Difficulties to configure

[Arnaudduluoz]

Hello !

I am trying to make geo-nft working on my server. The software works quite well : I have followed all the instructions of the User Guide and face no error at all. My problem is related to the adaptation of the configuration file to my needs.

I am running a machine which is hosting a web server (http + https ports) and an email server (imap2, imaps, submission, smtp ports).

I want to specify the rules regarding the usage of the ports :

• imap2/imaps/submission/smtp ports opened input+output in order to permit emails to enter and leave the server ;
• ssh/http/https opened on output but only opened from some countries (FR, DE) on input in order to limit access to my webserver and avoid spam and bots ;
• http, https, imaps, imap2, submission & smtp free for localhost in order to permit my server to communicate freely ;
• all other ports closed.

My goal is to block attacks coming from other countries on my web server and ssh.

I've tried several solutions to make my configuration working but do not succeed to find the best solution. I am not very familiar with nftables and firewall rules and only achieve degrading the suggested template without any efficience...
When I use the raw suggested template, all my connections are blocked...

Can anyone help me to write the best solution for nftables.conf ?

Thank you in advance for your precious help !

Best regards,

Arnaud

[wirefalls]

I'm probably not the best person to help you with writing general firewall rules for your server. However, I can point you to a few resources to get you started. The nftables wiki is a great source of information, and contains firewall examples. The ArchWiki also has some nice firewall examples. Red Hat has a useful nftables guide that can help you. Red Hat also has an excellent SSH article entitled "Eight ways to protect SSH access on your system" that has good tips. Another great resource of information is Linuxsecurity.com. You can also request help on the nftables mailing list.

I'm not sure if you're using IPv4, IPv6 or both. If you can let us know which IP protocol(s) you're using then it will help others to provide more specific answers.

SSH

For your SSH firewall rule, see this post for an example. If using IPv4, then add a new empty SSH set at the top of your main table in your nftables.conf file:

# Define empty set to store IPv4 country code specific address ranges for SSH.
set geo-ssh {
	type ipv4_addr
	flags interval
	# Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
}

If using IPv6, then add a new empty SSH set at the top of your main table in your nftables.conf file:

# Define empty set to store IPv6 country code specific address ranges for SSH.
set geo-ssh6 {
	type ipv6_addr
	flags interval
	# Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
}

Next, add a rule to your input chain in nftables.conf to replace the current SSH rule (adjust dport number to match the port that you're using for SSH). I'm going by memory here, so you'll need to test these rules:

If using IPv4, add this line to the input chain in your nftables.conf file to replace the current SSH rule:

ip saddr @geo-ssh tcp dport 22 counter accept comment "Accept SSH on port 22 from addresses in set @geo-ssh"

If using IPv6, add this line to the input chain in your nftables.conf file to replace the current SSH rule:

ip6 saddr @geo-ssh6 tcp dport 22 counter accept comment "Accept SSH on port 22 from addresses in set @geo-ssh6"

If using both IPv4 and IPv6, then add both of the above rules to replace the existing SSH rule.

Save your nftables.conf file, then restart nftables:

sudo systemctl restart nftables

Next, add define line(s) to /etc/nftables/geo-nft/refill-sets.conf:

If using IPv4 only, add this line to refill-sets.conf:

define-ipv4 ip filter geo-ssh FR,DE

If using IPv6 only, add this line to refill-sets.conf:

define-ipv6 ip6 filter geo-ssh6 FR,DE

If using both IPv4 and IPv6, add these two lines to refill-sets.conf:

define-ipv4 inet filter geo-ssh FR,DE
define-ipv6 inet filter geo-ssh6 FR,DE

Save the refill-sets.conf file, then run geo-nft to fill the new sets you created:

sudo geo-nft

Make sure that you have an alternate way to access your server in case you lock yourself out with any of the above rules. :)

HTTP/HTTPS

For HTTP/HTTPS you can create new empty sets as you did for SSH, or you can just use the existing SSH sets that you created since you'll be using the same country codes for both SSH and HTTP/HTTPS. Assuming that you use the SSH sets for HTTP/HTTPS as well, add a rule to your input chain in nftables.conf just above the current SSH rule. I'm going by memory here, so you'll need to test these rules:

If using IPv4, add this line to the input chain in your nftables.conf file just above the current SSH rule:

ip saddr @geo-ssh tcp dport { 80, 443 } ct state new counter accept comment "Accept HTTP/HTTPS on ports 80,443 from addresses in set @geo-ssh"

If using IPv6, add this line to the input chain in your nftables.conf file just above the current SSH rule:

ip6 saddr @geo-ssh6 tcp dport { 80, 443 } ct state new counter accept comment "Accept HTTP/HTTPS on ports 80,443 from addresses in set @geo-ssh6"

Save your nftables.conf file, then restart nftables:

sudo systemctl restart nftables

All of the sample firewall rulesets in the wiki have a rule in the input and output chain to accept localhost traffic, so that part should work.

