What do these nftables rules do?

SpongeB0B

Hi everyone,
In my nft ruleset I've created (this is an extract):

Code:
table ip Tip {
    chain chIN {
        type filter hook input priority 0; policy drop;
        # replies to traffic this host initiated
        ct state established,related accept
        # loopback addresses must never arrive on a real interface
        iif != lo ip daddr 127.0.0.0/8 drop
        iifname lo accept
    }
    chain chOUT {
        type filter hook output priority 0; policy drop;
        udp dport 53 accept
        tcp dport { 80, 443 } accept
        ct state established,related accept
        # locally generated packets have no input interface, so 'iifname lo'
        # can never match in the output hook; match the output interface instead
        oifname lo accept
    }
}
So quite tight rules.

But I have installed a piece of software that additionally adds these rules after mine:
Code:
table inet mangle {
    chain output {
        # priority mangle (-150) runs before the priority 0 chains above
        type route hook output priority mangle; policy accept;
        # hand new/related outbound packets to NFQUEUE 0; 'bypass' accepts them if nothing listens there
        ct state related,new queue num 0 bypass
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        # same for inbound UDP with source port 53 (a nameserver's answer is sent from port 53)
        udp sport 53 queue num 0 bypass
    }
}

Since the policy is set to accept, I guess it opens up ALL traffic on inet (IPv4 & IPv6) regardless of my rules? Right?


I'm still looking into what this rule does:

Code:
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        udp sport 53 queue num 0 bypass
    }
}
From what I could gather, this lets all traffic in, is that correct?
Incoming and outgoing packets from source port udp/53, but most modern nameservers use a random high source port nowadays, so this rule is most likely no longer necessary.
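Added example, not code from this thread or from the software that installed the extra chains: a small Python model of how Netfilter walks the nftables base chains registered on one hook, run against the two rulesets posted above (the question in the first two posts and the sport 53 rule discussed in the reply). It encodes the semantics from nft(8): base chains on a hook run in ascending priority order (mangle is -150, filter is 0; the relative order of two chains with the same priority should not be relied on); accept ends only the current chain, the packet still goes through every later base chain on that hook; drop is final; 'queue num 0 bypass' hands the packet to whatever is bound to NFQUEUE 0 and accepts it if nothing is bound; a table of family ip only sees IPv4 while inet sees IPv4 and IPv6; and in the output hook a locally generated packet has no input interface, so 'iifname lo' never matches there. The interface names, addresses, ports and the queue-0 "listener" are constructed sample input.

```python
"""Added model of how Netfilter walks the nftables base chains on one hook, applied to
the rulesets posted in this thread. Not nft code; all packets below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

ACCEPT, DROP = "accept", "drop"
PRIO = {"mangle": -150, "filter": 0}   # nft's symbolic hook priorities

@dataclass
class Pkt:
    hook: str                  # "input" or "output"
    family: str                # "ip" (IPv4) or "ip6"
    proto: str                 # "tcp" or "udp"
    ct: str                    # conntrack state: new / established / related
    iif: Optional[str] = None  # locally generated packets have no input interface
    oif: Optional[str] = None
    daddr: str = "192.0.2.10"  # constructed sample address
    sport: int = 0
    dport: int = 0

@dataclass
class Chain:
    family: str      # "ip" sees IPv4 only, "inet" sees IPv4 and IPv6
    table: str
    name: str
    hook: str
    priority: int
    policy: str
    rules: list      # [(match predicate, verdict)], verdict "accept"/"drop"/("queue", num, bypass)

def evaluate(chains, pkt, listeners=None):
    """Final verdict for pkt plus a per-chain trace (what 'nft monitor trace' would show).
    listeners: {queue number: callable(pkt) -> verdict} for programs bound to NFQUEUE."""
    listeners = listeners or {}
    trace = []
    hooked = [c for c in chains if c.hook == pkt.hook and c.family in ("inet", pkt.family)]
    for ch in sorted(hooked, key=lambda c: c.priority):   # stable sort: ties keep list order
        verdict = next((v for match, v in ch.rules if match(pkt)), ch.policy)
        if isinstance(verdict, tuple):                     # queue num N [bypass]
            _, num, bypass = verdict
            if num in listeners:
                verdict = listeners[num](pkt)              # a userspace accept re-injects the packet
            else:
                verdict = ACCEPT if bypass else DROP       # nobody bound: bypass means accept
        trace.append((f"{ch.family} {ch.table} {ch.name}", verdict))
        if verdict == DROP:
            return DROP, trace                             # drop is final
        # accept ends this chain only; the next base chain on the hook still runs
    return ACCEPT, trace

def thread_ruleset(output_lo_match: str = "iifname") -> List[Chain]:
    """The poster's 'ip Tip' table plus the two chains the extra software added.
    'iifname' is the chOUT loopback rule as posted, 'oifname' the corrected form."""
    lo_out = (lambda p: p.iif == "lo") if output_lo_match == "iifname" else (lambda p: p.oif == "lo")
    return [
        Chain("ip", "Tip", "chIN", "input", 0, DROP, [
            (lambda p: p.ct in ("established", "related"), ACCEPT),
            (lambda p: p.iif != "lo" and p.daddr.startswith("127."), DROP),
            (lambda p: p.iif == "lo", ACCEPT),
        ]),
        Chain("ip", "Tip", "chOUT", "output", 0, DROP, [
            (lambda p: p.proto == "udp" and p.dport == 53, ACCEPT),
            (lambda p: p.proto == "tcp" and p.dport in (80, 443), ACCEPT),
            (lambda p: p.ct in ("established", "related"), ACCEPT),
            (lo_out, ACCEPT),
        ]),
        Chain("inet", "mangle", "output", "output", PRIO["mangle"], ACCEPT, [
            (lambda p: p.ct in ("related", "new"), ("queue", 0, True)),
        ]),
        Chain("inet", "filter", "input", "input", PRIO["filter"], ACCEPT, [
            (lambda p: p.proto == "udp" and p.sport == 53, ("queue", 0, True)),
        ]),
    ]

def scenarios() -> Dict[str, str]:
    """Final verdicts for constructed packets against the posted rules."""
    rs = thread_ruleset()
    ssh_in4 = Pkt("input", "ip", "tcp", "new", iif="eth0", sport=40000, dport=22)
    ssh_in6 = Pkt("input", "ip6", "tcp", "new", iif="eth0", sport=40000, dport=22)
    dns_reply = Pkt("input", "ip", "udp", "established", iif="eth0", sport=53, dport=51234)
    stray53 = Pkt("input", "ip", "udp", "new", iif="eth0", sport=53, dport=5353)
    https_out = Pkt("output", "ip", "tcp", "new", oif="eth0", sport=51000, dport=443)
    lo_pkt = Pkt("output", "ip", "tcp", "new", oif="lo", daddr="127.0.0.1", sport=51001, dport=8080)
    return {
        # 'policy accept' in inet filter does not override 'policy drop' in ip Tip ...
        "ipv4 ssh in": evaluate(rs, ssh_in4)[0],
        # ... but a family 'ip' table never sees IPv6, so only inet filter (accept) runs
        "ipv6 ssh in": evaluate(rs, ssh_in6)[0],
        # nothing bound to queue 0: bypass accepts in inet filter, ct state accepts in Tip
        "dns reply in": evaluate(rs, dns_reply)[0],
        # same packet with the tie between the two priority-0 input chains reversed
        "dns reply in (other order)": evaluate(list(reversed(rs)), dns_reply)[0],
        # a userspace program bound to queue 0 can still drop what Tip accepted
        "dns reply in (listener drops)": evaluate(rs, dns_reply, {0: lambda p: DROP})[0],
        # unsolicited sport-53 packet: queue bypass accepts it, Tip's policy drops it
        "unsolicited sport 53": evaluate(rs, stray53)[0],
        # output hook: mangle (prio -150) queues first, then chOUT's 'tcp dport 443' accepts
        "https out": evaluate(rs, https_out)[0],
        # 'iifname lo' never matches locally generated output, so chOUT's policy drops it
        "loopback out (iifname)": evaluate(rs, lo_pkt)[0],
        "loopback out (oifname)": evaluate(thread_ruleset("oifname"), lo_pkt)[0],
    }
```

Calling scenarios() gives the answer to the question in the thread: the 'policy accept' in inet filter does not open anything that ip Tip drops, because a drop in any base chain is final and an accept only passes the packet on to the next chain on the hook. The caveat the model makes visible is the opposite one: 'table ip Tip' is IPv4-only, so if the rest of the ruleset has no ip6 or inet table with a drop policy, IPv6 input is untouched by the tight rules and falls through to the 'policy accept' chain. On a real host the same trace can be obtained by putting 'meta nftrace set 1' as the first rule of each base chain and watching 'nft monitor trace'.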
If you are using UFW, you can run
Code:
sudo ufw status verbose
which will tell you the status.
Once you have UFW logging on, you can use the "less" command to check the UFW firewall logs on your system:
Code:
sudo less /var/log/ufw.log