rpthms / nft-geo-filter

Allow/deny traffic in nftables using country specific IP blocks
MIT License

Error on adding filter #1

Closed TeleMediaCC closed 4 years ago

TeleMediaCC commented 4 years ago

Hi

I only want to add a simple filter, but I get an nft error.

Command: root@xxx:/home/xxx/nft-geo-filter# ./nft-geo-filter --allow HU

Response:

ERROR - show_subprocess_run_error - Failed to run: (1, ['/usr/sbin/nft', 'add', 'chain', 'inet', 'geo-filter', 'filter-chain', '{', 'type', 'filter', 'hook', 'prerouting', 'priority', 'filter', '-', '200;', 'policy', 'drop;', '}'])
ERROR - show_subprocess_run_error - Command exit status: 1
ERROR - show_subprocess_run_error - Command stdout: b''
ERROR - show_subprocess_run_error - Command stderr: b'Error: syntax error, unexpected string, expecting - or number\nadd chain inet geo-filter filter-chain { type filter hook prerouting priority filter - 200; policy drop; }\n                                                                              ^^^^^^\n'
Failed to add the target nftables chain

I only get an empty geo-filter table:

table inet geo-filter {
}
rpthms commented 4 years ago

Hmm, what version of nft are you using? I guess old versions of nft don't support math operations on chain priorities.

rpthms commented 4 years ago

I just checked the nftables changelog and it looks like support for arithmetic expressions in chain priorities was only added in nftables 0.9.1 (https://www.spinics.net/lists/netfilter/msg58736.html). Since Debian Buster is still using nftables 0.9.0 (and other LTS distros even older versions of nftables), I have gone ahead and removed the arithmetic expression from the "add chain" command and replaced the priority with just "-200". Please try the script on the latest commit and let me know if it fixes your issue.

frankofno commented 4 years ago

I'm new to git and have never used it before. Can you help me a little with how I can start that script? I've got nft up and running and installed git on CentOS, but I can't figure out how to install/run it. :)

rpthms commented 4 years ago

@frankofno You don't need git. You can just download the script from here: https://raw.githubusercontent.com/rpthms/nft-geo-filter/master/nft-geo-filter, save it somewhere on your server (probably in /usr/local/bin) and then run the script. Look at the examples in the README to learn how to use nft-geo-filter.

frankofno commented 4 years ago

The "... and run the script." part is what I can't figure out. Just typing in "nft-geo-filter", "nft-geo-filter -h" or "nft-geo-filter --allow MC" is not working; "not a directory" / "not a command" messages show up. "nft-geo-filter --table-family netdev --interface eth0 MC" is giving me "command not found".

frankofno commented 4 years ago

Oh, chmod +x was missing, one step closer. Now I'm getting:

[root@mail bin]# nft-geo-filter --table-family netdev --interface eth0 MC
Traceback (most recent call last):
  File "/usr/local/bin/nft-geo-filter", line 406, in <module>
    if gFilter.add_table() == -1:
  File "/usr/local/bin/nft-geo-filter", line 81, in add_table
    subprocess.run(nft_command.split(), capture_output=True, check=True)
  File "/usr/lib64/python3.6/subprocess.py", line 423, in run
    with Popen(*popenargs, **kwargs) as process:
TypeError: __init__() got an unexpected keyword argument 'capture_output'

rpthms commented 4 years ago

@frankofno Looks like your Python version is too old and doesn't support the capture_output argument. Could you create a separate issue so that we don't derail @TeleMediaCC's issue? Also, specify which distro you're using in that issue.

TeleMediaCC commented 4 years ago

I installed 0.9.6

root@xxx:/home/xxx/nft-geo-filter# nft -v
nftables v0.9.6 (Capital Idea #2)
root@xxx:/home/xxx/nft-geo-filter# ./nft-geo-filter --allow HU
ERROR - show_subprocess_run_error - Failed to run: (1, ['/usr/sbin/nft', 'add', 'chain', 'inet', 'geo-filter', 'filter-chain', '{', 'type', 'filter', 'hook', 'prerouting', 'priority', 'filter', '-', '200;', 'policy', 'drop;', '}'])
ERROR - show_subprocess_run_error - Command exit status: 1
ERROR - show_subprocess_run_error - Command stdout: b''
ERROR - show_subprocess_run_error - Command stderr: b'Error: syntax error, unexpected string, expecting - or number\nadd chain inet geo-filter filter-chain { type filter hook prerouting priority filter - 200; policy drop; }\n                                                                              ^^^^^^\n'
Failed to add the target nftables chain
rpthms commented 4 years ago

@TeleMediaCC Could you tell me what distro you're running the script on? And what version of the distro? Also, what version of Python 3 have you got installed on your system?

TeleMediaCC commented 4 years ago

Freshly installed Debian 10.5

#cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 10 (buster)
Release:        10
Codename:       buster
# uname -r
4.19.0-10-amd64
# cat /proc/version
Linux version 4.19.0-10-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
# python -v
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
# python3 -v
Python 3.7.3 (default, Jul 25 2020, 13:03:44)
[GCC 8.3.0] on linux
rpthms commented 4 years ago

Are you sure you're using nftables 0.9.6 on Debian 10.5? I just tried installing nftables on the latest Buster release and the highest version of nftables I could get was nftables 0.9.0.

root@debian:~# cat /etc/debian_version 
10.5
root@debian:~# apt update && apt install nftables
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://deb.debian.org/debian-security buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libjansson4 libnftables0
The following NEW packages will be installed:
  libjansson4 libnftables0 nftables
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 286 kB of archives.
After this operation, 896 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://deb.debian.org/debian buster/main amd64 libjansson4 amd64 2.12-1 [38.0 kB]
Get:2 http://deb.debian.org/debian buster/main amd64 libnftables0 amd64 0.9.0-2 [203 kB]
Get:3 http://deb.debian.org/debian buster/main amd64 nftables amd64 0.9.0-2 [45.2 kB]
Fetched 286 kB in 0s (11.1 MB/s)
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 29491 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.12-1_amd64.deb ...
Unpacking libjansson4:amd64 (2.12-1) ...
Selecting previously unselected package libnftables0:amd64.
Preparing to unpack .../libnftables0_0.9.0-2_amd64.deb ...
Unpacking libnftables0:amd64 (0.9.0-2) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.9.0-2_amd64.deb ...
Unpacking nftables (0.9.0-2) ...
Setting up libjansson4:amd64 (2.12-1) ...
Setting up libnftables0:amd64 (0.9.0-2) ...
Setting up nftables (0.9.0-2) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
root@debian:~# nft -v
nftables v0.9.0 (Fearless Fosdick)
GaborTorma commented 4 years ago

Sure. I built from source based on this doc: https://dev.to/isabelcmdcosta/installing-nftables-from-sources-ondebian--4ic

rpthms commented 4 years ago

@GaborTorma Could you download the latest version of the script from here: https://raw.githubusercontent.com/rpthms/nft-geo-filter/master/nft-geo-filter and try running the script again? I had replaced the "filter - 200" with an explicit "-200" priority, so maybe it should work for you?

Is there any special reason why you're compiling nftables yourself? You could also try using the nftables package from the buster-backports repo which is at version 0.9.3 (which should hopefully work, but I haven't tested it yet).

rpthms commented 4 years ago

@GaborTorma I've just pushed a fix to the script. The script now works in Buster 10.5. The issue was that nft was parsing the "-200" part as an option to nft instead of treating it as a part of the add chain command (https://bugzilla.redhat.com/show_bug.cgi?id=1778883). Adding a "--" argument after nft fixes the issue. Please download the script again and give it a shot.

root@debian:~# cat /etc/debian_version 
10.5
root@debian:~# apt update && apt upgrade
Hit:1 http://mirrors.linode.com/debian buster InRelease
Hit:2 http://mirrors.linode.com/debian-security buster/updates InRelease
Hit:3 http://mirrors.linode.com/debian buster-updates InRelease
Reading package lists... Done
Building dependency tree       
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@debian:~# apt install nftables
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following additional packages will be installed:
  libjansson4 libnftables0
The following NEW packages will be installed:
  libjansson4 libnftables0 nftables
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 286 kB of archives.
After this operation, 896 kB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://mirrors.linode.com/debian buster/main amd64 libjansson4 amd64 2.12-1 [38.0 kB]
Get:2 http://mirrors.linode.com/debian buster/main amd64 libnftables0 amd64 0.9.0-2 [203 kB]
Get:3 http://mirrors.linode.com/debian buster/main amd64 nftables amd64 0.9.0-2 [45.2 kB]
Fetched 286 kB in 0s (8,992 kB/s)
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 29491 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.12-1_amd64.deb ...
Unpacking libjansson4:amd64 (2.12-1) ...
Selecting previously unselected package libnftables0:amd64.
Preparing to unpack .../libnftables0_0.9.0-2_amd64.deb ...
Unpacking libnftables0:amd64 (0.9.0-2) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.9.0-2_amd64.deb ...
Unpacking nftables (0.9.0-2) ...
Setting up libjansson4:amd64 (2.12-1) ...
Setting up libnftables0:amd64 (0.9.0-2) ...
Setting up nftables (0.9.0-2) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
root@debian:~# nft -v
nftables v0.9.0 (Fearless Fosdick)
root@debian:~# curl -O https://raw.githubusercontent.com/rpthms/nft-geo-filter/master/nft-geo-filter
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 21622  100 21622    0     0  72073      0 --:--:-- --:--:-- --:--:-- 72073
root@debian:~# chmod u+x ./nft-geo-filter 
root@debian:~# ./nft-geo-filter MC && nft list ruleset
table inet geo-filter {
        set filter-v4 {
                type ipv4_addr
                flags interval
                auto-merge
                elements = { 37.44.224.0/22, 80.94.96.0/20,
                             82.113.0.0/19, 87.238.104.0/21,
                             87.254.224.0/19, 88.209.64.0/18,
                             91.199.109.0/24, 176.114.96.0/20,
                             185.47.116.0/22, 185.162.120.0/22,
                             185.250.4.0/22, 188.191.136.0/21,
                             194.9.12.0/23, 195.20.192.0/23,
                             195.78.0.0/19, 213.133.72.0/21,
                             213.137.128.0/19 }
        }

        set filter-v6 {
                type ipv6_addr
                flags interval
                auto-merge
                elements = { 2a01:8fe0::/32,
                             2a07:9080::/29,
                             2a0b:8000::/29 }
        }

        chain filter-chain {
                type filter hook prerouting priority -200; policy accept;
                ip saddr @filter-v4 drop
                ip6 saddr @filter-v6 drop
        }
}
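The thread above pins down three separate portability problems in one `nft add chain` call: nftables older than 0.9.1 rejects arithmetic in chain priorities ("filter - 200"), nft treats a leading negative literal such as "-200" as an option unless the command words are preceded by "--" (the Red Hat bug linked above), and Python 3.6 has no `subprocess.run(capture_output=...)`. The block below is an added example written for this page, not nft-geo-filter's own code, showing how a script can handle all three: parse the `nft -v` banner, choose the priority form the installed version accepts, build the argv as a list with the "--" separator, and invoke nft with explicit `stdout`/`stderr` pipes. Function names, the version regex, the `NFT_BIN` path and the two sample banner strings are this example's own assumptions.

```python
"""Added example (not the nft-geo-filter project's own code): build and run
the `nft add chain ...` command so that it survives the failure modes seen in
this issue.

  1. nftables < 0.9.1 rejects arithmetic in chain priorities ("filter - 200"),
     so the literal value is used on old versions.
  2. nft parses a leading "-200" as an option unless the command words are
     preceded by "--" (see Red Hat bug 1778883 linked in the thread).
  3. Python < 3.7 has no subprocess.run(capture_output=...), so the pipes are
     requested explicitly with stdout=PIPE / stderr=PIPE.

NFT_BIN, the function names, the regex and the sample banners below are
assumptions made for this example.
"""
import re
import subprocess
from typing import List, Optional, Tuple

NFT_BIN = "/usr/sbin/nft"  # path shown in the issue's error output (assumption)

# Constructed sample strings, copied from the `nft -v` output in this thread.
SAMPLE_OLD = "nftables v0.9.0 (Fearless Fosdick)"
SAMPLE_NEW = "nftables v0.9.6 (Capital Idea #2)"

_VERSION_RE = re.compile(r"nftables v(\d+)\.(\d+)(?:\.(\d+))?")

Version = Tuple[int, int, int]


def parse_nft_version(banner: str) -> Version:
    """Turn the `nft -v` banner into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised nft version banner: %r" % banner)
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def supports_priority_arithmetic(version: Version) -> bool:
    """Arithmetic in chain priorities ("filter - 200") arrived in nftables 0.9.1."""
    return version >= (0, 9, 1)


def priority_expr(version: Version, base_name: str = "filter",
                  base_value: int = 0, offset: int = -200) -> str:
    """Return the chain priority in the form this nft version accepts.

    On >= 0.9.1 the symbolic form keeps the rule set readable; on older
    versions fall back to the resolved literal (the "filter" name is 0 for
    the inet family, so "filter - 200" becomes "-200").
    """
    if supports_priority_arithmetic(version):
        sign = "-" if offset < 0 else "+"
        return "%s %s %d" % (base_name, sign, abs(offset))
    return str(base_value + offset)


def build_add_chain_argv(version: Version, table_family: str = "inet",
                         table: str = "geo-filter", chain: str = "filter-chain",
                         hook: str = "prerouting", policy: str = "drop") -> List[str]:
    """Build the argv for `nft add chain ...` as a list (no shell, no str.split()).

    The "--" right after the binary ends option parsing, so a negative literal
    priority such as -200 cannot be mistaken for an nft option.
    """
    argv = [NFT_BIN, "--", "add", "chain", table_family, table, chain,
            "{", "type", "filter", "hook", hook, "priority"]
    # Split the priority into words the same way the original command did.
    prio_words = priority_expr(version).split()
    prio_words[-1] += ";"
    argv += prio_words + ["policy", policy + ";", "}"]
    return argv


def run_nft(argv: List[str]) -> Tuple[int, str, str]:
    """Run nft and return (exit status, stdout, stderr); works on Python 3.5+."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
    return (proc.returncode,
            proc.stdout.decode(errors="replace"),
            proc.stderr.decode(errors="replace"))


def detect_nft_version() -> Optional[Version]:
    """Ask the installed nft for its version; None if nft is not runnable."""
    try:
        rc, out, err = run_nft([NFT_BIN, "-v"])
    except OSError:
        return None
    try:
        return parse_nft_version(out + err)
    except ValueError:
        return None


if __name__ == "__main__":
    version = detect_nft_version() or (0, 9, 0)  # assume the oldest case if unknown
    argv = build_add_chain_argv(version)
    print("nft version:", version)
    print("command:", " ".join(argv))
    rc, out, err = run_nft(argv)
    if rc != 0:
        print("nft failed (exit %d): %s" % (rc, err.strip()))
```

Choosing the literal "-200" on every version (as the script's fix does) is the simplest route; the version check matters only if you want the symbolic "filter - 200" form on newer systems. Either way the "--" separator is what makes the negative literal safe, and passing argv as a list keeps an interface name or country code from being re-split by the shell.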
TeleMediaCC commented 4 years ago

Works. Thanks!