* nftables static routing fails
@ 2020-01-13 21:13 david NEW
2020-01-13 21:28 ` Daniel
2020-01-13 21:40 ` Florian Westphal
0 siblings, 2 replies; 5+ messages in thread
From: david NEW @ 2020-01-13 21:13 UTC (permalink / raw)
To: netfilter
hi,
I am trying to route blocked ip set to IP:8080 where is info about "you
have been blocked"
table ip raw {
set bad_ip {'
type ipv4_addr
elements = { xxx.xxx.xxx.xxx }
}
chain prerouting {
type filter hook prerouting priority -500; policy accept;
nft add raw preroute ip saddr @bad_ip tcp dport { 80, 443 } ip
daddr set xxx.xxx.xxx.xxx tcp dport set 8080 notrack
}
}
netfilter doesn't complain about this rule but nothing
happens...connection timed out and nothing happened. I see no errors in
Apache2 logs.
I can see connection attempt in tcpdump but it is not redirected.
any suggestion, please?
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: nftables static routing fails
2020-01-13 21:13 nftables static routing fails david NEW
@ 2020-01-13 21:28 ` Daniel
2020-01-13 21:40 ` Florian Westphal
1 sibling, 0 replies; 5+ messages in thread
From: Daniel @ 2020-01-13 21:28 UTC (permalink / raw)
To: netfilter
Le 13/01/2020 à 22:13, david NEW a écrit :
> hi,
>
> I am trying to route blocked ip set to IP:8080 where is info about
> "you have been blocked"
>
> table ip raw {
> set bad_ip {'
> type ipv4_addr
> elements = { xxx.xxx.xxx.xxx }
> }
>
> chain prerouting {
>
> type filter hook prerouting priority -500; policy accept;
> nft add raw preroute ip saddr @bad_ip tcp dport { 80, 443 } ip
> daddr set xxx.xxx.xxx.xxx tcp dport set 8080 notrack
> }
>
> }
>
> netfilter doesn't complain about this rule but nothing
> happens...connection timed out and nothing happened. I see no errors
> in Apache2 logs.
>
> I can see connection attempt in tcpdump but it is not redirected.
>
> any suggestion, please?
With nft 0.8.2 I could'nt make redirect working, I used dnat insteed.
--
Daniel
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: nftables static routing fails
2020-01-13 21:13 nftables static routing fails david NEW
2020-01-13 21:28 ` Daniel
@ 2020-01-13 21:40 ` Florian Westphal
2020-01-13 21:59 ` david NEW
1 sibling, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2020-01-13 21:40 UTC (permalink / raw)
To: david NEW; +Cc: netfilter
david NEW <david@hajes.org> wrote:
> hi,
>
> I am trying to route blocked ip set to IP:8080 where is info about "you have
> been blocked"
>
> table ip raw {
> set bad_ip {'
> type ipv4_addr
> elements = { xxx.xxx.xxx.xxx }
> }
>
> chain prerouting {
>
> type filter hook prerouting priority -500; policy accept;
> nft add raw preroute ip saddr @bad_ip tcp dport { 80, 443 } ip daddr set
> xxx.xxx.xxx.xxx tcp dport set 8080 notrack
> }
>
>
> netfilter doesn't complain about this rule but nothing happens...connection
> timed out and nothing happened. I see no errors in Apache2 logs.
>
> I can see connection attempt in tcpdump but it is not redirected.
How do you know from tcpdump? tcpdump occurs before port rewrite.
You should see syn to foo:80, then a syn-ack from xxx.xxx.xxx.xxx:8080.
As original client connected to foo:80, the syn-ack is dropped on client
side.
You need to add a reverse xlate rule if you really want this, or use
normal redirect via nat.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: nftables static routing fails
2020-01-13 21:40 ` Florian Westphal
@ 2020-01-13 21:59 ` david NEW
2020-01-13 22:33 ` Florian Westphal
0 siblings, 1 reply; 5+ messages in thread
From: david NEW @ 2020-01-13 21:59 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter
I did run "tcpdump port 80" where I saw incoming packet. Then repeated
process but watching port 8080 this time but no packets have been
captured. I assumed it never went through.
