Netfilter: adding a multiport rule

+1 vote
457 views

How do I add a multiport rule?

 nft add rule ip filter output tcp dports 99,200 ip daddr 1.1.1.1 counter meta oif eth0

fails.

I see that the range works,

 nft add rule ip filter output tcp dport 99-105 ip daddr 1.1.1.1 counter meta oif eth0
posted Sep 25, 2013 by Sonu Jindal


1 Answer

+1 vote

Try with an anonymous set:

 nft add rule filter output tcp dport {99 , 200} ip daddr 1.1.1.1 counter meta oif eth0
answer Sep 25, 2013 by Kumar Mitrasen
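As an added example (not code from the question or the answer above), a POSIX shell helper that turns a multiport spec such as "99,200" or "22,443,8000-8100" into the anonymous-set syntax the answer uses, composes the full rule, and dry-runs it with nft -c when nft is installed. The table, chain, address and interface names follow the question; the comma/dash spec format and the function names are assumptions of this example.

```shell
# Turn a port spec like "99,200" or "22,443,8000-8100" into nft syntax.
# A single item is emitted bare ("99-105"); several become an anonymous
# set ("{ 99, 200 }"), which nft accepts where "dport 99,200" fails.
# Ports are validated so an untrusted spec cannot smuggle text into a batch.
nft_port_set() {
    spec=$1
    out=""
    count=0
    for item in $(printf '%s' "$spec" | tr ',' ' '); do
        lo=${item%-*}   # unchanged when the item has no '-'
        hi=${item#*-}
        for p in "$lo" "$hi"; do
            case $p in
                ''|*[!0-9]*) echo "bad port '$p' in '$item'" >&2; return 1 ;;
            esac
            if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
                echo "port $p out of range" >&2; return 1
            fi
        done
        if [ "$lo" -gt "$hi" ]; then
            echo "inverted range $item" >&2; return 1
        fi
        out="${out:+$out, }$item"
        count=$((count + 1))
    done
    [ "$count" -gt 0 ] || { echo "empty port spec" >&2; return 1; }
    if [ "$count" -eq 1 ]; then
        printf '%s\n' "$out"
    else
        printf '{ %s }\n' "$out"
    fi
}

# Compose the rule from the answer: port set, destination address, counter, oif.
multiport_rule() {
    set_expr=$(nft_port_set "$1") || return 1
    printf 'add rule ip filter output tcp dport %s ip daddr %s counter meta oif %s\n' \
        "$set_expr" "$2" "$3"
}

# Dry-run the rule with "nft -c" (check only, nothing is committed). The table
# and chain are declared in the same batch so the check does not depend on
# the live ruleset. Skipped with status 0 when nft is not installed.
check_rule() {
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; skipping check" >&2; return 0; }
    rule=$(multiport_rule "$@") || return 1
    printf 'add table ip filter\nadd chain ip filter output { type filter hook output priority 0; }\n%s\n' "$rule" \
        | nft -c -f /dev/stdin
}
```

Usage: `check_rule '99,200' 1.1.1.1 eth0` prints nothing on success; a rejected spec or a syntax error from nft returns non-zero before anything touches the live ruleset.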
Similar Questions
+1 vote

Is there a way to find out if there are any iptables rules set on a machine?

There are some indirect ways which will not always work; for example, I know that on most hosts, iptables -S will return the following output (when no iptables rules are set):
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

So you can check whether or not the number of output lines is greater than 3 (as an indication of whether or not iptables rules are set). But there are hosts on which there are more chains than these 3; these chains are set by applications/services, even without any iptables rules being set. And after running iptables -F on these machines, iptables -S will still show more than 3 chains, even though there are no iptables rules set in these chains.

So the question is - is there a way to know whether or not netfilter rules are set on a host, regardless of the number of chains?

0 votes

Is it possible to bind multiple address families in netfilter queue? I see IPv4 show up in my queue, but not ARP. With error code removed, here is how I'm calling nfq_bind:

netfilterqueue_handle = nfq_open();
netfilterqueue_queue = nfq_create_queue( netfilterqueue_handle, 0,

nfq_bind_pf( netfilterqueue_handle, AF_INET );
nfq_bind_pf( netfilterqueue_handle, NF_ARP );

I'm thinking the more likely possibility is that the iptables rules I'm using to send traffic to the queue are too restrictive. Here are the rules I have:

# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*nat
:PREROUTING ACCEPT [161:14105]
:INPUT ACCEPT [56:4995]
:OUTPUT ACCEPT [56:4496]
:POSTROUTING ACCEPT [56:4496]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Feb 14 10:40:46 2015
# Generated by iptables-save v1.4.21 on Sat Feb 14 10:40:46 2015
*filter
:INPUT ACCEPT [1017:217421]
:FORWARD DROP [53:2307]
:OUTPUT ACCEPT [934:211104]
:MYRA - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j MYRA
-A FORWARD -s 10.0.1.0/24 -o eth0 -m conntrack --ctstate NEW -j MYRA
-A MYRA -j NFQUEUE --queue-num 0 --queue-bypass
COMMIT
# Completed on Sat Feb 14 10:40:46 2015

Do I have to add another FORWARD line to get ARP to jump to MYRA? What would it look like?

+1 vote

I know that a packet traverses the Netfilter hooks, but how do I practically realize that? Any suggestions...

0 votes

I am trying to queue the packets of a process so I can use libnetfilter_queue to modify them.

I read in the documentation that I should use --pid-owner processid to filter packets of a process and iptables -I

  -j NFQUEUE --queue-num  to add them to the queue.

I read the documentation but I am still confused about how to do this. If anyone can help me to understand this command I would appreciate it a lot.

0 votes

While I was looking for ways to move some firewalling functionality into user space (parse the packet to decide whether to drop or accept it, along with some reporting in the drop case), I came across iptables' NFQUEUE target, which, along with libnetfilter_queue, seems to be a perfect match for my use case.
However, parts of the doxygen documentation (at https://www.netfilter.org/projects/libnetfilter_queue/doxygen/html/modules.html ) are marked deprecated (i.e. Queue handling, Library setup, Message parsing functions, and Printing).

I may have missed it while I was searching the netfilter mailing list archives in this context, but I could not find any hint on the reason why these parts of libnetfilter_queue are deprecated (apart from nfq_set_verdict_mark() being marked as deprecated) nor did I find any hint on a replacement. Could you enlighten me here?

...