Adding Sets

[GlennToms]

Hi Again,

I posted by full config files maybe you can see where I'm making the mistake.
The geo-inet4 from the example is working fine. Only when i try to add my additional sets does it error.

ERROR:

geo-nft.sh v2.2.3:
        The following 'define-ipv4' line in /etc/nftables/geo-nft/refill-sets.conf
        does not point to a valid nftables set:
        define-ipv4 inet filter geo-channel4 GG

/etc/nftables/geo-nft/refill-sets.conf

include "/etc/nftables/geo-nft/countrysets/*"

define-ipv4 inet filter geo-inet4 AD
define-ipv6 inet filter geo-inet6 AQ

define-ipv4 inet filter geo-channel4 GG
define-ipv6 inet filter geo-channel6 GG

/etc/nftables.confc/nftables.conf

#!/usr/bin/nft -f
flush ruleset
table inet filter {
  set geo-inet4 {
    type ipv4_addr
    flags interval
  }
  set geo-inet6 {
    type ipv6_addr
    flags interval
  }

  set geo-channel4 {
    type ipv4_addr
    flags interval
  }
  set geo-channel6 {
    type ipv6_addr
    flags interval
  }

  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related counter accept comment "Accept established and related traffic"
    iif lo counter accept comment "Accept localhost traffic"
    ct state invalid counter drop comment "Drop invalid state packets"
    #tcp dport 22 counter accept comment "Accept SSH on port 22"
    tcp daddr @geo-channel4 dport 22 counter accept comment "Accept SSH on port 22"
    tcp daddr @geo-channel6 dport 22 counter accept comment "Accept SSH on port 22"
    ip protocol icmp limit rate 5/second counter accept comment "Accept ICMP traffic"
    ip protocol igmp limit rate 5/second counter accept comment "Accept IGMP traffic"
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert, echo-request } \
      limit rate 5/second counter accept comment "Accept IPv6 neighbor discovery traffic"
    counter drop comment "Drop all other incoming traffic"
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    counter drop comment "Drop forwarded packets since this isn't a router"
  }
  chain output {
    type filter hook output priority 0; policy accept;
    ct state established,related counter accept comment "Accept established and related traffic"
    oif lo counter accept comment "Accept localhost traffic"
    ct state invalid counter drop comment "Drop invalid state packets"
    meta l4proto { udp, tcp } @th,16,16 53 ct state new counter accept comment "Allow new DNS out"
    ip daddr @geo-inet4 counter reject comment "Reject destination addresses in set geo-inet4"
    ip6 daddr @geo-inet6 counter reject comment "Reject destination addresses in set geo-inet6"
    meta l4proto { tcp, udp } @th,16,16 { 80, 443 } ct state new counter accept comment "Allow new HTTP/HTTPS out"
    counter accept comment "Accept all other outgoing traffic"
  }
}
include "/etc/nftables/geo-nft/*refill-sets.nft"

---

I got Sets working now. Not sure what I was doing wrong but the sets are filled now. Only issue left is with NFT.

How do I only allow source IP SET to port 22 but allow every IP to 80 & 443.

[wirefalls]

Hello,

Glad that you have sets working. If you want to accept incoming SSH traffic from addresses in sets @geo-channel4 and @geo-channel6 then you'll want to match the source address rather than the destination address. Test these rules and see if they work for you:

ip saddr @geo-channel4 tcp dport 22 counter accept comment "Accept SSH on port 22 from addresses in set @geo-channel4"
ip6 saddr @geo-channel6 tcp dport 22 counter accept comment "Accept SSH on port 22 from addresses in set @geo-channel6"

As for HTTP/HTTPS, remove the 'ct state new' from the rule. Test this and see if it does what you want:

meta l4proto { tcp, udp } @th,16,16 { 80, 443 } counter accept comment "Allow outgoing HTTP/HTTPS"

Hopefully that gets things working.

Thanks

[GlennToms]

Thanks I got that working now. Looks like my rules weren't even close!