From: Randy Bush <randy@psg.com>
To: netfilter@vger.kernel.org
Subject: prefix len confusion
Date: Tue, 09 Jun 2026 17:10:47 -0700	[thread overview]
Message-ID: <m233yv2r20.wl-randy@psg.com> (raw)

[ old dog but new to this list.  apologies for fleas ]

amd64 hardware, not vm
debian 13, very current
nftables v1.1.3 (Commodore Bullmoose #4)

tl;dr:
  o ipv4 ssh dict attacker getting through
  o i am not an nftables guru; but a few of us have stared at this
    for many days
  o do i not understand cidr prefix notation?

essentially, i am seeing the traditional ssh dictionary attack against
42.642.11.82, when i think i am filtering 42.642.11.80/30, which should
cover 42.642.11.82

the attack sources, at least as logged, are not within the allowed $JUMP
or other allow lists

the equivalent of this is happening in more than one pop

here is an anonymized copy of `/etc/nftables.conf`.  i hope the ip addy
mangling did not screw things up.  sorry for the length.

randy

#!/usr/sbin/nft -f

# Loaded with `nft -f`. `flush ruleset` removes every existing table in every
# family first, so the live ruleset becomes exactly what is declared below.
flush ruleset

# Upstream (WAN) interface. Only packets arriving on it are sent to the
# wan-in chains; everything else is treated as LAN-side.
define IFACE = enp4s0f1

# JUMP4: IPv4 sources accepted unconditionally on WAN ingress (ip wan-in).
# 42.642.11.0/24 is also listed in BOGONS4, which wan-in checks first, so
# that entry cannot match there.
define JUMP4 = {
    42.642.11.0/24,
    42.642.12.0/24,
    42.666.0.0/23
}

# JUMP6: IPv6 sources accepted unconditionally on WAN ingress (ip6 wan-in).
define JUMP6 = {
    2001:841:1::0/48,
    2001:841:3806::0/48,
    2001:841:8006::0/48
}

# EXTv4: external point-to-point blocks accepted as source on WAN ingress.
# Both /30s are repeated in INTv4.
define EXTv4 = {
    238.224.157.204/30,   # .204-.207
    250.12.129.20/30      # .20-.23
}

# EXTv6: external point-to-point blocks accepted as source on WAN ingress.
# Both /126s are repeated in INTv6.
define EXTv6 = {
    2001:841:3800:5000::/126,     # ::0-::3
    2001:841:3800:5000::20/126    # ::20-::23
}

# INTv4: sources accepted in the forward chain when the packet did NOT arrive
# on $IFACE (LAN side). Union of the LAN /24 and the two EXTv4 blocks.
define INTv4 = {
    42.642.11.0/24,
    238.224.157.204/30,
    250.12.129.20/30
}

# INTv6: sources accepted in the ip6 forward chain when the packet did NOT
# arrive on $IFACE (LAN side). Union of the LAN /48 and the two EXTv6 blocks.
define INTv6 = {
    2001:841:7830::0/48,
    2001:841:3800:5000::/126,     # NTT
    2001:841:3800:5000::20/126    # NTT
}

# BOGONS4: sources dropped first on WAN ingress. Besides RFC1918/loopback/
# link-local space this includes the LAN prefix 42.642.11.0/24, so WAN
# packets claiming a LAN source are discarded (anti-spoofing).
define BOGONS4 = {
    10.0.0.0/8,
    42.642.11.0/24,
    127.0.0.0/8,
    169.254.0.0/16,
    172.16.0.0/12,
    192.168.0.0/16
}

# BOGONS6: sources dropped first on ip6 WAN ingress (unspecified, loopback,
# v4-mapped/compatible, documentation, ULA, link/site-local, multicast, ...).
# Unlike BOGONS4 this list does not contain the site's own /48.
define BOGONS6 = {
    ::/128, ::1/128,
    ::/96, ::ffff:0:0/96,
    100::/64,
    2001:10::/28, 2001:db8::/32,
    3fff::/20,
    fc00::/7,
    fe80::/10, fec0::/10,
    ff00::/8
}

# SNMP: sources allowed to reach udp/tcp port snmp on WAN ingress.
# Entries without a prefix length are single hosts.
define SNMP = {
    42.642.11.9,
    42.642.11.17,
    250.32.129.0/24,
    250.42.129.0/26    # .0-.63
}