I have never worked with tcpdump before so there may be some mistakes on
my side.
I do not know what is "reverse xlate rule" - can you show me how would
you write this rule, please?
I do not care how it is written as long as netfilter rule checks source
address (from set) that asks for connection to port 80, 443...and
redirects it to IP:8080 where web server error page awaits.
It is ip or cidr set/list of repeated attackers from netfilter log but I
run "commercial" web site and I wanna inform blocked people who may be
legit vistiors.
Sadly, IPv4 blocking is joke and most Internet users are unaware that
they became part of botnet and their shared IP is blocked.
On 13/01/2020 22:40, Florian Westphal wrote:
> david NEW <david@hajes.org> wrote:
>> hi,
>>
>> I am trying to route blocked ip set to IP:8080 where is info about "you have
>> been blocked"
>>
>> table ip raw {
>> set bad_ip {'
>> type ipv4_addr
>> elements = { xxx.xxx.xxx.xxx }
>> }
>>
>> chain prerouting {
>>
>> type filter hook prerouting priority -500; policy accept;
>> nft add raw preroute ip saddr @bad_ip tcp dport { 80, 443 } ip daddr set
>> xxx.xxx.xxx.xxx tcp dport set 8080 notrack
>> }
>>
>>
>> netfilter doesn't complain about this rule but nothing happens...connection
>> timed out and nothing happened. I see no errors in Apache2 logs.
>>
>> I can see connection attempt in tcpdump but it is not redirected.
> How do you know from tcpdump? tcpdump occurs before port rewrite.
>
> You should see syn to foo:80, then a syn-ack from xxx.xxx.xxx.xxx:8080.
>
> As original client connected to foo:80, the syn-ack is dropped on client
> side.
>
> You need to add a reverse xlate rule if you really want this, or use
> normal redirect via nat.
^ permalink raw reply [flat|nested] 5+ messages in thread* Re: nftables static routing fails
2020-01-13 21:59 ` david NEW
@ 2020-01-13 22:33 ` Florian Westphal
0 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2020-01-13 22:33 UTC (permalink / raw)
To: david NEW; +Cc: Florian Westphal, netfilter
david NEW <david@hajes.org> wrote:
> I did run "tcpdump port 80" where I saw incoming packet. Then repeated
> process but watching port 8080 this time but no packets have been captured.
> I assumed it never went through.
>
> I have never worked with tcpdump before so there may be some mistakes on my
> side.
>
> I do not know what is "reverse xlate rule" - can you show me how would you
> write this rule, please?
It won't work for your use case.
> I do not care how it is written as long as netfilter rule checks source
> address (from set) that asks for connection to port 80, 443...and redirects
> it to IP:8080 where web server error page awaits.
Use nat + redirect.
Stateless nat only works for simple use cases, like this for instance:
table inet crap {
chain prerouting {
type filter hook prerouting priority -500; policy accept;
ip saddr 192.168.7.10 tcp dport { 80, 443 } ip daddr set 192.168.0.7 tcp dport set 8080 notrack
}
chain output {
type route hook output priority -500; policy accept;
tcp sport 8080 tcp sport set 80 ip saddr set 192.168.7.1
}
}
This works, client connects to 192.168.7.1 80, but really talks to 192.168.0.7:8080.
The output rule is needed to reverse translate 192.168.0.7 to 192.168.7.1 and 8080 to 80.
Without it, you get
192.168.7.10.39472 > 192.168.7.1.80: Flags [S], seq 16468682, win 64..
192.168.0.7.8080 > 192.168.7.10.39472: Flags [S.], seq 47272, ack 16468683, win 65 ..
192.168.7.10.39472 > 192.168.0.7.8080: Flags [R], seq 16468683
In your case, you don't have the original address anymore so you can't create the reverse rule.
table ip nat {
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
ip saddr @bad tcp dport { 80, 443 } redirect to :8080
}
}
will work because conntrack/nat handles the reverse translation.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2020-01-13 22:33 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-01-13 21:13 nftables static routing fails david NEW
2020-01-13 21:28 ` Daniel
2020-01-13 21:40 ` Florian Westphal
2020-01-13 21:59 ` david NEW
2020-01-13 22:33 ` Florian Westphal
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox