My ISP web site is blocked

[Harpper]

I have not noticed this with any other web sites but when I have geo-nft enabled to block traffic from Russia,China and Iran my canadian ISP web site is blocked. When I disable geo-nft the web site is avaialble. I can however access the site (geo-nft enabled )through TOR browser. The web site is teksavvy.com. Here is my config
`#!/usr/bin/nft -f

flush ruleset

Include all country code set files to make things easier to configure.

nftables >= v0.9.4 can include all sets with: include "/etc/nftables/geo-nft/countrysets/*"

include "/etc/nftables/geo-nft/include-all.ipv4"
include "/etc/nftables/geo-nft/include-all.ipv6"

table netdev filter {

set geo-netdev4 {
type ipv4_addr
flags interval
# Add IPv4 country code elements for the United States and Great Britain.
elements = { $IR.ipv4, $RU.ipv4, $CN.ipv4 }
}

set geo-netdev6 {
type ipv6_addr
flags interval
# Add IPv6 country code elements for the United States, Great Britain and Antarctica.
elements = { $IR.ipv6, $RU.ipv6, $CN.ipv6 }
}

chain ingress {
# Replace <device_name> below with the name of your WAN network interface from "ifconfig".
type filter hook ingress device enp2s0 priority 0; policy accept;
# Count and drop IPv4 traffic from the United States and Great Britain.
ip saddr @geo-netdev4 counter drop
# Count IPv6 traffic from the United States, Great Britain and Antarctica.
ip6 saddr @geo-netdev6 counter drop
}
}

Your other ruleset content here...

drop Iran Russia and China`

[wirefalls]

Hello,

I would need to see all of your nftables.conf file to see what's wrong, but it looks like you have some configuration problems. Check the rules in your output chain to see if traffic is blocked to your country or site. Also, there shouldn't be any set elements defined in the nftables.conf file, that should be done in the /etc/nftables/geo-nft/refill-sets.conf file per the setup instructions in the Installation Guide and the User Guide. Defining set elements in your nftables.conf file can prevent nftables from loading if any of the country set files are not found, so it's not recommended. If you could post your full nftables.conf file that would help the troubleshooting process. I'm going to convert this Issue to a discussion after you read this and respond so that we can continue to discuss the configuration problems. Thanks.

[Harpper]

#!/usr/bin/nft -f

flush ruleset

Include all country code set files to make things easier to configure.

nftables >= v0.9.4 can include all sets with: include "/etc/nftables/geo-nft/countrysets/*"

include "/etc/nftables/geo-nft/include-all.ipv4"
include "/etc/nftables/geo-nft/include-all.ipv6"

table netdev filter {

set geo-netdev4 {
type ipv4_addr
flags interval
# Add IPv4 country code elements for the United States and Great Britain.
elements = { $IR.ipv4, $RU.ipv4, $CN.ipv4 }
}

set geo-netdev6 {
type ipv6_addr
flags interval
# Add IPv6 country code elements for the United States, Great Britain and Antarctica.
elements = { $IR.ipv6, $RU.ipv6, $CN.ipv6 }
}

chain ingress {
# Replace <device_name> below with the name of your WAN network interface from "ifconfig".
type filter hook ingress device enp2s0 priority 0; policy accept;
# Count and drop IPv4 traffic from the United States and Great Britain.
ip saddr @geo-netdev4 counter drop
# Count IPv6 traffic from the United States, Great Britain and Antarctica.
ip6 saddr @geo-netdev6 counter drop
}
}

Your other ruleset content here...

drop Iran Russia and China

That's the entire nfttables.config file

[wirefalls]

I would recommend creating an nftables.conf file with a main inet table in addition to the netdev table so that you can add logging rules to help with troubleshooting. You can start with the example IPv4-IPv6 ruleset in the wiki. Additionally, I would recommend setting it up and testing per the instructions in the Installation Guide and User Guide. Thanks.

[Harpper]

For the time being I have removed geo-nft. I will try reinstalling at a later time. It might be helpful to publish uninstall directions on the wiki for failed installs. I was left following instructions I found on another thread for a different version than I had

Edit:Found the uninstall directions on the installation page directions. I will try installing again later. Thanks the service is useful

[Harpper]

OK after the uninstall I tried installing again and this time had good results. I followed the directions more carefully and even added a rule to nftables.conf that allows one of my wireless devices to work (it is dependent on ports 9000 and 3483. I added these rules:

`# Accept LMS on port 9000.
tcp dport 9000 counter accept comment "Accept LMS on port 9000"

# Accept LMS on port 3483.
 tcp dport 3483 counter accept comment "Accept LMS on port 3483"

`

However I can not seem to get it to work with SAMBA connections. I tried these rules in nftables.conf :

` # Accept SAMBA on port 137
udp dport 137 counter accept comment "Accept SAMBA on port 137"

# Accept SAMBA on port 138
 udp dport 138 counter accept comment "Accept SAMBA on port 138"

# Accept SAMBA on port 139
 tcp dport 139 counter accept comment "Accept SAMBA on port 139"

# Accept SAMBA on port 445
 tcp dport 445 counter accept comment "Accept SAMBA on port 445"`

[wirefalls]

I don't have any experience setting up a Samba share. However, the ArchWiki is a great resource to check for example rules for services such as Samba/smbd/nmbd.

https://wiki.archlinux.org/title/Nftables#Server

Add a counter to any rules that don't have one so that you can see if they're matching traffic. Once everything is working you can remove the counters if you no longer need them.

[Harpper]

Thanks for that but it appeared to be simply a matter of turning off GUFW