Firewall blocks whe using two tables in nftables

Issues related to configuring your network
Post Reply
wmarx
Posts: 1
Joined: 2019/11/22 09:35:34

Firewall blocks whe using two tables in nftables

Post by wmarx » 2019/11/22 10:05:50

Dear all,

i have the problem that my firewall close all ports when i try to use mor than one table in nftables.

As long as i use only one table all work fine. I can login via ssh over all 3 networks.

flush ruleset
add table ip filter
add chain ip filter input { type filter hook input priority 0 ; policy drop ; }
add chain ip filter forward { type filter hook forward priority 0 ; policy drop ; }
add chain ip filter output { type filter hook output priority 0 ; policy accept ; }
add chain ip filter detailrules
add rule ip filter input ct state related,established accept
add rule ip filter input ct state invalid log drop
add rule ip filter input iif lo accept
add rule ip filter input ip protocol icmp accept
add rule ip filter input jump detailrules
add rule ip filter input log prefix "Blocked Traffic IPV4 "
add rule ip filter detailrules ip saddr 192.168.0.0/24 tcp dport 22 accept
add rule ip filter detailrules ip saddr 192.168.56.0/24 tcp dport 22 accept
add rule ip filter detailrules ip saddr 192.168.100.0/24 tcp dport 22 accept


But when i try to use a second table for one of the networks, the firewall blocks all ports.

flush ruleset
add table ip filter
add chain ip filter input { type filter hook input priority 0 ; policy drop ; }
add chain ip filter forward { type filter hook forward priority 0 ; policy drop ; }
add chain ip filter output { type filter hook output priority 0 ; policy accept ; }
add chain ip filter detailrules
add rule ip filter input ct state related,established accept
add rule ip filter input ct state invalid log drop
add rule ip filter input iif lo accept
add rule ip filter input ip protocol icmp accept
add rule ip filter input jump detailrules
add rule ip filter input log prefix "Blocked Traffic IPV4 "
add rule ip filter detailrules ip saddr 192.168.0.0/24 tcp dport 22 accept
add rule ip filter detailrules ip saddr 192.168.56.0/24 tcp dport 22 accept
add table ip hrz
add chain ip hrz input_hrz { type filter hook input priority 20 ; policy drop ; }
add rule ip hrz input_hrz ip protocol icmp accept
add rule ip hrz input_hrz ct state related,established accept
add rule ip hrz input_hrz ip saddr 192.168.100.0/24 tcp dport 22 accept

Has anyone an idea where my failure or missunderstanding is?

Post Reply