Closed TeleMediaCC closed 4 years ago
Hmm, what version of nft are you using? I guess old versions of nft don't support math operations on chain priorities.
I just checked the nftables changelog and it looks like support for arithmetic expressions in chain priorities was only added in nftables 0.9.1 (https://www.spinics.net/lists/netfilter/msg58736.html). Since Debian Buster is still using nftables 0.9.0 (and other LTS distros even older versions of nftables), I have gone ahead and removed the arithmetic expression from the "add chain" command and replaced the priority with just "-200". Please try the script on the latest commit and let me know if it fixes your issue.
I'm new to git and have never used it before. Can you help me a little with how I can start that script? I've got nft up and running and installed git on CentOS, but I can't figure out how to install/run it. :)
@frankofno You don't need git. You can just download the script from here: https://raw.githubusercontent.com/rpthms/nft-geo-filter/master/nft-geo-filter, save it somewhere on your server (probably in /usr/local/bin) and then run the script. Look at the examples in the README to learn how to use nft-geo-filter.
The "... and run the script" part is what I can't figure out. Just typing in "nft-geo-filter" or "nft-geo-filter -h" or "nft-geo-filter --allow MC" is not working; "not a directory" / "not a command" messages show up. "nft-geo-filter --table-family netdev --interface eth0 MC" is giving me "command not found".
Oh, chmod +x was missing, one step closer. Now I'm getting
[root@mail bin]# nft-geo-filter --table-family netdev --interface eth0 MC
Traceback (most recent call last):
File "/usr/local/bin/nft-geo-filter", line 406, in
@frankofno Looks like your Python version is too old and doesn't support the capture_output argument. Could you create a separate issue so that we don't derail @TeleMediaCC's issue? Also, specify which distro you're using in that issue.
I installed 0.9.6
root@xxx:/home/xxx/nft-geo-filter# nft -v
nftables v0.9.6 (Capital Idea #2)
root@xxx:/home/xxx/nft-geo-filter# ./nft-geo-filter --allow HU
ERROR - show_subprocess_run_error - Failed to run: (1, ['/usr/sbin/nft', 'add', 'chain', 'inet', 'geo-filter', 'filter-chain', '{', 'type', 'filter', 'hook', 'prerouting', 'priority', 'filter', '-', '200;', 'policy', 'drop;', '}'])
ERROR - show_subprocess_run_error - Command exit status: 1
ERROR - show_subprocess_run_error - Command stdout: b''
ERROR - show_subprocess_run_error - Command stderr: b'Error: syntax error, unexpected string, expecting - or number\nadd chain inet geo-filter filter-chain { type filter hook prerouting priority filter - 200; policy drop; }\n ^^^^^^\n'
Failed to add the target nftables chain
@TeleMediaCC Could you tell me what distro you're running the script on? And what version of the distro? Also, what version of Python 3 have you got installed on your system?
Freshly installed Debian 10.5
#cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 10 (buster)"
NAME="Debian GNU/Linux"
VERSION_ID="10"
VERSION="10 (buster)"
VERSION_CODENAME=buster
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 10 (buster)
Release: 10
Codename: buster
# uname -r
4.19.0-10-amd64
# cat /proc/version
Linux version 4.19.0-10-amd64 (debian-kernel@lists.debian.org) (gcc version 8.3.0 (Debian 8.3.0-6)) #1 SMP Debian 4.19.132-1 (2020-07-24)
# python -v
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
# python3 -v
Python 3.7.3 (default, Jul 25 2020, 13:03:44)
[GCC 8.3.0] on linux
Are you sure you're using nftables 0.9.6 on Debian 10.5? I just tried installing nftables on the latest Buster release and the highest version of nftables I could get was nftables 0.9.0.
root@debian:~# cat /etc/debian_version
10.5
root@debian:~# apt update && apt install nftables
Hit:1 http://deb.debian.org/debian buster InRelease
Hit:2 http://deb.debian.org/debian-security buster/updates InRelease
Hit:3 http://deb.debian.org/debian buster-updates InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libjansson4 libnftables0
The following NEW packages will be installed:
libjansson4 libnftables0 nftables
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 286 kB of archives.
After this operation, 896 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://deb.debian.org/debian buster/main amd64 libjansson4 amd64 2.12-1 [38.0 kB]
Get:2 http://deb.debian.org/debian buster/main amd64 libnftables0 amd64 0.9.0-2 [203 kB]
Get:3 http://deb.debian.org/debian buster/main amd64 nftables amd64 0.9.0-2 [45.2 kB]
Fetched 286 kB in 0s (11.1 MB/s)
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 29491 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.12-1_amd64.deb ...
Unpacking libjansson4:amd64 (2.12-1) ...
Selecting previously unselected package libnftables0:amd64.
Preparing to unpack .../libnftables0_0.9.0-2_amd64.deb ...
Unpacking libnftables0:amd64 (0.9.0-2) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.9.0-2_amd64.deb ...
Unpacking nftables (0.9.0-2) ...
Setting up libjansson4:amd64 (2.12-1) ...
Setting up libnftables0:amd64 (0.9.0-2) ...
Setting up nftables (0.9.0-2) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
root@debian:~# nft -v
nftables v0.9.0 (Fearless Fosdick)
Sure. I built from source based on this doc: https://dev.to/isabelcmdcosta/installing-nftables-from-sources-ondebian--4ic
@GaborTorma Could you download the latest version of the script from here: https://raw.githubusercontent.com/rpthms/nft-geo-filter/master/nft-geo-filter and try running the script again? I had replaced the "filter - 200" with an explicit "-200" priority, so maybe it should work for you?
Is there any special reason why you're compiling nftables yourself? You could also try using the nftables package from the buster-backports repo which is at version 0.9.3 (which should hopefully work, but I haven't tested it yet).
@GaborTorma I've just pushed a fix to the script. The script now works in Buster 10.5. The issue was that nft was parsing the "-200" part as an option to nft instead of treating it as a part of the add chain command (https://bugzilla.redhat.com/show_bug.cgi?id=1778883). Adding a "--" argument after nft fixes the issue. Please download the script again and give it a shot.
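The two nft quirks worked out above (arithmetic chain priorities such as "filter - 200" only parse on nftables 0.9.1 and newer, and a bare "-200" is swallowed as an nft command-line option unless a "--" separator precedes the command) put together in one added example. This is not the nft-geo-filter script's own code; it is a stand-alone illustration. Assumptions: the nft binary is found via PATH (falling back to /usr/sbin/nft as seen in the error output), the family/table/chain names are taken from the ruleset printed in this thread, the 0.9.1 cutoff is the one the maintainer cites, and the subprocess.run fallback covers the capture_output TypeError mentioned for older Python 3 versions.

```python
"""Build an `nft add chain` invocation that works on nftables 0.9.0 and newer.

Added example, not part of nft-geo-filter. Two things it handles:
  1. `priority filter - 200` needs nftables >= 0.9.1; older versions get `-200`.
  2. A leading '-' in the priority is parsed as an nft option unless the
     argument list carries a '--' separator before the command words.
"""
import re
import shutil
import subprocess
import sys
from typing import List, Optional, Tuple

# Assumed location; nft-geo-filter resolves the binary its own way.
NFT = shutil.which("nft") or "/usr/sbin/nft"


def parse_nft_version(banner: str) -> Optional[Tuple[int, ...]]:
    """Parse `nft -v` output such as 'nftables v0.9.0 (Fearless Fosdick)'."""
    m = re.search(r"\bv(\d+(?:\.\d+)+)", banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def supports_priority_arithmetic(version: Optional[Tuple[int, ...]]) -> bool:
    """Arithmetic in chain priorities was added in nftables 0.9.1.

    An unknown version (None) is treated as old, so the numeric form is used."""
    return version is not None and version >= (0, 9, 1)


def priority_expr(version: Optional[Tuple[int, ...]]) -> str:
    """'filter' is the standard priority name for 0, so 'filter - 200' == -200."""
    return "filter - 200" if supports_priority_arithmetic(version) else "-200"


def add_chain_argv(version: Optional[Tuple[int, ...]],
                   family: str = "inet", table: str = "geo-filter",
                   chain: str = "filter-chain", hook: str = "prerouting",
                   policy: str = "accept", nft: str = NFT) -> List[str]:
    """Argument vector for `nft add chain ...` with the '--' separator.

    '--' stops nft's option parsing, so a priority token beginning with '-'
    is handed to the nft grammar instead of being rejected as an unknown flag."""
    return [
        nft, "--", "add", "chain", family, table, chain, "{",
        "type", "filter", "hook", hook, "priority", f"{priority_expr(version)};",
        "policy", f"{policy};", "}",
    ]


def run_capturing(argv: List[str]) -> subprocess.CompletedProcess:
    """subprocess.run(capture_output=True) exists from Python 3.7 onward;
    on 3.6 pass the pipes explicitly instead of raising a TypeError."""
    if sys.version_info >= (3, 7):
        return subprocess.run(argv, capture_output=True)
    return subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE)


if __name__ == "__main__":
    # Detect the installed version, then create the chain with the matching syntax.
    try:
        banner = run_capturing([NFT, "-v"]).stdout.decode(errors="replace")
    except OSError as exc:
        sys.exit(f"cannot run {NFT}: {exc}")
    version = parse_nft_version(banner)
    print("nft version:", version, "-> priority", priority_expr(version))
    result = run_capturing(add_chain_argv(version))
    if result.returncode != 0:
        sys.exit(f"nft failed ({result.returncode}): {result.stderr.decode(errors='replace')}")
    print("chain created")
```

Running the script as root creates the chain; the table must exist first (nft-geo-filter adds it before the chain). Keeping `add_chain_argv` pure makes the exact argument list easy to inspect or unit-test without touching the kernel ruleset.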
root@debian:~# cat /etc/debian_version
10.5
root@debian:~# apt update && apt upgrade
Hit:1 http://mirrors.linode.com/debian buster InRelease
Hit:2 http://mirrors.linode.com/debian-security buster/updates InRelease
Hit:3 http://mirrors.linode.com/debian buster-updates InRelease
Reading package lists... Done
Building dependency tree
Reading state information... Done
All packages are up to date.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@debian:~# apt install nftables
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
libjansson4 libnftables0
The following NEW packages will be installed:
libjansson4 libnftables0 nftables
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 286 kB of archives.
After this operation, 896 kB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://mirrors.linode.com/debian buster/main amd64 libjansson4 amd64 2.12-1 [38.0 kB]
Get:2 http://mirrors.linode.com/debian buster/main amd64 libnftables0 amd64 0.9.0-2 [203 kB]
Get:3 http://mirrors.linode.com/debian buster/main amd64 nftables amd64 0.9.0-2 [45.2 kB]
Fetched 286 kB in 0s (8,992 kB/s)
Selecting previously unselected package libjansson4:amd64.
(Reading database ... 29491 files and directories currently installed.)
Preparing to unpack .../libjansson4_2.12-1_amd64.deb ...
Unpacking libjansson4:amd64 (2.12-1) ...
Selecting previously unselected package libnftables0:amd64.
Preparing to unpack .../libnftables0_0.9.0-2_amd64.deb ...
Unpacking libnftables0:amd64 (0.9.0-2) ...
Selecting previously unselected package nftables.
Preparing to unpack .../nftables_0.9.0-2_amd64.deb ...
Unpacking nftables (0.9.0-2) ...
Setting up libjansson4:amd64 (2.12-1) ...
Setting up libnftables0:amd64 (0.9.0-2) ...
Setting up nftables (0.9.0-2) ...
Processing triggers for man-db (2.8.5-2) ...
Processing triggers for libc-bin (2.28-10) ...
root@debian:~# nft -v
nftables v0.9.0 (Fearless Fosdick)
root@debian:~# curl -O https://raw.githubusercontent.com/rpthms/nft-geo-filter/master/nft-geo-filter
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 21622 100 21622 0 0 72073 0 --:--:-- --:--:-- --:--:-- 72073
root@debian:~# chmod u+x ./nft-geo-filter
root@debian:~# ./nft-geo-filter MC && nft list ruleset
table inet geo-filter {
set filter-v4 {
type ipv4_addr
flags interval
auto-merge
elements = { 37.44.224.0/22, 80.94.96.0/20,
82.113.0.0/19, 87.238.104.0/21,
87.254.224.0/19, 88.209.64.0/18,
91.199.109.0/24, 176.114.96.0/20,
185.47.116.0/22, 185.162.120.0/22,
185.250.4.0/22, 188.191.136.0/21,
194.9.12.0/23, 195.20.192.0/23,
195.78.0.0/19, 213.133.72.0/21,
213.137.128.0/19 }
}
set filter-v6 {
type ipv6_addr
flags interval
auto-merge
elements = { 2a01:8fe0::/32,
2a07:9080::/29,
2a0b:8000::/29 }
}
chain filter-chain {
type filter hook prerouting priority -200; policy accept;
ip saddr @filter-v4 drop
ip6 saddr @filter-v6 drop
}
}
Works. Thanks!
Hi
I only want to put a simple filter in place, but I get an nft error.
Command:
root@xxx:/home/xxx/nft-geo-filter# ./nft-geo-filter --allow HU
Response:
I only get an empty geo-filter table: