How to rewrite a rule from iptables to nftables?

I cannot rewrite it myself; could someone who knows nftables please rewrite it?

iptables -t raw -I PREROUTING -i eth0.2 -p tcp --sport 443 --tcp-flags RST RST -j DROP

nft insert rule inet fw4 raw_prerouting iifname "eth0.2" tcp sport 443 'tcp flags & (rst) == rst' counter drop

Don't miss the single quotes.


Thank you very much!!!
It works through PuTTY:
nft add rule inet fw4 raw_prerouting iifname "eth0.2" tcp sport 443 'tcp flags & (rst) == rst' counter drop
It is not possible to save the setting; even when added manually through LuCI to /etc/rc.local it does not work either. Only entering the commands manually through PuTTY works.
Maybe you can tell me how to save it? Searching on the internet did not give a result.
OpenWrt version 22.03.3

You can add the statement to an include file.

Path: /usr/share/nftables.d/chain-post/raw_prerouting/01-tcp-rst.nft

Content:

iifname "eth0.2" tcp sport 443 tcp flags & (rst) == rst counter drop

(No shell quotes inside the include file: the single quotes are only needed on the command line, where the shell would otherwise treat & and ( specially.)

You can save it wherever you want; the question is how to save it.
Please give an example of how to save it.

mkdir -p /usr/share/nftables.d/chain-post/raw_prerouting

cat >/usr/share/nftables.d/chain-post/raw_prerouting/01-tcp-rst.nft <<EOF
iifname "eth0.2" tcp sport 443 tcp flags & (rst) == rst counter drop
EOF

/etc/init.d/firewall restart

In general, if you have access to a normal desktop Linux such as Debian, Ubuntu, etc., you can ask the system how to translate most iptables commands:

dlakelan@tintin:~$ iptables-translate -t raw -I PREROUTING -i eth0.2 -p tcp --sport 443 --tcp-flags RST RST -j DROP
nft insert rule ip raw PREROUTING iifname "eth0.2" tcp sport 443 tcp flags rst / rst counter drop
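The two things the thread works out by hand, the iptables-to-fw4 translation and the include-file line that persists it, can be tied together in a small script. The following is an added example, not code from the thread or from OpenWrt. It handles only the narrow iptables option subset seen above (table/chain, -i/-o, -s/-d, -p, --sport/--dport, --tcp-flags, -j DROP/ACCEPT), assumes IPv4 iptables, and its chain map takes only raw/PREROUTING -> raw_prerouting from the thread; the other two map entries and the helper names (`parse_iptables`, `to_fw4`, `include_file`) are my own assumptions.

```python
#!/usr/bin/env python3
"""Translate the small iptables subset seen in this thread into fw4 nftables form.

Added example, not code from the thread or from OpenWrt. Assumptions: IPv4
iptables only, the option subset handled in parse_iptables(), and the chain
map below (only raw/PREROUTING -> raw_prerouting is taken from the thread).
"""
import shlex

# (iptables table, chain) -> chain name inside OpenWrt's "inet fw4" table.
# raw/PREROUTING -> raw_prerouting comes from the thread; the other two entries
# are my assumption and should be checked with `nft list ruleset` on the router.
FW4_CHAINS = {
    ("raw", "PREROUTING"): "raw_prerouting",
    ("raw", "OUTPUT"): "raw_output",
    ("mangle", "PREROUTING"): "mangle_prerouting",
}
TARGETS = {"DROP": "drop", "ACCEPT": "accept"}
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg", "ece", "cwr")
ALL_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")  # iptables' "ALL" keyword


def tcp_flag_set(spec, as_mask):
    """Render an iptables flag list ("RST", "SYN,ACK", "ALL", "NONE") in nft syntax."""
    spec = spec.upper()
    if spec == "NONE":
        return "0x0"
    names = list(ALL_FLAGS) if spec == "ALL" else [f.lower() for f in spec.split(",")]
    unknown = [n for n in names if n not in TCP_FLAGS]
    if unknown:
        raise ValueError(f"unknown TCP flag(s): {unknown}")
    # The mask is always parenthesised ("flags & (rst)") so that '&' binds first;
    # the compare value only needs brackets when several flags are or-ed together.
    if as_mask or len(names) > 1:
        return "(" + "|".join(names) + ")"
    return names[0]


def parse_iptables(cmd):
    """Parse one iptables command line into a dict; anything unsupported raises."""
    argv = shlex.split(cmd)
    if not argv or argv[0] != "iptables":
        raise ValueError("expected an iptables command line")
    rule = {"table": "filter"}
    i = 1
    while i < len(argv):
        opt = argv[i]
        if opt == "-t":
            rule["table"], i = argv[i + 1], i + 2
        elif opt in ("-I", "-A"):
            rule["verb"] = "insert" if opt == "-I" else "add"
            rule["chain"], i = argv[i + 1], i + 2
            if i < len(argv) and argv[i].isdigit():  # "-I CHAIN rulenum": position is ignored
                i += 1
        elif opt in ("-i", "-o"):
            rule["iifname" if opt == "-i" else "oifname"], i = argv[i + 1], i + 2
        elif opt in ("-s", "-d"):
            rule["saddr" if opt == "-s" else "daddr"], i = argv[i + 1], i + 2
        elif opt == "-p":
            rule["proto"], i = argv[i + 1], i + 2
        elif opt in ("--sport", "--dport"):
            rule[opt[2:]], i = argv[i + 1], i + 2
        elif opt == "--tcp-flags":
            rule["tcp_flags"], i = (argv[i + 1], argv[i + 2]), i + 3
        elif opt == "-j":
            rule["target"], i = argv[i + 1], i + 2
        else:
            raise ValueError(f"unsupported option {opt!r}")
    for key in ("verb", "chain", "target"):
        if key not in rule:
            raise ValueError(f"rule is missing {key}")
    return rule


def nft_expressions(rule):
    """Build the nft match expressions in the usual order: interface, address, port, flags."""
    exprs = []
    for key in ("iifname", "oifname"):
        if key in rule:
            exprs.append(f'{key} "{rule[key]}"')
    for key in ("saddr", "daddr"):
        if key in rule:
            exprs.append(f"ip {key} {rule[key]}")
    proto = rule.get("proto")
    for key in ("sport", "dport"):
        if key in rule:
            if proto not in ("tcp", "udp"):
                raise ValueError("--sport/--dport require -p tcp or -p udp")
            exprs.append(f"{proto} {key} {rule[key]}")
    if "tcp_flags" in rule:
        if proto != "tcp":
            raise ValueError("--tcp-flags requires -p tcp")
        mask, comp = rule["tcp_flags"]
        exprs.append(f"tcp flags & {tcp_flag_set(mask, True)} == {tcp_flag_set(comp, False)}")
    return exprs


def to_fw4(rule):
    """Return (nft command line, include-file line) for the fw4 ruleset."""
    try:
        chain = FW4_CHAINS[(rule["table"], rule["chain"])]
    except KeyError:
        raise ValueError(f"no fw4 chain mapped for {rule['table']}/{rule['chain']}") from None
    try:
        action = TARGETS[rule["target"]]
    except KeyError:
        raise ValueError(f"unsupported target {rule['target']}") from None
    exprs = nft_expressions(rule) + ["counter", action]
    # Inside an .nft file the expression is written as-is ...
    file_line = " ".join(exprs)
    # ... but on a shell command line '&' would background the command and '('
    # would open a subshell, so those expressions get single quotes (shlex.quote).
    shell_line = " ".join(shlex.quote(e) if any(c in e for c in "&()|") else e for e in exprs)
    return f"nft {rule['verb']} rule inet fw4 {chain} {shell_line}", file_line


def include_file(rule, name):
    """Path and content of the fw4 chain-post include that persists the rule."""
    chain = FW4_CHAINS[(rule["table"], rule["chain"])]
    _, file_line = to_fw4(rule)
    return f"/usr/share/nftables.d/chain-post/{chain}/{name}.nft", file_line + "\n"


if __name__ == "__main__":
    # The exact rule from the thread.
    r = parse_iptables("iptables -t raw -I PREROUTING -i eth0.2 -p tcp --sport 443 "
                       "--tcp-flags RST RST -j DROP")
    cmd, _ = to_fw4(r)
    path, body = include_file(r, "01-tcp-rst")
    print(cmd)
    print(f"# {path}\n{body}", end="")
```

For the thread's rule this reproduces both forms given above: the quoted `nft insert rule inet fw4 raw_prerouting ...` command for the PuTTY session and the unquoted line for `/usr/share/nftables.d/chain-post/raw_prerouting/01-tcp-rst.nft`. After writing the file, restart the firewall as in the answer above and confirm the rule is really in the loaded ruleset with `nft list chain inet fw4 raw_prerouting`; if the restart fails, a stray shell quote or an unmapped chain in the include file is the first thing to look for.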

Many thanks

Also a note to @jow that there is no chain-prepend include statement in raw_prerouting. Not sure if this is intentional or an oversight.