All of the sample firewall rulesets in the wiki have an output rule to allow outgoing HTTP/HTTPS packets. You'll need to comment out the rule in the output chain that's just above the rule allowing outgoing HTTP/HTTPS packets so that it works the way you want it to. Comment these rules out by placing a '#' mark at the beginning of the rule in your nftables.conf file as shown:

    # Reject outgoing IPv4 packets to destination address ranges (elements) in the
    # geo-inet4 set. Outgoing packets are rejected rather than dropped to prevent
    # local apps and clients from having to wait for the connection to time out.
    #ip daddr @geo-inet4 counter reject comment "Reject destination addresses in set geo-inet4"

    # Reject outgoing IPv6 packets to destination address ranges (elements) in the
    # geo-inet6 set. Outgoing packets are rejected rather than dropped to prevent
    # local apps and clients from having to wait for the connection to time out.
    #ip6 daddr @geo-inet6 counter reject comment "Reject destination addresses in set geo-inet6"

To close all other outgoing ports you'll need to change the last rule in the output chain to drop all other outgoing traffic rather than accepting it. Change the last rule in the output chain to look like this:

    # Drop all other outgoing traffic.
    counter drop comment "Drop all other outgoing traffic"

Also change the default policy at the top of the output chain to 'drop', so that it looks like this:

chain output {
    type filter hook output priority 0; policy drop;

Save your nftables.conf file, then restart nftables:

sudo systemctl restart nftables

You'll probably want to test the server now to make sure that everything works, and that your server can get operating system updates, correct time, etc.

I don't have experience with email server rules, so maybe someone else can answer that part. That was a long post, please let me know if there are any typos or information that needs to be corrected.

I hope this helps you out. Thanks.

[Arnaudduluoz]

Dear @wirefalls,

Thank you very much for your very precise answer. I really appreciate your help.
I have tried a new configuration. It has been made with the wiki template and your above recommendations:

flush ruleset                                                                    
                                                                                 
# Add an inet table to allow both IPv4 and IPv6 traffic.
table inet filter {

# Define empty set to store IPv4 country code specific address ranges for SSH.
  set geo-ssh {
	type ipv4_addr
	flags interval
	# Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
  }

# Define empty set to store IPv6 country code specific address ranges for SSH.
  set geo-ssh6 {
	type ipv6_addr
	flags interval
	# Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
  }

  chain ingress {
    # Replace 'device_name' below with the name of your WAN network interface
    # from running "ip a" or "ifconfig" in a terminal.
    type filter hook ingress device eth0 priority 0; policy accept;

    # Count and drop IPv4 traffic from source address ranges (elements) in the geo-ssh4
    # set defined above.
    ip saddr @geo-ssh counter drop comment "Drop source addresses in set geo-ssh4"

    # Count and drop IPv6 traffic from source address ranges (elements) in the geo-ssh6
    # set defined above.
    ip6 saddr @geo-ssh6 counter drop comment "Drop source addresses in set geo-ssh6"

  }

  chain input {
    type filter hook input priority 0; policy drop;

    # Accept incoming traffic from connections we originated.
    ct state established,related counter accept comment "Accept established and related traffic"

    # Accept localhost traffic.
    iif lo counter accept comment "Accept localhost traffic"

    # Drop invalid state packets.
    ct state invalid counter drop comment "Drop invalid state packets"

    # Accept HTTP//HTTPS on ports 80 & 43
    ip saddr @geo-ssh tcp dport { http, https } ct state new counter accept comment "Accept HTTP/HTTPS on ports 80,443 from addresses in set @geo-ssh"
    ip6 saddr @geo-ssh6 tcp dport { http, https } ct state new counter accept comment "Accept HTTP/HTTPS on ports 80,443 from addresses in set @geo-ssh6"

