
Using iptables, it is possible to block fragmented packets with this rule:

iptables -A INPUT -f -j DROP

But there isn't an equivalent in nftables. Is there any way to do it?

Colt
rfmoz

2 Answers

From the Nftables Wiki or just man nft, you can use ip frag-off. Now (after a few trials and errors) the 3 flags (reserved, DF, MF) are included in this value as the 3 highest bits and have to be excluded from the test, needing an & operation. So this:

nft 'add rule ip filter input ip frag-off & 0x1fff != 0 drop'

Would do it...

... but when nf_conntrack_ipv4 is loaded (almost always), its specific nf_defrag_ipv4 part registers at hook priority -400 and will reassemble all fragments. That means any processing after it won't see any fragment. So your chain has to hook with a priority value lower than that. Here's a complete working example:

nft add table filter
nft 'add chain filter predefrag { type filter hook prerouting priority -450; }'
nft 'add rule ip filter predefrag ip frag-off & 0x1fff != 0 drop'

Arguably the 1st packet is also a fragment with offset 0 but with MF set. So maybe 0x1fff should be replaced with 0x3fff to catch it.

A.B


Try:

iptables-translate -A INPUT -f -j DROP

Result:

nft add rule ip filter INPUT ip frag-off != 0 counter drop

iptables-translate comes from (on Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux):

apt install iptables-nftables-compat

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority

or nft 'add rule inet filter input ip frag-off 0x4000 counter accept'

zoeurk
  • Today's result of iptables-translate is different (meaning the older translation was wrong): `iptables-translate -A INPUT -f -j DROP` => `nft add rule ip filter INPUT ip frag-off & 0x1fff != 0 counter drop`, which is what I wrote 1 1/2 years before. – A.B Aug 11 '20 at 10:58
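To see why the mask matters in the rules from both answers above, here is an added example (my own code, not from either answerer or from the nftables project) that models the 16-bit IPv4 flags+fragment-offset field the way ip frag-off exposes it, builds a few constructed IPv4 headers, and evaluates the three match expressions that appear on this page against them: the older translation's frag-off != 0, the offset-only & 0x1fff test, and the & 0x3fff variant that also catches the first fragment. The sample addresses, ID and sizes are made up; nothing is sent on the wire.

```python
import struct

# The IPv4 flags+fragment-offset field (header bytes 6-7) is 16 bits wide:
# bit 15 reserved, bit 14 DF, bit 13 MF, bits 0-12 the fragment offset in 8-byte units.
FLAG_RESERVED = 0x8000
FLAG_DF = 0x4000
FLAG_MF = 0x2000
OFFSET_MASK = 0x1FFF

# The three nft match expressions compared in the answers above, evaluated on the raw field.
RULES = {
    "frag-off != 0": lambda f: f != 0,                                   # older iptables-translate output
    "frag-off & 0x1fff != 0": lambda f: (f & OFFSET_MASK) != 0,          # offset only: non-first fragments
    "frag-off & 0x3fff != 0": lambda f: (f & (OFFSET_MASK | FLAG_MF)) != 0,  # offset or MF: every fragment
}


def make_ipv4_header(flags: int, offset_units: int, total_length: int = 1500) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed sample; checksum left at zero)."""
    if offset_units & ~OFFSET_MASK:
        raise ValueError("fragment offset does not fit in 13 bits")
    frag_field = (flags & (FLAG_RESERVED | FLAG_DF | FLAG_MF)) | offset_units
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length,          # version/IHL, TOS, total length
        0x1234, frag_field,             # identification, flags+offset
        64, 17, 0,                      # TTL, protocol (UDP), checksum (not computed here)
        bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]),  # documentation-range addresses
    )


def frag_off_field(header: bytes) -> int:
    """Extract the raw flags+offset field, which is what 'ip frag-off' compares against."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", header[6:8])[0]


def evaluate(header: bytes) -> dict:
    """Return, per rule name, whether that rule would drop the given packet."""
    field = frag_off_field(header)
    return {name: test(field) for name, test in RULES.items()}


# Constructed samples: one ordinary DF datagram and the three pieces of a fragmented datagram.
SAMPLES = {
    "unfragmented, DF set": make_ipv4_header(FLAG_DF, 0),
    "first fragment (offset 0, MF)": make_ipv4_header(FLAG_MF, 0),
    "middle fragment (offset 185, MF)": make_ipv4_header(FLAG_MF, 185),
    "last fragment (offset 370)": make_ipv4_header(0, 370),
}


def evaluate_samples() -> dict:
    """Evaluate every rule against every sample; keyed by sample name, then rule name."""
    return {name: evaluate(hdr) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in evaluate_samples().items():
        print(name)
        for rule, hit in result.items():
            print(f"  {rule:<24} -> {'drop' if hit else 'pass'}")
```

The first sample is the one to watch: an ordinary datagram with DF set (most TCP traffic) has a non-zero field because of the flag bit alone, so the older frag-off != 0 translation would drop it, while both masked forms pass it. The first fragment (offset 0, MF set) is dropped only by the 0x3fff mask, which is the point of the last paragraph of the accepted answer. Whether any of these rules sees a fragment at all still depends on hooking before nf_defrag_ipv4, as that answer explains.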