_set = addr6-set-<name>
fail2ban also made nftables-allports.conf and nftables-multiports.conf, but they reside in /etc/nftables/fail2ban/action.d.
As I showed earlier in this post, the only two tables that show up when I run the command to list all my tables are sshguard and wg-quick.
So I'm not sure what is actually pulling things into my network stack.

tmick
Posts: 53
Joined: 2012-05-27 21:31
Has thanked: 5 times

Re: Wireguard and NFTables question [SOLVED]

#4 Post by tmick »

So I got tired of trying to find the answer online and opened a bug in Debian. My nftables.conf now looks like:

Code:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {

	chain base_checks {
		# Drop invalid connections and allow established/related connections
		ct state invalid drop
		ct state {established, related} accept
	}

	chain input {
		type filter hook input priority 0; policy drop;

		# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
		meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
		#ipv6 saddr fe80::/10
		icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept

		jump base_checks

		# Allow from loopback
		iifname lo accept
		iifname != lo ip daddr 127.0.0.0/32 drop

		# New UDP traffic will jump to the UDP chain
		ip protocol udp ct state new jump UDP
		# New TCP traffic will jump to the TCP chain
		tcp flags & (fin | syn | rst | ack) == syn ct state new jump TCP

		# Everything else
		ip protocol udp reject
		ip protocol tcp reject with tcp reset
		reject with icmpx type port-unreachable
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}

	chain output {
		type filter hook output priority 0; policy accept;
	}

	# count and drop any other traffic
	counter enp1s0 {}

	# ---------------------------------------------------------------------------------
	##CHAIN RULES

	# TCP chain
	set TCP_accepted {
		type inet_service; flags interval;
		elements = {1714-1764}
	}
	chain TCP {
		tcp dport @TCP_accepted accept
	}

	# UDP chain
	set UDP_accepted {
		type inet_service; flags interval;
		elements = {1714-1764}
	}
	chain UDP {
		udp dport @UDP_accepted accept
	}
}
I had to change the lines to:

Code:

# ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1
meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept
#ipv6 saddr fe80::/10
icmpv6 type { 130, 131, 132, 134, 143, 151, 152, 153 } accept
I'm unsure why I had to comment out the IPv6 loopback address, but it's working now. :D :mrgreen:
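A minimal ruleset for the case discussed in this thread, added here as an example and not taken from any of the posts: the RFC 4890 accept rules sit inside the input chain (a rule placed at table scope is what makes nft stop with "unexpected meta" or "unexpected ip6"), and the link-local restriction uses nft's `ip6` keyword, since `ipv6` is not an nft keyword. It assumes enp1s0 is the only LAN interface, keeps the 1714-1764 port range from the poster's config, and leaves the wg-quick and sshguard tables alone.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's config. One inet table so the same
# chain covers IPv4 and IPv6; wg-quick and sshguard tables are untouched.

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;

		iif lo accept
		ct state invalid drop
		ct state established,related accept

		# Rules belong inside a chain. At table scope nft stops with
		# "syntax error, unexpected meta" (or "unexpected ip6").
		# RFC 4890 section 4.4.1: ICMPv6 a host needs for ND and PMTUD,
		# including type 134 (nd-router-advert) seen in the rejected log line.
		meta nfproto ipv6 icmpv6 type {
			destination-unreachable, packet-too-big, time-exceeded,
			parameter-problem, echo-reply, echo-request,
			nd-router-solicit, nd-router-advert,
			nd-neighbor-solicit, nd-neighbor-advert, 148, 149
		} accept

		# MLD (130-132, 143) and MRD (151-153) are only valid from a
		# link-local source. The match keyword is "ip6", not "ipv6";
		# "ipv6 saddr" is a parse error.
		ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept

		# Local services; port range taken from the poster's sets (assumption).
		tcp dport 1714-1764 ct state new accept
		udp dport 1714-1764 ct state new accept

		# Keep the dmesg prefix seen in the thread so existing searches
		# still match, then reject the rest instead of silently dropping.
		counter log prefix "FW6 REJECT (input): " reject
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
	}
}
```

Validate it without loading with `nft -c -f /etc/nftables.conf`; a rule left outside a chain fails there with the same "unexpected" message before it can touch the live ruleset.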
