Linux Netfilter discussions
 help / color / mirror / Atom feed
From: Randy Bush <randy@psg.com>
To: "Kerin Millar" <kfm@plushkava.net>
Cc: netfilter@vger.kernel.org
Subject: Re: prefix len confusion
Date: Tue, 09 Jun 2026 18:32:36 -0700	[thread overview]
Message-ID: <m2zf1318p7.wl-randy@psg.com> (raw)
In-Reply-To: <6fcf67b9-4fee-4b1c-85f1-597afff788ba@app.fastmail.com>

>> sorry for being insufficiently explicit
>>
>> the ssh attacker is getting through to 42.642.11.82, which is a piece of
>> hardware, not a vm.  it is the ssh port of a hardware switch whose
>> security profile i prefer not to expose to attackers.
>>
>>     define VULN4 = {
>> 	42.642.11.34/31,
>> 	42.642.11.36/31,
>> 	42.642.11.40/29,
>> 	42.642.11.48/29,
>> 	42.642.11.80/30   # <<<====
>>     }
>>
>>         ip daddr $VULN4 drop

> 
> In that case, the question becomes one of whether your nftables host
> is responsible for forwarding packets to "42.642.11.82" (as you put
> it) at all. And, just as importantly, from which source address.

the nftables is on the border router.  and traceroute showed the path
in.

the sources of the attacks are a ddos, /82 logs the ssh attack as from a
jillion source addresses.

> Try incorporating the following table into your existing ruleset.
> 
> table ip raw {
>     chain PREROUTING {
>         type filter hook prerouting priority raw;
>         ip daddr 42.642.11.82 tcp dport 22 meta nftrace set 1
>     }
> }
> 
> 
> Next, run "nft monitor trace".

sure, if only because i will learn a new hack :)

> If you do see output, study it, for it will conclusively show how the
> packets traverse your ruleset and why they are being accepted.

that would be lovely!!

thank you.  will report back.

randy

  reply	other threads:[~2026-06-10  1:32 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-10  0:10 prefix len confusion Randy Bush
2026-06-10  0:51 ` Kerin Millar
2026-06-10  1:01   ` Randy Bush
2026-06-10  1:26     ` Kerin Millar
2026-06-10  1:32       ` Randy Bush [this message]
2026-06-10  1:38         ` Kerin Millar
2026-06-10  6:20     ` Reindl Harald
2026-06-10 10:09       ` Kerin Millar

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=m2zf1318p7.wl-randy@psg.com \
    --to=randy@psg.com \
    --cc=kfm@plushkava.net \
    --cc=netfilter@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox