Hi,
I'm using an RPi 4 for controlling my smart home,
but a couple of months ago I couldn't connect to my Pi anymore.
Due to a lack of time, I have only now been able to address the problem again.
I found out that the kernel completely ignores the conntrack settings of my nftables,
so even connections established by the Pi are blocked when receiving packets.
As an example: without accepting the input chain globally, I can't use apt.
When I enter "nft list table ip filter", the packet counter does not change.
Am I missing something?
uname -a:
Linux SmarthomePi 6.6.31+rpt-rpi-v8 #1 SMP PREEMPT Debian 1:6.6.31-1+rpt1 (2024-05-29) aarch64 GNU/Linux
My nftables:
Code:
#!/usr/sbin/nft -f

flush ruleset

include "/etc/nftables.d/define/interfaces.nft"
include "/etc/nftables.d/define/ips.nft"
include "/etc/nftables.d/define/networks.nft"
include "/etc/nftables.d/define/ports.nft"
include "/etc/nftables.d/define/hosts.nft"
#include "/etc/nftables.d/fail2ban.nft"
#include "/etc/nftables.d/geoip.nft"

table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy drop;

        # invalid connections
        ct state invalid drop

        # established/related connections
        ct state { related, established } counter packets 0 bytes 0 accept

        # accept loopback
        iifname lo accept

        # drop connections to loopback not coming from loopback
        iifname != lo ip saddr 127.0.0.0/8 drop
        iifname != lo ip daddr 127.0.0.1/8 drop

        # split up inbound traffic into subchains
        ip daddr $ipv4_smarthomepi_device ip saddr $ipv4_routerpi_device goto ROUTERPI-TO-SMARTHOMEPI
        ip daddr $ipv4_smarthomepi_device goto DEVICE-TO-SMARTHOMEPI
        ip daddr $ipv4_smarthomepi_iot goto IOT-TO-SMARTHOMEPI
    }

    chain FORWARD {
        type filter hook forward priority filter; policy drop;

        # invalid connections
        ct state invalid drop

        # established/related connections
        ct state { established, related } accept

        # split up forward traffic into subchains
        # from iot to iot
        iifname $if_device oifname $if_device accept
        iifname $if_iot oifname $if_iot accept
    }

    chain OUTPUT {
        type filter hook output priority filter; policy accept;
    }

    include "/etc/nftables.d/chains.nft"
    include "/etc/nftables.d/docker.nft"
}
Statistics: Posted by smhrambo — Tue Jul 23, 2024 11:49 am
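The check the poster describes (watching whether the packet counter on the `ct state { established, related } counter ... accept` rule moves while the host is talking) can be scripted so the "before" and "after" listings are compared mechanically. The script below is an added example, not code from the post or from the nftables project. It parses the plain-text output of `nft list chain ip filter INPUT`, extracts the packet count of the first rule that carries both a `ct state` match and a `counter`, and reports the delta between two snapshots. The two snapshots embedded in the script are constructed sample output; `live_check` is a hypothetical helper that only makes sense on the Pi itself, as root, with `nft` installed.

```shell
#!/bin/sh
# Added example (not from the original post): does the conntrack accept rule
# in chain INPUT ever see packets?  Compare the "counter packets N" value of
# the "ct state ... counter ... accept" rule between two listings.

# Print the packet count of the first rule on stdin that matches both
# "ct state" and "counter packets"; print -1 when no such rule exists.
ct_rule_packets() {
    awk '
        /ct state/ && /counter packets/ && !found {
            for (i = 1; i <= NF; i++)
                if ($i == "packets") { print $(i + 1); found = 1; exit }
        }
        END { if (!found) print -1 }
    '
}

# Usage: ct_counter_delta "<listing before>" "<listing after>"
# Prints the delta; exit status 0 when the counter moved, 1 when it did not
# (the symptom in the post), 2 when the rule could not be found at all.
ct_counter_delta() {
    before=$(printf '%s\n' "$1" | ct_rule_packets)
    after=$(printf '%s\n' "$2" | ct_rule_packets)
    if [ "$before" -lt 0 ] || [ "$after" -lt 0 ]; then
        echo "no 'ct state ... counter' rule found in a snapshot" >&2
        return 2
    fi
    echo $((after - before))
    [ "$after" -gt "$before" ]
}

# Constructed sample listings (what `nft list chain ip filter INPUT` prints
# for a chain like the poster's).  The first two differ only in the counter.
SNAP_BEFORE='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		ct state invalid drop
		ct state { established, related } counter packets 0 bytes 0 accept
		iifname "lo" accept
	}
}'
SNAP_AFTER_OK='table ip filter {
	chain INPUT {
		type filter hook input priority filter; policy drop;
		ct state invalid drop
		ct state { established, related } counter packets 1842 bytes 2109331 accept
		iifname "lo" accept
	}
}'
# Broken case: the host exchanged traffic but the rule never matched.
SNAP_AFTER_BROKEN=$SNAP_BEFORE

# Hypothetical live use on the Pi (root, nft present): snapshot, generate
# outbound traffic, snapshot again.  Also report whether the conntrack
# module is loaded at all, since a rule using "ct state" depends on it.
live_check() {
    lsmod | grep -q '^nf_conntrack ' || echo "warning: nf_conntrack is not loaded" >&2
    s1=$(nft list chain ip filter INPUT)
    apt-get update >/dev/null 2>&1 || true   # any outbound connection will do
    s2=$(nft list chain ip filter INPUT)
    ct_counter_delta "$s1" "$s2"
}

demo() {
    printf 'working conntrack, packets matched: %s\n' \
        "$(ct_counter_delta "$SNAP_BEFORE" "$SNAP_AFTER_OK")"
    if ct_counter_delta "$SNAP_BEFORE" "$SNAP_AFTER_BROKEN" >/dev/null; then
        echo "unexpected: counter moved"
    else
        echo "counter unchanged: replies are not being classified as established/related"
    fi
}
demo
```

A delta of zero after traffic that clearly completed (the poster's `apt` run only works with INPUT opened up) means the packets reaching this chain are not carrying the established/related state, so the cause has to be looked for before this rule: the rules in the other included files and tables that hook the same path with a higher priority, or conntrack not tracking the flow at all. The `nf_conntrack` check in `live_check` covers the second case; `nft list ruleset` (rather than a single table) covers the first.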