Channel: Debian User Forums

System and Network configuration • nftables script - configuration - errors

I'm running Debian and I've made the switch from iptables to nftables.
Unfortunately, not everything is going smoothly. Some of the most important settings I had in my iptables script are not working in my nftables script (/etc/nftables.conf).

The settings I've transcribed below, and others like them, all contained in the /etc/nftables.conf file, are not working in nftables:

# ------------------------------------------------------------------------------------------------------- #

Code:

#!/usr/sbin/nft -f
# ---------------------------------------------------- #
# Kernel settings                                        #
# ---------------------------------------------------- #
#
# For details see:
#
#   * http://www.securityfocus.com/infocus/1711
########## Enable IP spoofing protection (default is on) ##########
#
# i.e. drop spoofed packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
########## Ignore incoming ICMP echo-requests - i.e. disable ping (default is on) ##########
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
########## Enable broadcast/multicast echo protection (ignore broadcast/multicast pings) ##########
#
# i.e. ignore incoming ICMP echo-requests to broadcast/multicast addresses.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
########## Disable IP forwarding (default is off) ##########
echo 0 > /proc/sys/net/ipv4/ip_forward
########## Disable TCP Selective ACK (default is on) ##########
echo 0 > /proc/sys/net/ipv4/tcp_sack
########## Disable source routed packets (default is off) ##########
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f; done
# ------------------------------------------------------------------------------------------------------- #

These settings do not work, resulting in errors of this type:

Code:

/etc/nftables.conf:102:67-67: Error: syntax error, unexpected newline, expecting string or last
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
/etc/nftables.conf:105:6-6: Error: syntax error, unexpected number, expecting string or last
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Supposedly nftables is superior to iptables...
I wonder if anyone can help me with this issue.
Thanks in advance!

Statistics: Posted by zetetic — 2024-04-24 04:04 — Replies 1 — Views 42
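The errors quoted in the post come from the fact that `nft -f` reads /etc/nftables.conf with its own rule parser, not a shell: the `#` comment lines pass (which is why the `#!/usr/sbin/nft -f` header is harmless), but `for ...; do echo 1 > $f; done` and `echo 1 > /proc/sys/...` are shell commands and produce exactly the "expecting string or last" messages shown. The kernel settings belong in a sysctl.d file, and only packet rules belong in the nft file. The script below is an added example and not code from the post or from the nftables project: it turns the posted /proc/sys writes into sysctl.d lines and lists the shell lines left in an nft file so they can be moved out before `nft -c -f FILE` (nft's syntax check without loading). It assumes that a /proc/sys path maps to a sysctl key by dropping the prefix and turning `/` into `.`, and that the `conf/*/` glob is covered by the `all` and `default` keys; the file names in comments are hypothetical.

```sh
#!/bin/sh
# Added example (not from the forum post): separate kernel settings, which
# nft cannot parse, from the nft rule file. Assumptions: /proc/sys paths map
# to sysctl keys by dropping "/proc/sys/" and replacing "/" with ".", and the
# "conf/*/" glob is expressed with the "all" and "default" keys. File names
# mentioned in comments are hypothetical.

# proc_to_sysctl PATH: "/proc/sys/net/ipv4/ip_forward" -> "net.ipv4.ip_forward"
proc_to_sysctl() {
    printf '%s\n' "$1" | sed -e 's|^/proc/sys/||' -e 's|/|.|g'
}

# sysctl_lines PATH VALUE: emit "key = value" lines for a sysctl.d file; a
# "conf/*/" glob expands to the "all" and "default" entries, which is how
# sysctl.d files cover every interface.
sysctl_lines() {
    _path=$1 _value=$2
    case $_path in
        */conf/\*/*)
            for _iface in all default; do
                _key=$(printf '%s\n' "$_path" | sed "s|/conf/\\*/|/conf/$_iface/|")
                printf '%s = %s\n' "$(proc_to_sysctl "$_key")" "$_value"
            done ;;
        *)
            printf '%s = %s\n' "$(proc_to_sysctl "$_path")" "$_value" ;;
    esac
}

# kernel_settings_fragment: the post's kernel settings as the body of one
# sysctl.d file (values are the ones from the post). Install it as, say,
# /etc/sysctl.d/90-local-hardening.conf and load it with "sysctl --system".
kernel_settings_fragment() {
    sysctl_lines '/proc/sys/net/ipv4/conf/*/rp_filter' 1
    sysctl_lines /proc/sys/net/ipv4/icmp_echo_ignore_all 1
    sysctl_lines /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
    sysctl_lines /proc/sys/net/ipv4/ip_forward 0
    sysctl_lines /proc/sys/net/ipv4/tcp_sack 0
    sysctl_lines '/proc/sys/net/ipv4/conf/*/accept_source_route' 0
}

# shell_lines_in_nft_file FILE: print, space separated, the line numbers of
# lines that are shell commands rather than nft syntax. nft treats "#" lines
# as comments, so only the command lines need to leave the file.
shell_lines_in_nft_file() {
    grep -nE '^[[:space:]]*(for[[:space:]]|echo[[:space:]]|sysctl[[:space:]]|done([[:space:]]|;|$))' "$1" \
        | cut -d: -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Demo on a constructed four-line nft file: header comment, table opener,
# one shell line, closing brace. Only line 3 should be reported.
demo() {
    _tmp=$(mktemp)
    printf '%s\n' '#!/usr/sbin/nft -f' 'table inet filter {' \
        'for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done' '}' > "$_tmp"
    echo "shell lines in constructed nft file: $(shell_lines_in_nft_file "$_tmp")"
    rm -f "$_tmp"
    echo "--- sysctl.d fragment ---"
    kernel_settings_fragment
}
demo
```

After moving the settings out, the nft file should contain only `table`/`chain`/rule syntax; `nft -c -f /etc/nftables.conf` then reports any remaining parse error with a line number, the same way the post's errors were reported, before anything is loaded into the kernel.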
