nftables script - configuration - errors

zetetic
Posts: 31
Joined: 2007-08-06 21:29
Has thanked: 1 time

nftables script - configuration - errors

#1 Post by zetetic »

I'm running Debian and I've made the switch from iptables to nftables.
Unfortunately, not everything is going smoothly. Some of the most important settings I had in my iptables script are not working in my nftables script (/etc/nftables.conf).

The settings I've transcribed below, and others like them, all contained in the /etc/nftables.conf file, are not working in nftables:

# ------------------------------------------------------------------------------------------------------- #

Code: Select all

#!/usr/sbin/nft -f

# ---------------------------------------------------- #
# Kernel settings                                        #
# ---------------------------------------------------- #

## For details see:
##   * http://www.securityfocus.com/infocus/1711

########## Enable IP spoofing protection (default is on) ##########
## i.e. drop spoofed packets coming in on an interface, which if replied to,
## would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

########## Ignore incoming ICMP echo-requests - i.e. disable ping (default is on) ##########
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

########## Enable broadcast/multicast echo protection (ignore broadcast/multicast pings) ##########
## i.e. ignore incoming ICMP echo-requests to broadcast/multicast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

########## Disable IP forwarding (default is off) ##########
echo 0 > /proc/sys/net/ipv4/ip_forward

########## Disable TCP Selective ACK (default is on) ##########
echo 0 > /proc/sys/net/ipv4/tcp_sack

########## Disable source routed packets (default is off) ##########
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f; done
# ------------------------------------------------------------------------------------------------------- #

These settings do not work, resulting in errors of this type:

Code: Select all

  /etc/nftables.conf:102:67-67: Error: syntax error, unexpected newline, expecting string or last
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

  /etc/nftables.conf:105:6-6: Error: syntax error, unexpected number, expecting string or last
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Supposedly nftables is superior to iptables...
I wonder if anyone can help me with this issue.
Thanks in advance!

Aki
Global Moderator
Posts: 3083
Joined: 2014-07-20 18:12
Location: Europe
Has thanked: 76 times
Been thanked: 418 times

Re: nftables script - configuration - errors

#2 Post by Aki »

Hello,

Please use code tags to include commands and/or their logs in the body of a message. This time I modified it for you.
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀

fabien
Forum Helper
Posts: 737
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 67 times
Been thanked: 173 times

Re: nftables script - configuration - errors

#3 Post by fabien »

Hello,
zetetic wrote: 2024-04-24 04:04

Code: Select all

#!/usr/sbin/nft -f
[...]
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
The interpreter for this script is /usr/sbin/nft which cannot interpret shell commands.

Note that the parameters you want to set are normally set via the /etc/sysctl.conf file. I personally use the custom file /etc/sysctl.d/98-networking.conf. These files do not accept shell commands though.
See man 5 sysctl.conf
Share your Debian SCRIPTS
There will be neither barrier nor walls, neither official nor guard, there will be no more desert and the entire world will become a garden. — Anacharsis Cloots

zetetic
Posts: 31
Joined: 2007-08-06 21:29
Has thanked: 1 time

Re: nftables script - configuration - errors

#4 Post by zetetic »

Aki wrote: 2024-04-24 06:11 Hello,

Please use code tags to include commands and/or their logs in the body of a message. This time I modified it for you.
Sorry, and thank you so much. Next time I will use code tags.

zetetic
Posts: 31
Joined: 2007-08-06 21:29
Has thanked: 1 time

Re: nftables script - configuration - errors

#5 Post by zetetic »

Mr. Blobby wrote: The interpreter for this script is /usr/sbin/nft which cannot interpret shell commands.
Note that the parameters you want to set are normally set via the /etc/sysctl.conf file. I personally use the custom file /etc/sysctl.d/98-networking.conf. These files do not accept shell commands though.
See man 5 sysctl.conf
Thank you for your reply.
Do you know if I can use the dash interpreter in the "/etc/nftables.conf file"?

If this is possible, it would be a way for me to use nftables in a script that can run shell commands...

fabien
Forum Helper
Posts: 737
Joined: 2019-12-03 12:51
Location: Anarres (Toulouse, France actually)
Has thanked: 67 times
Been thanked: 173 times

Re: nftables script - configuration - errors

#6 Post by fabien »

zetetic wrote: 2024-04-24 14:58 Do you know if I can use the dash interpreter in the "/etc/nftables.conf file"?
The /etc/nftables.conf file is also interpreted by /usr/sbin/nft, so you cannot put shell commands there.
zetetic wrote: 2024-04-24 14:58 If this is possible, it would be a way for me to use nftables in a script that can run shell commands...
You can probably do the opposite, use a shell script that runs nft commands. The simplest would be to use nft -f in the script and have a separate file for the rules.
man 8 nft wrote: -f, --file filename
Read input from filename.
If the only reason you need a shell script is to set the parameters above, well, you don't need it.

Code: Select all

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_sack
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f; done
can respectively be replaced with

Code: Select all

net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.ip_forward=0
net.ipv4.tcp_sack=0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
in /etc/sysctl.d/98-networking.conf

Note: I'm not Mr. Blobby :D
Share your Debian SCRIPTS
There will be neither barrier nor walls, neither official nor guard, there will be no more desert and the entire world will become a garden. — Anacharsis Cloots
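The two points fabien makes in #3 and #6 (nft -f cannot run shell, so kernel parameters belong in a sysctl.d drop-in and the ruleset is loaded separately), as an added example that is not code from the thread or from the Debian nftables package. It converts the "echo N > /proc/sys/..." lines from the original /etc/nftables.conf into the key = value form sysctl.d expects (expanding a conf/*/ glob to conf.all and conf.default, as fabien's file does), counts lines nft would reject, and shows the order a wrapper script should apply things in. The paths /etc/sysctl.d/98-networking.conf and /etc/nftables.conf are the ones named in the thread; the sample input is the poster's six lines, embedded here as a constructed string.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Debian nftables package.
# Converts "echo N > /proc/sys/..." shell lines into sysctl.d "key = value"
# lines, flags shell lines that nft -f will reject, and applies settings and
# ruleset in the right order. Assumed paths: /etc/sysctl.d/98-networking.conf
# and /etc/nftables.conf (both named in the thread).

# proc_to_sysctl PROC_PATH VALUE
#   /proc/sys/net/ipv4/ip_forward 0 -> net.ipv4.ip_forward = 0
# A "*" interface component (conf/*/rp_filter) becomes conf.all and
# conf.default, which is what the drop-in file in the thread uses.
proc_to_sysctl() {
    key=${1#/proc/sys/}                       # drop the /proc/sys/ prefix
    key=$(printf '%s' "$key" | tr '/' '.')    # path separators -> dots
    case $key in
        *.[*].*)
            prefix=${key%%.[*].*}
            suffix=${key#*.[*].}
            printf '%s.all.%s = %s\n' "$prefix" "$suffix" "$2"
            printf '%s.default.%s = %s\n' "$prefix" "$suffix" "$2"
            ;;
        *)
            printf '%s = %s\n' "$key" "$2"
            ;;
    esac
}

# Read shell lines on stdin (plain "echo V > PATH" and the one-line
# "for f in PATH; do echo V > $f; done" form) and emit sysctl lines.
echo_lines_to_sysctl() {
    while IFS= read -r line; do
        case $line in
            'for f in '*)
                rest=${line#for f in }
                path=${rest%%;*}
                value=${rest#*echo }
                value=${value%% *}
                proc_to_sysctl "$path" "$value"
                ;;
            'echo '*)
                rest=${line#echo }
                value=${rest%% *}
                path=${rest#*> }
                proc_to_sysctl "$path" "$value"
                ;;
        esac
    done
}

# Count stdin lines that are shell, not nft syntax. "nft -c -f FILE" is the
# authoritative syntax check; this only shows which lines it will choke on.
count_shell_lines() {
    grep -cE '^[[:space:]]*(for|echo|sysctl)[[:space:]]' || true
}

# Constructed sample: the six shell lines from the original nftables.conf.
SAMPLE_SHELL_LINES='for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 0 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/tcp_sack
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f; done'

# Content for /etc/sysctl.d/98-networking.conf, generated from the sample.
generate_dropin() {
    printf '%s\n' "$SAMPLE_SHELL_LINES" | echo_lines_to_sysctl
}

# Root only: syntax-check the ruleset, load the sysctl drop-in, then the rules.
# Checking first means a stray shell line fails here instead of at boot.
apply_firewall() {
    dropin=${1:-/etc/sysctl.d/98-networking.conf}
    ruleset=${2:-/etc/nftables.conf}
    nft -c -f "$ruleset" || return 1
    sysctl -p "$dropin" >/dev/null || return 1
    nft -f "$ruleset"
}

# Stand-alone: print the drop-in content; "apply" loads it and the ruleset.
case ${1:-print} in
    apply) apply_firewall ;;
    *)     generate_dropin ;;
esac
```

Run it without arguments to see the eight sysctl lines; redirect that output into the drop-in file and it matches fabien's list. The converter only understands the two line shapes in the original post; anything else is left for nft -c -f to report.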
