I am working on setting up my firewall on my server right now and it drives me crazy. I am using nftables and have the following ruleset:
    table inet filter {
        map whitelist {
            type ipv4_addr . inet_service : verdict
            elements = { 192.168.1.x . ssh : accept,
                         192.168.1.y . ssh : accept,
                         192.168.1.z . ssh : accept }
        }
        chain input {
            type filter hook input priority 0; policy accept;
            ct state established,related accept
            iifname "lo" accept
            tcp dport http ip saddr { 192.168.1.0/24 } accept comment "Accept HTTP traffic on PORT 80"
            tcp dport netbios-ns ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Name Service (nmbd) on PORT 137"
            tcp dport netbios-dgm ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Datagram Service (nmbd) on PORT 138"
            tcp dport netbios-ssn ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Session Service (smbd) on PORT 139"
            tcp dport https ip saddr { 192.168.1.0/24 } accept comment "Accept HTTPS traffic on PORT 443"
            tcp dport microsoft-ds ip saddr { 192.168.1.0/24 } accept comment "Accept Microsoft Directory Services (smbd) on PORT 445"
            tcp dport webmin ip saddr { 192.168.1.0/24 } accept comment "Accept traffic for WebMin Interface on PORT 10000"
            udp dport netbios-ns ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Name Service (nmbd) on PORT 137"
            udp dport netbios-dgm ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Datagram Service (nmbd) on PORT 138"
            udp dport netbios-ssn ip saddr { 192.168.1.0/24 } accept comment "Accept NetBIOS Session Service (nmbd) on PORT 139"
            udp dport microsoft-ds ip saddr { 192.168.1.0/24 } accept comment "Accept Microsoft Directory Service (smbd) on PORT 445"
            meta nfproto ipv4 ip saddr . tcp dport vmap @whitelist
            drop
        }
        chain output {
            type filter hook output priority 0; policy accept;
        }
        chain forward {
            type filter hook forward priority 0; policy drop;
        }
    }
I made sure the network range defined above is within the correct range. The range covers 254 addresses and my machines should be fine. I have no issues with my main machine as well as one other one. These two machines have the IPs 192.168.1.42 and 192.168.1.181. But one other machine drives me crazy. As soon as the drop part is added, that machine with the IP 192.168.1.115 cannot access the server anymore.
My question is, as I just can't figure out why this one machine does not want to access the data on the server anymore, is there anything obvious why this access would not work? What am I missing?
thanks
realshadow
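A small model of how the posted input chain evaluates a packet, added here as an illustration and not part of the original post or of nftables itself. It walks the rules in the same order the ruleset lists them (conntrack state, loopback, the per-port LAN accepts for TCP and UDP, the SSH verdict map, then the final drop) and reports which rule produced the verdict. The whitelist entries 192.168.1.42 and 192.168.1.181 are constructed stand-ins for the x/y/z hosts in the post, and the sample packets are constructed too. Running it shows the only ways a new connection from 192.168.1.115 reaches the final drop under this ruleset: a port or protocol that has no accept rule (ICMP, UDP 53, anything not in the lists), or TCP 22 while the host is absent from the whitelist map.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# The source range used by every per-port accept rule in the posted chain.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Port numbers behind the service names in the posted ruleset.
# Note that the TCP and UDP lists differ (http, https and webmin are TCP only).
TCP_LAN_PORTS = {80, 137, 138, 139, 443, 445, 10000}
UDP_LAN_PORTS = {137, 138, 139, 445}

# Constructed stand-ins for the 192.168.1.x/y/z entries of the 'whitelist' map.
SSH_WHITELIST = {
    ("192.168.1.42", 22): "accept",
    ("192.168.1.181", 22): "accept",
}


@dataclass
class Packet:
    saddr: str
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]       # None for protocols without ports
    ct_state: str = "new"      # "new", "established" or "related"
    iifname: str = "eth0"      # constructed interface name


def evaluate_input(pkt: Packet):
    """Walk the input chain top to bottom and return (verdict, matching rule).

    This is a simplified model of the posted ruleset, not the kernel's evaluation.
    """
    if pkt.ct_state in ("established", "related"):
        return "accept", "ct state established,related"
    if pkt.iifname == "lo":
        return "accept", 'iifname "lo"'

    src = ipaddress.ip_address(pkt.saddr)
    in_lan = src.version == 4 and src in LAN

    if pkt.proto == "tcp" and pkt.dport in TCP_LAN_PORTS and in_lan:
        return "accept", f"tcp dport {pkt.dport} ip saddr 192.168.1.0/24"
    if pkt.proto == "udp" and pkt.dport in UDP_LAN_PORTS and in_lan:
        return "accept", f"udp dport {pkt.dport} ip saddr 192.168.1.0/24"

    # 'meta nfproto ipv4 ip saddr . tcp dport vmap @whitelist' only ever
    # matches IPv4 TCP packets; other packets fall through to the drop.
    if pkt.proto == "tcp" and src.version == 4:
        verdict = SSH_WHITELIST.get((pkt.saddr, pkt.dport))
        if verdict is not None:
            return verdict, "vmap @whitelist"

    return "drop", "final drop"


def explain(pkt: Packet) -> str:
    verdict, rule = evaluate_input(pkt)
    return f"{pkt.saddr} {pkt.proto}/{pkt.dport} ({pkt.ct_state}) -> {verdict} by '{rule}'"


# Constructed sample traffic from the host that is being dropped, plus controls.
SAMPLE = [
    Packet("192.168.1.115", "tcp", 445),           # SMB: accepted by the LAN rule
    Packet("192.168.1.115", "tcp", 22),            # SSH: not in the whitelist map
    Packet("192.168.1.115", "icmp", None),         # ping: no accept rule at all
    Packet("192.168.1.115", "udp", 53),            # DNS: no accept rule for UDP 53
    Packet("192.168.1.42", "tcp", 22),             # SSH from a whitelisted host
    Packet("10.0.0.5", "tcp", 445),                # SMB from outside the LAN
    Packet("10.0.0.5", "tcp", 445, "established"), # reply traffic of an existing flow
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(explain(p))
```

On the real box the same question ("which rule took this packet?") is answered by adding `counter` to the rules of interest and replacing the bare `drop` with `counter log prefix "input-drop: " drop`, then reading the kernel log while the affected host tries to connect; the logged protocol, ports and source address tell you which branch of the model above the packet actually took.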
0 Answers