How to block IPs using nftables

Hi,

I have the following nftables rules:

table inet fw4 { # handle 1
	chain input { # handle 1
		type filter hook input priority filter; policy accept;
		iifname "lo" accept comment "!fw4: Accept traffic from loopback" # handle 903
		ct state established,related accept comment "!fw4: Allow inbound established and related flows" # handle 904
		tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets" # handle 905
		iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" # handle 906
		iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" # handle 907
	}

	chain forward { # handle 2
		type filter hook forward priority filter; policy drop;
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows" # handle 908
		iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" # handle 909
		iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" # handle 910
		jump upnp_forward comment "Hook into miniupnpd forwarding chain" # handle 911
		jump handle_reject # handle 912
	}

	chain output { # handle 3
		type filter hook output priority filter; policy accept;
		oifname "lo" accept comment "!fw4: Accept traffic towards loopback" # handle 913
		ct state established,related accept comment "!fw4: Allow outbound established and related flows" # handle 914
		oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" # handle 915
		oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" # handle 916
	}

	chain prerouting { # handle 4
		type filter hook prerouting priority filter; policy accept;
		iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" # handle 917
	}

	chain handle_reject { # handle 5
		meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" # handle 918
		reject comment "!fw4: Reject any other traffic" # handle 919
	}

	chain syn_flood { # handle 6
		limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit" # handle 920
		drop comment "!fw4: Drop excess packets" # handle 921
	}

	chain input_lan { # handle 7
		ct status dnat accept comment "!fw4: Accept port redirections" # handle 922
		jump accept_from_lan # handle 923
	}

	chain output_lan { # handle 8
		jump accept_to_lan # handle 924
	}

	chain forward_lan { # handle 9
		jump accept_to_wan comment "!fw4: Accept lan to wan forwarding" # handle 925
		ct status dnat accept comment "!fw4: Accept port forwards" # handle 926
		jump accept_to_lan # handle 927
	}

	chain helper_lan { # handle 10
	}

	chain accept_from_lan { # handle 11
		iifname "br-lan" counter packets 86094 bytes 7941439 accept comment "!fw4: accept lan IPv4/IPv6 traffic" # handle 928
	}

	chain accept_to_lan { # handle 12
		oifname "br-lan" counter packets 85342 bytes 35711945 accept comment "!fw4: accept lan IPv4/IPv6 traffic" # handle 929
	}

	chain input_wan { # handle 13
		meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew" # handle 932
		icmp type echo-request counter packets 2101 bytes 97838 accept comment "!fw4: Allow-Ping" # handle 933
		meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP" # handle 934
		meta nfproto ipv6 udp dport 546 counter packets 1 bytes 237 accept comment "!fw4: Allow-DHCPv6" # handle 935
		ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD" # handle 936
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 17 bytes 1088 accept comment "!fw4: Allow-ICMPv6-Input" # handle 937
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 605 bytes 43560 accept comment "!fw4: Allow-ICMPv6-Input" # handle 938

		ct status dnat accept comment "!fw4: Accept port redirections" # handle 943
		jump reject_from_wan # handle 944
	}

	chain output_wan { # handle 14
		jump accept_to_wan # handle 945
	}

	chain forward_wan { # handle 15
		icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 21 bytes 2638 accept comment "!fw4: Allow-ICMPv6-Forward" # handle 946
		icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward" # handle 947
		meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP" # handle 948
		udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP" # handle 949

		ct status dnat accept comment "!fw4: Accept port forwards" # handle 970
		jump reject_to_wan # handle 971
	}

	chain accept_to_wan { # handle 16
		oifname "wan" counter packets 12451712 bytes 1583784248 accept comment "!fw4: accept wan IPv4/IPv6 traffic" # handle 972
	}

	chain reject_from_wan { # handle 17
		iifname "wan" counter packets 602391 bytes 53693393 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic" # handle 973
	}

	chain reject_to_wan { # handle 18
		oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic" # handle 974
	}

	chain dstnat { # handle 19
		type nat hook prerouting priority dstnat; policy accept;
		iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic" # handle 975
		iifname "wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic" # handle 976
		jump upnp_prerouting comment "Hook into miniupnpd prerouting chain" # handle 977
	}

	chain srcnat { # handle 20
		type nat hook postrouting priority srcnat; policy accept;
		oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic" # handle 978
		oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic" # handle 979
		jump upnp_postrouting comment "Hook into miniupnpd postrouting chain" # handle 980
	}

	chain dstnat_lan { # handle 21
	}

	chain srcnat_lan { # handle 22
	}

	chain dstnat_wan { # handle 23
	}

	chain srcnat_wan { # handle 24
		meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic" # handle 1011
	}

	chain raw_prerouting { # handle 25
		type filter hook prerouting priority raw; policy accept;
	}

	chain raw_output { # handle 26
		type filter hook output priority raw; policy accept;
	}

	chain mangle_prerouting { # handle 27
		type filter hook prerouting priority mangle; policy accept;
	}

	chain mangle_postrouting { # handle 28
		type filter hook postrouting priority mangle; policy accept;
	}

	chain mangle_input { # handle 29
		type filter hook input priority mangle; policy accept;
	}

	chain mangle_output { # handle 30
		type route hook output priority mangle; policy accept;
	}

	chain mangle_forward { # handle 31
		type filter hook forward priority mangle; policy accept;
		iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing" # handle 1012
		oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" # handle 1013
	}

	chain upnp_forward { # handle 456
	}

	chain upnp_prerouting { # handle 457
	}

	chain upnp_postrouting { # handle 458
	}
}

I tried the following rules to try to block an IP, and they don't work:

nft insert rule inet fw4 input_wan ip saddr xx.xx.xx.xx drop
nft insert rule inet fw4 input ip saddr xx.xx.xx.xx drop
nft add rule inet fw4 input ip saddr xx.xx.xx.xx drop

The specific IP's traffic is still coming through.

Can someone advise what's the exact command to use to block xx.xx.xx.xx coming from the Internet?

What are you trying to block and how do you see it still getting through?

The INPUT chains control the incoming traffic to the router itself.
The default firewall rules for the wan interface are restrictive enough to block any unsolicited traffic (to the router itself) except for ping and some other useful and harmless stuff.

If you want to block connections to your LAN, you must use the FORWARD chain.
There are no port forwarding rules, so (again) any unsolicited incoming connections from the Internet to the LAN will be blocked.

Whatever you see is a reply to a request made by a device on your network.
If you want to block the replies from a specific IP address, you need to insert your rule in the forward chain before the rule accepting established/related connections.

nft insert rule inet fw4 forward ip saddr A.B.C.D counter drop
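The answer above turns on rule order: a drop rule only fires if it is evaluated before the `ct state established,related accept` rule on the path from the base chain, and `nft insert` (prepend) versus `nft add` (append) decides that. The following is an added example, not code from the thread or from fw4: a small checker that parses an `nft list ruleset` dump, follows `jump`/`goto` from each base chain in rule order, and reports whether a `ip saddr X ... drop` rule in a given chain is reached before any established/related accept. The ruleset inside it is a constructed, abbreviated copy of the fw4 layout shown in the question (the address 203.0.113.7 is a documentation address standing in for xx.xx.xx.xx), and the function names are my own.

```python
"""Check whether an nftables drop rule is evaluated before the
'ct state established,related accept' rule on its path from the base chain."""
import re

# Constructed, abbreviated ruleset in the shape of the fw4 dump above
# (real dumps carry '# handle N' and 'comment "..."' on each line; both are handled).
SAMPLE_RULESET = """\
table inet fw4 {
    chain input { # handle 1
        type filter hook input priority filter; policy accept;
        iifname "lo" accept comment "!fw4: Accept traffic from loopback"
        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
        iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
    }
    chain forward { # handle 2
        type filter hook forward priority filter; policy drop;
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
        iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
        jump handle_reject
    }
    chain input_wan { # handle 13
        ip saddr 203.0.113.7 drop
        jump reject_from_wan
    }
    chain forward_wan { # handle 15
        jump reject_to_wan
    }
    chain handle_reject { # handle 5
        reject comment "!fw4: Reject any other traffic"
    }
}
"""

ESTABLISHED = re.compile(r'ct state [^ ]*established[^ ]* accept')
JUMP = re.compile(r'\b(?:jump|goto)\s+(\S+)')


def parse_ruleset(text):
    """Return {chain: {"hook": hook-or-None, "rules": [rule, ...]}} from an nft dump."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip '# handle N' trailers
        m = re.match(r'chain\s+(\S+)\s*\{', line)
        if m:
            current = m.group(1)
            chains[current] = {"hook": None, "rules": []}
            continue
        if line == "}":  # closes a chain or the table
            current = None
            continue
        if not line or current is None:
            continue
        m = re.match(r'type\s+\S+\s+hook\s+(\S+)\s+priority', line)
        if m:
            chains[current]["hook"] = m.group(1)  # base chain
            continue
        chains[current]["rules"].append(line)
    return chains


def _walk(chains, name, target, predicate, seen_est, visited):
    """Depth-first walk in rule order; returns True/False (established accept seen
    before the matching rule) or None if the rule is not reached via this chain."""
    if name in visited:
        return None
    visited = visited | {name}
    for rule in chains[name]["rules"]:
        if name == target and predicate(rule):
            return seen_est
        if ESTABLISHED.search(rule):
            seen_est = True
        m = JUMP.search(rule)
        if m and m.group(1) in chains:  # conditional jumps count as reachable
            res = _walk(chains, m.group(1), target, predicate, seen_est, visited)
            if res is not None:
                return res
    return None


def find_path(chains, target, predicate):
    """(hook, shadowed) for the first base chain whose walk reaches the rule, else None."""
    for name, chain in chains.items():
        if chain["hook"] is None:
            continue
        res = _walk(chains, name, target, predicate, False, set())
        if res is not None:
            return chain["hook"], res
    return None


def placement_report(ruleset_text, chain, saddr, mode=None):
    """Simulate 'nft insert|add rule inet fw4 <chain> ip saddr <saddr> counter drop'
    (mode 'insert' prepends, 'add' appends, None examines the dump as-is)."""
    chains = parse_ruleset(ruleset_text)
    rule = f"ip saddr {saddr} counter drop"
    if mode == "insert":
        chains[chain]["rules"].insert(0, rule)
    elif mode == "add":
        chains[chain]["rules"].append(rule)
    pattern = re.compile(rf'ip saddr {re.escape(saddr)}\b.*\bdrop\b')
    found = find_path(chains, chain, lambda r: pattern.search(r) is not None)
    if found is None:
        return "unreachable"
    hook, shadowed = found
    verdict = "shadowed by ct state established,related accept" if shadowed else "effective"
    return f"{hook} hook: {verdict}"


if __name__ == "__main__":
    for chain, mode in (("input_wan", None), ("input", "insert"),
                        ("forward", "add"), ("forward", "insert")):
        print(f"{mode or 'existing':8} {chain:10} -> "
              f"{placement_report(SAMPLE_RULESET, chain, '203.0.113.7', mode)}")
```

Run against the sample, the rule in `input_wan` is shadowed (the `input` base chain accepts established flows before it jumps there), `nft add ... forward` appends after the established accept and is shadowed too, and only `nft insert ... forward` is reported effective on the `forward` hook. An effective rule on the `input` hook is still the wrong place for traffic to a LAN host, which traverses `forward`; the reported hook name is what tells you that. On a live box, `nft -c -f <file>` checks syntax before loading, and `nft list chain inet fw4 forward` confirms where the rule actually landed.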

I'm seeing the IP coming through in the Windows Event Viewer application.

I'm trying to block a specific IP from the Internet and the command that you gave me worked.

Thank you very much.


May I say:

  1. chain input_wan: Handling incoming traffic on the WAN interface, typically used for processing inbound WAN traffic

  2. chain forward: Handling data packets received from the WAN interface, which need to be further forwarded to the local LAN or other local interfaces.
