
Re: Network tcp/iptables issue with XRDP



> On 24 Oct 2023, at 17:36, Arno Lehmann <al@its-lehmann.de> wrote:
> 
> Hello,
Hi Arno,
> 
> Am 24.10.2023 um 16:19 schrieb Henggi:
> ...
>> As I mentioned in my 1st email, I think (afaik) that no other netfilter module/service is running.
> 
> My anecdote was intended to illustrate that beliefs are not really good tools to diagnose problems ;-)
fair enough :)
> 
>> root@server:~# systemctl status firewalld
>> Unit firewalld.service could not be found.
> 
> Ok, so whatever it is, it's not firewalld managed on the local host.
> 
> What does
> 
> nft list ruleset
> 
> show?
> (Unfortunately, this is all I know about netfilter diagnostics... and I couldn't even get this far without internet search engine :-)

Oh wow… that’s interesting. I had no idea about „nft“ (I just knew „iptables-nft“), which seems to be very different.
I think I have to dig down to where those „nft“ rules are coming from while iptables-nft is completely empty. Thanks, great clue!


------------
root@server:~# iptables-nft -L -v
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

------------
root@server:~# iptables-legacy -L -v
Chain INPUT (policy ACCEPT 2628K packets, 266M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 2316K packets, 237M bytes)
 pkts bytes target     prot opt in     out     source               destination

------------
root@server:~# nft list ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                iif "lo" accept
                ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
                ip6 nexthdr ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
                ct state established,related accept
                ip6 nexthdr ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, mld-listener-report, mld-listener-done, nd-router-solicit, nd-rou
                ip protocol icmp icmp type { destination-unreachable, echo-request, router-advertisement, router-solicitation, time-exceeded, parameter-problem } accept
                ip protocol igmp accept
                tcp dport 22 accept
                tcp dport 80 accept
                tcp dport 443 accept
                tcp dport 25 accept
                tcp dport 587 accept
                tcp dport 465 accept
                tcp dport 110 accept
                tcp dport 995 accept
                tcp dport 143 accept
                tcp dport 993 accept
                counter packets 355822 bytes 22452621 drop
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
        }
}



> 
>> However, then there are kernel modules loaded when looking for „net OR filter OR fire OR ip“ as follows (which I assume are just loaded as part of the default base system but not doing anything - how to be sure of it):
>> root@server:~# lsmod |egrep -i "net|filter|fire|ip"
>> inet_diag              28672  1 tcp_diag
>> iptable_nat            16384  0
>> nf_nat                 49152  1 iptable_nat
>> iptable_filter         16384  0
>> nf_defrag_ipv6         20480  1 nf_conntrack
>> nf_defrag_ipv4         16384  1 nf_conntrack
>> nfnetlink              20480  1 nf_tables
>> ip_tables              32768  2 iptable_filter,iptable_nat
>> x_tables               53248  3 iptable_filter,ip_tables,iptable_nat
>> ipv6                  557056  20
> Just for reference:
> 
> # lsmod | grep -E '^nf' | wc -l
> 34
> 
> 
> so there may be a lot more, which your grep filter hid from you.

Good point, thx! Indeed, modules were missed with my simple string grep….

root@server:~# lsmod | grep -E '^nf'
nf_nat                 49152  1 iptable_nat
nft_ct                 20480  1
nf_conntrack          143360  2 nf_nat,nft_ct
nf_defrag_ipv6         20480  1 nf_conntrack
nf_defrag_ipv4         16384  1 nf_conntrack
nft_limit              16384  2
nf_tables             237568  93 nft_ct,nft_limit
nfnetlink              20480  1 nf_tables

> 
> I'm also noticing that fwbuilder, my tool of choice, seems to be scratching on the border line between "stable" and "legacy"...
> 
> Cheers,
> 
> Arno
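
The diagnosis in this thread comes down to reading `nft list ruleset` by hand: the `inet filter` input chain accepts a fixed list of TCP ports and then ends in an unconditional `counter ... drop`, so a new connection to any port not on that list (XRDP's default 3389 is assumed below as the port of interest) is dropped before the chain's `policy accept` is ever reached, and none of it is visible through `iptables-nft`. The script below is an added example, not code from either poster: it parses a copy of the ruleset quoted above (embedded as a constructed sample, with the truncated icmpv6 line left out) and reports what the input chain would do to a given TCP port. It assumes first-match evaluation and treats rules that match on something other than `tcp dport` (loopback interface, conntrack state, ICMP) as not applying to a fresh TCP connection from a remote host; those assumptions are marked in the code.

```python
import re
import sys

# Constructed sample input: the `nft list ruleset` output quoted in the thread,
# shortened (ICMP set rule and some ports dropped, truncated icmpv6 line omitted).
SAMPLE_RULESET = """\
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                iif "lo" accept
                ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
                ct state established,related accept
                ip protocol igmp accept
                tcp dport 22 accept
                tcp dport 80 accept
                tcp dport 443 accept
                tcp dport 25 accept
                tcp dport 587 accept
                counter packets 355822 bytes 22452621 drop
        }

        chain output {
                type filter hook output priority filter; policy accept;
        }

        chain forward {
                type filter hook forward priority filter; policy drop;
        }
}
"""

VERDICTS = {"accept", "drop", "reject"}
CHAIN_RE = re.compile(r"chain (\S+) \{")
BASE_RE = re.compile(r"type \w+ hook (\w+) priority [^;]+; policy (\w+);")


def parse_chains(ruleset):
    """Map chain name -> {"hook", "policy", "rules"} from `nft list ruleset` text.
    Only the base-chain header and the ordered rule lines are parsed."""
    chains, current = {}, None
    for raw in ruleset.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = {"hook": None, "policy": None, "rules": []}
            chains[m.group(1)] = current
            continue
        if line == "}":          # closes a chain; the table's own "}" arrives with current None
            current = None
            continue
        if current is None or not line:
            continue
        m = BASE_RE.match(line)
        if m:
            current["hook"], current["policy"] = m.group(1), m.group(2)
        else:
            current["rules"].append(line)
    return chains


def _dports(rule):
    """Ports named by a `tcp dport N` or `tcp dport { a, b }` rule."""
    m = re.search(r"dport (\{[^}]*\}|\d+)", rule)
    return {int(p) for p in re.findall(r"\d+", m.group(1))} if m else set()


def _unconditional(words):
    """True when the only expressions before the verdict are counters."""
    return all(w in ("counter", "packets", "bytes") or w.isdigit() for w in words)


def tcp_port_verdict(ruleset, port):
    """First-match verdict of the input hook chain for a new remote TCP connection to `port`.
    Assumption: rules matching on anything but `tcp dport` (iif lo, ct state, ICMP, IGMP)
    do not apply to such a packet and are skipped. Falls back to the chain policy."""
    for chain in parse_chains(ruleset).values():
        if chain["hook"] != "input":
            continue
        for rule in chain["rules"]:
            words = rule.split()
            verdict = words[-1]
            if verdict not in VERDICTS:
                continue
            if rule.startswith("tcp dport "):
                if port in _dports(rule):
                    return verdict
            elif _unconditional(words[:-1]):
                return verdict
        return chain["policy"]
    return None


def input_chain_summary(ruleset):
    """Accepted TCP ports, chain policy, and whether a catch-all drop ends the chain."""
    for chain in parse_chains(ruleset).values():
        if chain["hook"] != "input":
            continue
        accepted = set()
        for rule in chain["rules"]:
            if rule.startswith("tcp dport ") and rule.endswith(" accept"):
                accepted |= _dports(rule)
        last = chain["rules"][-1].split() if chain["rules"] else []
        catch_all = bool(last) and last[-1] == "drop" and _unconditional(last[:-1])
        return {"policy": chain["policy"], "accepted_tcp": sorted(accepted), "catch_all_drop": catch_all}
    return None


if __name__ == "__main__":
    text = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    print(input_chain_summary(text))
    for p in (22, 443, 3389):   # 3389: XRDP's default listening port, assumed here
        print(f"tcp/{p}: {tcp_port_verdict(text, p)}")
```

Run it with no input to see the sample evaluated, or pipe a live listing in with `nft list ruleset | python3 nft_input_check.py` (script name assumed). The useful part of the output is the `catch_all_drop` flag: when it is true, the chain's `policy accept` is decorative and only the listed ports get through, which is exactly the situation the empty `iptables-nft -L` output hides.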

