Not sure if nftables is really working after removing firewalld

I’m trying to get port 8085 open on a Debian 10 Nginx Virtualmin 6.16 system.

I originally tried to open port 8085 via Webmin > Networking > Firewalld, but it ran into some error. So rather than troubleshoot a firewalld problem, I decided to try out nftables.

So I:
iptables-legacy_save > iptables_legacy_20210630
iptables-restore-translate -f iptables_legacy_20210630 > nftables_legacy_20210630
systemctl stop firewalld && systemctl disable firewalld
apt install nftables
nft -f nftables_legacy_20210630
iptables -F && ip6tables -F
vi /etc/modprobe.d/blacklist and blacklist iptables, ebtables, and ip6tables

. . .

nft insert rule inet filter input tcp dport 8085 accept

nft list ruleset

table inet filter {
        chain input {
                type filter hook input priority 0; policy accept;
                tcp dport 8085 accept
        }

. . .

After I nft add rule inet into the appropriate table and chain, and nft list ruleset shows the rule added, port 8085 is still closed.

I tried systemctl restart nftables, but no go, port 8085 is still closed.

● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: active (exited) since Sat 2021-07-03 12:30:35 PDT; 1min 23s ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 5829 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 5829 (code=exited, status=0/SUCCESS)

Jul 03 12:30:35 bliss.krishnify.com systemd[1]: Starting nftables...
Jul 03 12:30:35 bliss.krishnify.com systemd[1]: Started nftables.

. . .

nmap -sT -p8085 172.93.48.66
Starting Nmap 7.70 ( https://nmap.org ) at 2021-07-03 12:32 PDT
Nmap scan report for bliss.krishnify.com (172.93.48.66)
Host is up (0.00018s latency).

PORT     STATE  SERVICE
8085/tcp closed unknown

. . .

There’s a whole bunch of other tables and chains in the nftables ruleset. I’m not very well versed in the nftables hierarchy.

It seems like these parts are relevant:

table ip filter {
        chain INPUT {
                type filter hook input priority 0; policy accept;
                ct state established,related counter packets 412 bytes 31660 accept
                iifname "lo" counter packets 26 bytes 1787 accept
                counter packets 114 bytes 8017 jump INPUT_direct
                counter packets 114 bytes 8017 jump INPUT_ZONES_SOURCE
                counter packets 114 bytes 8017 jump INPUT_ZONES
                ct state invalid counter packets 3 bytes 120 drop
                counter packets 76 bytes 5871 reject with icmp type host-prohibited
        }
        chain INPUT_ZONES {
                iifname "docker0" counter packets 0 bytes 0 jump IN_docker
                counter packets 602 bytes 41121 goto IN_public
        }
        chain IN_public {
                counter packets 602 bytes 41121 jump IN_public_log
                counter packets 602 bytes 41121 jump IN_public_deny
                counter packets 602 bytes 41121 jump IN_public_allow
                ip protocol icmp counter packets 0 bytes 0 accept
        }
        chain IN_public_allow {
                tcp dport ssh ct state new,untracked counter packets 8 bytes 480 accept
                tcp dport smtp ct state new,untracked counter packets 6 bytes 360 accept
                tcp dport urd ct state new,untracked counter packets 1 bytes 60 accept
                tcp dport ftp ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport pop3 ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport pop3s ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport imap2 ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport imaps ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport http ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport https ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport submission ct state new,untracked counter packets 2 bytes 120 accept
                tcp dport domain ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport ftp-data ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport 2222 ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport 8085 ct state new,untracked counter packets 10 bytes 520 accept
                tcp dport 10000-10100 ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport 20000 ct state new,untracked counter packets 0 bytes 0 accept
                tcp dport 1025-65535 ct state new,untracked counter packets 3 bytes 120 accept
                udp dport domain ct state new,untracked counter packets 5 bytes 366 accept
        }

Nftables does update the counter and bytes when I go to a browser and access http://krishnify.com:8085.

Not sure where port 8085 gets dropped. Probably this statement:
ct state invalid counter packets 22 bytes 1424 drop

I don’t know what else I need to do to open port 8085 and get an established state.

Does anyone have any suggestions for me?
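One way to reason about a ruleset like the one in this post: every base chain hooked on input (here both inet filter input and ip filter INPUT) is evaluated for each incoming packet, and a drop or reject in any one of them wins, so the accept rule in the translated inet filter table cannot override what the firewalld-generated ip filter INPUT chain decides. The following is an added example, not code from the post or from Virtualmin/firewalld: it parses nft list ruleset text (a constructed, shortened sample modelled on the listing above) and reports each input-hook base chain's verdict for a given TCP destination port and conntrack state, including the ct state invalid case the post asks about.

```python
import re
# Constructed sample modelled on the post's listing (shortened): two tables, each with a base chain on the input hook.
RULESET = """
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
		tcp dport 8085 accept
	}
}
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
		ct state established,related counter packets 412 bytes 31660 accept
		tcp dport 8085 ct state new,untracked counter packets 10 bytes 520 accept
		ct state invalid counter packets 3 bytes 120 drop
		counter packets 76 bytes 5871 reject with icmp type host-prohibited
	}
}
"""

def parse(text):
    """Map 'family table chain' -> (policy if it is a base chain else None, rules)."""
    chains = {}
    for tbl in re.finditer(r"table (\S+ \S+) \{(.*?)\n\}", text, re.S):
        for ch in re.finditer(r"chain (\S+) \{(.*?)\n\s+\}", tbl[2], re.S):
            rules = [r.strip() for r in ch[2].splitlines() if r.strip()]
            pol = re.match(r"type filter hook input .*policy (\w+);", "".join(rules[:1]))
            chains[f"{tbl[1]} {ch[1]}"] = (pol and pol[1], rules[1:] if pol else rules)
    return chains

def matches(rule, pkt):
    """Model tcp dport (number or range) and ct state; named ports never match."""
    port = re.search(r"tcp dport (\d+)(?:-(\d+))?", rule)
    if "tcp dport" in rule and not port:
        return False
    state = re.search(r"ct state (\S+)", rule)
    return ((not port or int(port[1]) <= pkt["dport"] <= int(port[2] or port[1]))
            and (not state or pkt["ctstate"] in state[1].split(",")))

def verdict(rules, pkt):
    """First matching terminal rule wins: accept/drop/reject, else None (end of chain)."""
    for rule in rules:
        m = re.search(r"\b(accept|drop|reject)\b", rule)
        if m and matches(rule, pkt):
            return m[1]

def input_verdicts(text, pkt):
    """Every input-hook base chain judges the packet; any drop or reject wins."""
    return {key: verdict(rules, pkt) or pol
            for key, (pol, rules) in parse(text).items() if pol}
```

Running input_verdicts(RULESET, {"dport": 8085, "ctstate": "invalid"}) shows the inet chain accepting while the ip chain drops, which is the combination where a counter in an allow rule never moves and the packet is still lost.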