# VULN4: destinations dropped on WAN ingress (ip wan-in, `ip daddr $VULN4 drop`).
# Host ranges covered by each prefix are noted; .82 falls inside the last one.
# That drop is only consulted for *forwarded* packets whose source was not
# already accepted earlier in wan-in.
define VULN4 = {
    42.642.11.34/31,   # .34-.35
    42.642.11.36/31,   # .36-.37
    42.642.11.40/29,   # .40-.47
    42.642.11.48/29,   # .48-.55
    42.642.11.80/30    # .80-.83   <<<====
}

# PROX4: destinations whose tcp/8006 (Proxmox web UI) is dropped on WAN ingress.
define PROX4 = {
    42.642.11.30/31,   # .30-.31
    42.642.11.32/32    # .32 only
}
    
# PROX6: destinations whose tcp/8006 (Proxmox web UI) is dropped on ip6 WAN ingress.
define PROX6 = {
    2001:841:7830::30/127,   # ::30-::31
    2001:841:7830::32/128    # ::32 only
}

# IPv4 filtering. Only the *forward* hook is attached, so these rules see
# routed traffic. Packets addressed to this host itself traverse the input
# hook, for which no chain exists here, and bridged traffic does not pass
# the ip forward hook at all unless bridge netfilter is enabled.
# NOTE(review): if 42.642.11.82 is an address of this box, or a guest reached
# over a bridge rather than routed, `ip daddr $VULN4 drop` below is never
# consulted for that traffic — confirm how .82 is reached (adding `counter`
# to that rule shows whether it is ever hit).
table ip filter {
    chain forward {
        # No explicit policy, so the chain policy is accept; the trailing
        # `drop` is what actually terminates unmatched traffic.
        type filter hook forward priority filter;
        iifname "lo" accept          # loopback is never a forwarding ingress; effectively a no-op
        ip protocol icmp accept      # all forwarded ICMP, before any source/destination check
        iifname $IFACE goto wan-in   # WAN ingress; goto does not return to this chain
        # anything else arrived on a LAN-side interface
        ip saddr $INTv4 accept
        drop
    }
    chain wan-in {
        ip saddr $BOGONS4 drop       # includes 42.642.11.0/24: WAN packets spoofing the LAN prefix end here
        ip protocol icmp accept      # ICMP to $PROX4/$VULN4 destinations remains allowed
        ip saddr $JUMP4 accept       # JUMP4's 42.642.11.0/24 entry cannot match here (dropped as a bogon above)
        ip saddr $EXTv4 accept       # trusted sources are accepted before any daddr checks
        tcp dport 8006 ip daddr $PROX4 drop   # block proxmox web login
        # 42.642.11.80/30 = .80-.83, so .82 is inside the prefix. Only reached
        # for forwarded packets whose source was not accepted above.
        ip daddr $VULN4 drop
        udp dport snmp ip saddr $SNMP accept
        tcp dport snmp ip saddr $SNMP accept
        udp dport { 111, 425, 137, 138, 139, 161, 445, 514, 515, 11211 } drop   # 631 is in the ip6 list but not here
        tcp dport { 111, 135, 137, 138, 139, 161, 445, 514, 515, 11211 } drop
        accept                       # default for WAN ingress: everything not matched above is allowed
    }
}

# IPv6 filtering, mirroring the ip table above: forward hook only, no input
# chain, so locally delivered packets are not filtered by this table.
# There is no ip6 counterpart to `ip daddr $VULN4 drop`.
table ip6 filter {
    chain forward {
        # No explicit policy (accept); the trailing `drop` terminates
        # unmatched traffic.
        type filter hook forward priority filter;
        iifname "lo" accept           # loopback is never a forwarding ingress; effectively a no-op
        ip6 nexthdr icmpv6 accept     # matches only when ICMPv6 is the first next header (no extension headers in between)
        iifname $IFACE goto wan-in    # WAN ingress; goto does not return to this chain
        # anything else arrived on a LAN-side interface
        ip6 saddr $INTv6 accept
        drop
    }
    chain wan-in {
        ip6 saddr $BOGONS6 drop       # BOGONS6 does not include the site's own /48, unlike BOGONS4
        ip6 nexthdr icmpv6 accept
        ip6 saddr $JUMP6 accept       # trusted sources are accepted before any daddr checks
        ip6 saddr $EXTv6 accept
        tcp dport 8006 ip6 daddr $PROX6 drop   # block proxmox web login
        udp dport { 111, 425, 137, 138, 139, 161, 445, 514, 515, 631, 11211 } drop   # 631 present here but not in the ip table
        tcp dport { 111, 135, 137, 138, 139, 161, 445, 514, 515, 631, 11211 } drop
        accept                        # default for WAN ingress: everything not matched above is allowed
    }
}