    # Accept SSH on port 1926.
    ip saddr @geo-ssh tcp dport 1926 counter accept comment "Accept SSH on port 1926 from addresses in set @geo-ssh"
    ip6 saddr @geo-ssh6 tcp dport 1926 counter accept comment "Accept SSH on port 1926 from addresses in set @geo-ssh6"
    ip saddr 192.168.0.0/16 tcp dport 1926 counter accept comment "Accept SSH on port 1926 from local network"

    # Accept ICMP traffic.
    ip protocol icmp limit rate 5/second counter accept comment "Accept ICMP traffic"

    # Accept IGMP traffic.
    ip protocol igmp limit rate 5/second counter accept comment "Accept IGMP traffic"

    # Accept IPv6 neighbor discovery traffic, otherwise connectivity will break.
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request } \
      limit rate 5/second counter accept comment "Accept IPv6 neighbor discovery traffic"

    # Allow mailserver input connections without restriction
    tcp dport { imap2, imaps, smtp, submission } counter accept comment "Accept SMTP, IMAP, SMTPS, IMAPS without restriction"

    # Drop all other incoming traffic.
    counter drop comment "Drop all other incoming traffic"
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    counter drop comment "Drop forwarded packets since this isn't a router"
  }

  chain output {
    type filter hook output priority 0; policy drop;

    # Accept outgoing traffic to connections we originated.
    ct state established,related counter accept comment "Accept established and related traffic"

    # Accept localhost traffic.
    oif lo counter accept comment "Accept localhost traffic"

    # Drop invalid state packets.
    ct state invalid counter drop comment "Drop invalid state packets"

    # Allow new outgoing UDP and TCP packets to port 53 for DNS resolution during
    # testing. Enables URL's to resolve if you block traffic to your own country.
    meta l4proto { udp, tcp } @th,16,16 53 ct state new counter accept comment "Allow new DNS out"

    # Reject outgoing IPv4 packets to destination address ranges (elements) in the
    # geo-inet4 set. Outgoing packets are rejected rather than dropped to prevent
    # local apps and clients from having to wait for the connection to time out.
    #ip daddr @geo-inet4 counter reject comment "Reject destination addresses in set geo-inet4"

    # Reject outgoing IPv6 packets to destination address ranges (elements) in the
    # geo-inet6 set. Outgoing packets are rejected rather than dropped to prevent
    # local apps and clients from having to wait for the connection to time out.
    #ip6 daddr @geo-inet6 counter reject comment "Reject destination addresses in set geo-inet6"

    # Allow outgoing HTTP/HTTPS packets.
    meta l4proto { tcp, udp } @th,16,16 { http, https } counter accept comment "Allow outgoing HTTP/HTTPS packets"

    # Allow mailserver input connections without restriction
    tcp sport { imap2, imaps, smtp, submission } counter accept comment "accept SMTP, IMAP, SMTPS, IMAPS"

    # Drop all other outgoing traffic.
    counter drop comment "Drop all other outgoing traffic"
  }

}

# Include the refill-sets.nft script at the end of your nftables.conf file to
# fill empty geolocation sets during system startup. The filename includes an
# asterisk to allow nftables to load in case the file isn't found. Uncomment the
# next line after your refill-sets.nft script is manually tested and working.
include "/etc/nftables/geo-nft/*refill-sets.nft"

At first, I had a problem to connect to SSH from my local network. Entering ip saddr 192.168.0.0/16 tcp dport 1926 counter accept comment "Accept SSH on port 1926 from local network" solved the problem.
Apart from that, I notice the following problems:

• Impossible to establish HTTP/HTTPS connection ;
• I can connect to my mailserver, but no message can circulate on it, every try became a fail.

I wonder there is something I do wrong, but couldn't understand what - my knowledge is too limited...

Do you have any idea of what could help me solving this problem ?

Thank you again for your precious help !

Best regards,

Arnaud

[wirefalls]

I see an issue with your ruleset that might be causing problems. The ingress chain is part of the netdev table, which you removed, so you can also remove the ingress chain. Test to see if things are working after that change. I'll probably remove the netdev table from the Wiki examples since it's confusing for many who may be new to nftables.

HTTP/HTTPS

If HTTP/HTTPS still isn't working, place a basic rule just above the existing HTTP/HTTPS rule in your input chain to allow all Web traffic in to ports 80 and 443. This allows you to verify that the Web server is working with all of your other rules.

# Allow TCP HTTP/HTTPS to ports 80 and 443, for both IPv4 and IPv6.
tcp dport { 80, 443 } counter accept comment "Allow all HTTP/HTTPS to ports 80/443, remove this rule after testing"

Then list your input chain using the command shown in the troubleshooting section below. See if the new HTTP/HTTPS rule that you just added is matching packets.

Also check that your geo-ssh and geo-ssh6 sets have address range elements in them using the commands in the troubleshooting section below.

Mail Server

I don't have any experience with email server rules, but you can check a few general things. Verify that the service names in your email rule are correct, or replace them with the actual port numbers as a test. Also check which ports that your email server is listening to using commands in the troubleshooting section below.

General Note

You'll also want to add rules to protect against port scans and other types of attacks too numerous to list here. Search online for help with that, as I'm not an expert by any means.

Troubleshooting

The following commands can help you troubleshoot your nftables ruleset. They will allow you to see how many packets match each firewall rule that uses a counter. Since you're using both IPv4 and IPv6, the example commands below use the inet table family. Others reading this can replace inet with ip or ip6 if you're using IPv4 only or IPv6 only, respectively.

To list your input chain:

sudo nft list chain inet filter input

To list your output chain:

sudo nft list chain inet filter output

To list the set geo-ssh in table inet filter:

sudo nft list set inet filter geo-ssh

To list the set geo-ssh6 in table inet filter:

sudo nft list set inet filter geo-ssh6

To list all sets in table inet filter:

sudo nft list sets inet filter

To list your entire ruleset including set elements:

sudo nft list ruleset

To list your entire ruleset without displaying set elements:

sudo nft -t list ruleset

---

If you want to see which packets don't match any of the rules in your input chain, add a rule just above the final rule so that it logs some of those packets (with a prefix) to your system log. Then you can grep your system log using the prefix to see which packets don't match your input chain rules. This is the rule to add, which also shows the existing final rule in your input chain:

# Log some of the packets (using a prefix) that don't match any rules in the input chain.
limit rate 3/second log prefix "[nft] input no match: " counter comment "Log and rate limit packets that don't match any input rules"

# Drop all other incoming traffic.
counter drop comment "Drop all other incoming traffic"

Then grep your system log for a list of packets that don't match any input rules. Substitute the pathname of your system log if different from the example below.

sudo grep -i -F '[nft] input no match:' /var/log/syslog

You can also add a similar rule to other chains, changing 'input' in the prefix to match the chain name.

---

Another good troubleshooting tip is to list all of the ports that your server is listening to, so that you can verify that your firewall rules match those ports, and protect all of them.

sudo netstat -ltup

You can print service names instead of port numbers by adding the -n flag.

sudo netstat -lntup

Nmap can also be used to give information about your server ports.

sudo nmap -n -PN -sT -sU -p- localhost

---

If you find iptables firewall rules online that you would like to use with nftables, you can sometimes convert those rules to nftables format automatically using the iptables-tranlate or ip6tables-translate tools.

Hopefully that gets you going in the right direction. Thanks.

[Arnaudduluoz]

Dear @wirefalls,

Thank you very much for your help. Thanks to your recommendations, things are going better. Thanks to logging, I have been able to find that local connections to HTTP/HTTPS from my router were blocked, so I wrote a special rule which solved it. I have removed the "chain ingress" block. I also decided to set up a special set in order to ban connexions from certain countries from connexions on my mailserver. Thanks to logging, I noticed that my server was trying to connect 5353 and 5355 and that allowing such connexions improve its speed in treating emails, so I decided to create a special rule for that (I hope it is not a bad idea).

Now, everything works quite well for input for HTTP/HTTPS as well as for IMAP/IMAPS/SUBMISSION/SMTP. I have tried to connect from foreign countries through a VPN connexion and it appears that thanks to your software and help, it works pretty well.

Unfortunately, I have not been able, till then, to get the same results regarding the output section. For some reason I must figure out thanks to your directives, something is wrong and all of my connexions from my server are blocked (I can't even ping). For now, I decided to remove the whole output section, thinking that there are not big risks doing that since I know what is installed on my server. But I think I have to do better and will take some time next week to do some more testing.

