Hi,
I have the following nftables ruleset (OpenWrt fw4; listed with `nft -a list ruleset`, hence the `# handle` annotations):
# OpenWrt fw4 ruleset as listed with `nft -a list ruleset` (the trailing
# "# handle N" on each line is the live rule handle). Base chains -- those with
# a "type ... hook ..." line -- are where packets enter; every other chain is
# only reached through a jump. Inside a chain rule order IS the semantics:
# the first terminal verdict (accept / drop / reject) wins.
#
# Reading guide for "why does my drop rule not match?":
#   * packets addressed to the router itself: hook prerouting -> hook input
#   * packets routed on to LAN hosts (port forwards, UPnP mappings, IPv6
#     without NAT): hook prerouting -> hook forward; they never traverse input
#   * raw_prerouting (priority raw) is the earliest hook in this table and is
#     evaluated before connection tracking, so a drop there covers both paths
# NOTE(review): no "ip saddr ... drop" rule appears anywhere in this listing,
# so either it was taken before the block rules were added or those rules have
# since been flushed (fw4 reload regenerates the whole inet fw4 table).
table inet fw4 { # handle 1
# Traffic destined to the router itself (ssh, web UI, DNS, DHCP, ...).
chain input { # handle 1
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "!fw4: Accept traffic from loopback" # handle 903
# Any packet with an existing conntrack entry is accepted here, before the
# zone chains; a block rule placed after this line never sees packets of
# flows that were already established when the rule was added.
ct state established,related accept comment "!fw4: Allow inbound established and related flows" # handle 904
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets" # handle 905
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic" # handle 906
# input_wan ends in reject_from_wan -> handle_reject, a terminal verdict for
# every packet arriving on "wan" that was not accepted before it. A rule
# APPENDED to this chain (`nft add rule ... input ...`) is therefore never
# reached for wan packets; only a rule INSERTED at the top is.
iifname "wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic" # handle 907
}
# Traffic routed through the router (LAN <-> Internet). The policy is drop and
# the trailing jump handle_reject turns the effective default into "reject".
chain forward { # handle 2
type filter hook forward priority filter; policy drop;
ct state established,related accept comment "!fw4: Allow forwarded established and related flows" # handle 908
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic" # handle 909
# Unsolicited wan -> lan packets only get through via the "ct status dnat
# accept" in forward_wan (static port forwards and anything miniupnpd set up)
# and the IPsec ESP / ISAKMP rules there. Everything else falls through to
# handle_reject below.
iifname "wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic" # handle 910
# Presumably filled by miniupnpd at runtime; empty at the time of this listing.
jump upnp_forward comment "Hook into miniupnpd forwarding chain" # handle 911
jump handle_reject # handle 912
}
# Traffic originating from the router itself.
chain output { # handle 3
type filter hook output priority filter; policy accept;
oifname "lo" accept comment "!fw4: Accept traffic towards loopback" # handle 913
ct state established,related accept comment "!fw4: Allow outbound established and related flows" # handle 914
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic" # handle 915
oifname "wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic" # handle 916
}
# Conntrack-helper assignment for LAN traffic; helper_lan is empty here.
chain prerouting { # handle 4
type filter hook prerouting priority filter; policy accept;
iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment" # handle 917
}
# Shared terminal chain: TCP gets a RST, everything else an ICMP error.
chain handle_reject { # handle 5
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic" # handle 918
reject comment "!fw4: Reject any other traffic" # handle 919
}
# SYN rate limiter: under the limit the packet returns to `input` and keeps
# being evaluated; over the limit it is dropped.
chain syn_flood { # handle 6
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit" # handle 920
drop comment "!fw4: Drop excess packets" # handle 921
}
chain input_lan { # handle 7
ct status dnat accept comment "!fw4: Accept port redirections" # handle 922
jump accept_from_lan # handle 923
}
chain output_lan { # handle 8
jump accept_to_lan # handle 924
}
chain forward_lan { # handle 9
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding" # handle 925
ct status dnat accept comment "!fw4: Accept port forwards" # handle 926
jump accept_to_lan # handle 927
}
chain helper_lan { # handle 10
}
chain accept_from_lan { # handle 11
iifname "br-lan" counter packets 86094 bytes 7941439 accept comment "!fw4: accept lan IPv4/IPv6 traffic" # handle 928
}
chain accept_to_lan { # handle 12
oifname "br-lan" counter packets 85342 bytes 35711945 accept comment "!fw4: accept lan IPv4/IPv6 traffic" # handle 929
}
# Services the router exposes on the wan side. Everything not accepted here is
# rejected at the end of the chain.
chain input_wan { # handle 13
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew" # handle 932
icmp type echo-request counter packets 2101 bytes 97838 accept comment "!fw4: Allow-Ping" # handle 933
meta nfproto ipv4 meta l4proto igmp counter packets 0 bytes 0 accept comment "!fw4: Allow-IGMP" # handle 934
meta nfproto ipv6 udp dport 546 counter packets 1 bytes 237 accept comment "!fw4: Allow-DHCPv6" # handle 935
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . no-route, mld-listener-report . no-route, mld-listener-done . no-route, mld2-listener-report . no-route } counter packets 0 bytes 0 accept comment "!fw4: Allow-MLD" # handle 936
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second counter packets 17 bytes 1088 accept comment "!fw4: Allow-ICMPv6-Input" # handle 937
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, nd-neighbor-solicit . no-route, nd-neighbor-advert . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 605 bytes 43560 accept comment "!fw4: Allow-ICMPv6-Input" # handle 938
# Packets already rewritten by a DNAT rule (port redirections to the router
# itself) are accepted regardless of port.
ct status dnat accept comment "!fw4: Accept port redirections" # handle 943
jump reject_from_wan # handle 944
}
chain output_wan { # handle 14
jump accept_to_wan # handle 945
}
# Packets arriving on wan that are to be routed elsewhere (normally to LAN).
chain forward_wan { # handle 15
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second counter packets 21 bytes 2638 accept comment "!fw4: Allow-ICMPv6-Forward" # handle 946
icmpv6 type . icmpv6 code { packet-too-big . no-route, parameter-problem . no-route, parameter-problem . admin-prohibited } limit rate 1000/second counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward" # handle 947
# fw4 defaults: ESP and IKE (udp/500) from ANY Internet host are forwarded to
# the LAN. Harmless unless a LAN host answers IPsec; worth reviewing if none does.
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP" # handle 948
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP" # handle 949
# Port forwards, including mappings created through miniupnpd, are accepted
# here -- such traffic reaches the LAN host without ever touching `input`.
ct status dnat accept comment "!fw4: Accept port forwards" # handle 970
# reject_to_wan only matches oifname "wan"; wan -> lan packets that get this
# far return to `forward` and are rejected by its final jump handle_reject.
jump reject_to_wan # handle 971
}
chain accept_to_wan { # handle 16
oifname "wan" counter packets 12451712 bytes 1583784248 accept comment "!fw4: accept wan IPv4/IPv6 traffic" # handle 972
}
# The counter here is what you watch to see how much wan traffic is rejected.
chain reject_from_wan { # handle 17
iifname "wan" counter packets 602391 bytes 53693393 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic" # handle 973
}
chain reject_to_wan { # handle 18
oifname "wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic" # handle 974
}
# Destination NAT (port forwards). Runs before the filter hooks above, so a
# DNAT'ed packet shows up in `forward` (or input) with "ct status dnat".
chain dstnat { # handle 19
type nat hook prerouting priority dstnat; policy accept;
iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic" # handle 975
iifname "wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic" # handle 976
# Presumably where miniupnpd inserts its redirects; empty at listing time.
jump upnp_prerouting comment "Hook into miniupnpd prerouting chain" # handle 977
}
chain srcnat { # handle 20
type nat hook postrouting priority srcnat; policy accept;
oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic" # handle 978
oifname "wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic" # handle 979
jump upnp_postrouting comment "Hook into miniupnpd postrouting chain" # handle 980
}
chain dstnat_lan { # handle 21
}
chain srcnat_lan { # handle 22
}
chain dstnat_wan { # handle 23
}
# IPv4 only is masqueraded. IPv6 is routed without NAT, so if LAN hosts have
# global IPv6 addresses they are reachable from the Internet and are protected
# solely by the forward chain above.
chain srcnat_wan { # handle 24
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic" # handle 1011
}
# Earliest hook in this table: priority raw runs before connection tracking
# and before dstnat. Empty here. A rule such as
#   iifname "wan" ip saddr <addr> counter drop
# inserted into this chain blocks that address on both the input and the
# forward path, before any conntrack entry exists. Anything added with the nft
# CLI lives only until the next fw4 reload, which recreates this table.
chain raw_prerouting { # handle 25
type filter hook prerouting priority raw; policy accept;
}
chain raw_output { # handle 26
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting { # handle 27
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting { # handle 28
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input { # handle 29
type filter hook input priority mangle; policy accept;
}
chain mangle_output { # handle 30
type route hook output priority mangle; policy accept;
}
# MSS clamping on SYNs crossing wan in either direction.
chain mangle_forward { # handle 31
type filter hook forward priority mangle; policy accept;
iifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing" # handle 1012
oifname "wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing" # handle 1013
}
# miniupnpd hook chains (handles 456-458 were added after the fw4 ones). All
# three are empty in this listing, i.e. no UPnP mapping was active when it was
# taken; check them again when a LAN host is reachable unexpectedly.
chain upnp_forward { # handle 456
}
chain upnp_prerouting { # handle 457
}
chain upnp_postrouting { # handle 458
}
}
I tried each of the following commands to block a single source IP (xx.xx.xx.xx), and none of them works:
# All three attempts match "ip saddr", i.e. IPv4 only -- if the offending
# address is IPv6 the selector has to be "ip6 saddr". None of them carries a
# "counter", so there is no way to see whether the rule ever matched;
# `nft -a list chain inet fw4 input` shows the rule (if it still exists) and
# its hit count once "counter" is added.
#
# Attempt 1: top of input_wan. Only evaluated for packets that arrive on "wan"
# AND are addressed to the router itself (input hook). Traffic that is
# port-forwarded or UPnP-mapped to a LAN host traverses `forward`, not
# `input`, and is unaffected by this rule.
nft insert rule inet fw4 input_wan ip saddr xx.xx.xx.xx drop
# Attempt 2: top of the input base chain, ahead of the established,related
# accept -- this does drop everything the IPv4 address sends TO THE ROUTER.
# If traffic "still comes through" it is forwarded (see above), IPv6, or the
# rule is gone: `fw4 reload` / `/etc/init.d/firewall restart` regenerates the
# whole inet fw4 table and discards anything added with the nft CLI.
nft insert rule inet fw4 input ip saddr xx.xx.xx.xx drop
# Attempt 3: "add" APPENDS to the end of input. For packets arriving on "wan"
# the chain has already terminated at `jump input_wan` -> reject_from_wan ->
# handle_reject (a terminal reject), so this rule is never reached for them.
nft add rule inet fw4 input ip saddr xx.xx.xx.xx drop
#
# NOTE(review): what a practitioner would use instead -- the raw prerouting
# chain is the earliest hook in the table (before conntrack and before dstnat),
# so one rule there covers both the input and the forward path:
#   nft insert rule inet fw4 raw_prerouting iifname "wan" ip saddr xx.xx.xx.xx counter drop
# (use "ip6 saddr" for an IPv6 address). To make the block survive a firewall
# reload, put it in /etc/config/firewall instead of the nft CLI:
#   config rule
#       option name 'Block-xx'
#       option src 'wan'
#       option src_ip 'xx.xx.xx.xx'
#       option proto 'all'
#       option target 'DROP'
# then run `fw4 reload`. A rule with only "src" presumably lands in input_wan;
# add a second one with "option dest '*'" for the forward path, or place an
# .nft file with a raw-priority chain in /etc/nftables.d/ (fw4 includes those
# into the inet fw4 table on reload -- verify against your fw4 version).
Traffic from that specific IP still gets through.
Can someone advise the exact command to block all traffic from xx.xx.xx.xx arriving on the Internet-facing (wan) interface — both traffic to the router itself and traffic forwarded to LAN hosts — ideally in a way that survives a firewall reload?