For now, and if it can help someone, here is my current nftables.conf file:

#!/usr/sbin/nft -f
flush ruleset

# Add an inet table to allow both IPv4 and IPv6 traffic.
table inet filter {

# Define empty set to store IPv4 country code specific address ranges for SSH/HTTP/HTTPS.
  set geo-ssh {
	type ipv4_addr
	flags interval
	# Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
  }

# Define empty set to store IPv6 country code specific address ranges for SSH/HTTP/HTTPS.
  set geo-ssh6 {
	type ipv6_addr
	flags interval
	# Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
  }

# Define empty set to store IPv4 country code specific address ranges for IMAP2/IMAPS/SUBMISSION/SMTP.
  set geo-imap2 {
        type ipv4_addr
        flags interval
        # Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
  }

# Define empty set to store IPv6 country code specific address ranges for IMAP2/IMAPS/SUBMISSION/SMTP.
  set geo-imap26 {
        type ipv6_addr
        flags interval
        # Elements for this set are defined in /etc/nftables/geo-nft/refill-sets.conf
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # Accept incoming traffic from connections we originated.
    ct state established,related counter accept comment "Accept established and related traffic"

    # Accept localhost traffic.
    iif lo counter accept comment "Accept localhost traffic"

    # Drop invalid state packets.
    ct state invalid counter drop comment "Drop invalid state packets"

    # Accept HTTP//HTTPS on ports 80 & 43
    ip saddr @geo-ssh tcp dport { http, https } ct state new counter accept comment "Accept HTTP/HTTPS on ports 80,443 from addresses in set @geo-ssh"
    ip6 saddr @geo-ssh6 tcp dport { http, https } ct state new counter accept comment "Accept HTTP/HTTPS on ports 80,443 from addresses in set @geo-ssh6"
    ip saddr 192.168.0.0/16 tcp dport { http, https } ct state new counter accept comment "Accept SSH on port HTTP/HTTPS from local network"

    # Accept SSH on port 1926.
    ip saddr @geo-ssh tcp dport 1926 counter accept comment "Accept SSH on port 1926 from addresses in set @geo-ssh"
    ip6 saddr @geo-ssh6 tcp dport 1926 counter accept comment "Accept SSH on port 1926 from addresses in set @geo-ssh6"
    ip saddr 192.168.0.0/16 tcp dport 1926 counter accept comment "Accept SSH on port 1926 from local network"

    # Accept mDNS & bonjour
    ip saddr 192.168.0.0/16 udp dport 5353 counter accept comment "Accept mDNS from local network"
    ip saddr 192.168.0.0/16 udp dport 5355 counter accept comment "Accept mDNS from local network"

    # Accept ICMP traffic.
    ip protocol icmp limit rate 5/second counter accept comment "Accept ICMP traffic"

    # Accept IGMP traffic.
    ip protocol igmp limit rate 5/second counter accept comment "Accept IGMP traffic"

    # Accept IPv6 neighbor discovery traffic, otherwise connectivity will break.
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request } \
      limit rate 5/second counter accept comment "Accept IPv6 neighbor discovery traffic"

    # Drop certain connections on mailserver then allow other input connections
    ip saddr @geo-imap2 tcp dport { imap2, imaps, submission, smtp } counter drop comment "Drop SMTP, IMAP, SMTPS, IMAPS from certain countries"
    ip6 saddr @geo-imap26 tcp dport { imap2, imaps, submission, smtp } counter drop comment "Drop SMTP, IMAP, SMTPS, IMAPS from certain countries"
    tcp dport { imap2, imaps, submission, smtp } counter accept comment "Accept SMTP, IMAP, SMTPS, IMAPS without restriction"

    # Log some of the packets (using a prefix) that don't match any rules in the input chain (debug mode)
    limit rate 3/second log prefix "[nft] input no match: " counter comment "Log and rate limit packets that don't match any input rules"

    # Drop all other incoming traffic.
    counter drop comment "Drop all other incoming traffic"
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    counter drop comment "Drop forwarded packets since this isn't a router"
  }

}

# Include the refill-sets.nft script at the end of your nftables.conf file to
# fill empty geolocation sets during system startup. The filename includes an
# asterisk to allow nftables to load in case the file isn't found. Uncomment the
# next line after your refill-sets.nft script is manually tested and working.
include "/etc/nftables/geo-nft/*refill-sets.nft"
include "/etc/nftables/fail2ban.conf"

Thanks again for your help. I really appreciate that you take so much time to help a newbie.
Best,

Arnaud

[wirefalls]

I'm glad that you were able to get things working. One thing I would recommend for your ruleset is to add an asterisk '*' to your fail2ban.conf filename that you include at the end of the ruleset. That will allow nftables to load if the fail2ban.conf file is not found. Good luck with your testing next week and thanks for sharing your results. If you find Geolocation for nftables useful, please consider giving the project a star at the top of the main project page. Thanks.