Bonjour, j’ai nouvellement un raspberry pi 4, 4GB sous Buster.
Je souhaite mettre en place nftables, après plusieurs essais, nftables fonctionne à moitié, je ne peux plus accéder à VNC pourtant j’ai ouvert le port 5900 quand je met le fichier.
Voici ce que je mets en place avec dans la console
nft -f nftables.rules
Dans nftables.rules, il y a:
« tous ce qui est marqué « # », se sont mes essais: »
table ip filter {
chain input {
type filter hook input priority 0;
ct state established,related accept # handle 2
# accept any localhost traffic
iif lo accept
tcp dport http accept # handle 5
tcp dport https accept # handle 6
tcp dport 22 accept # handle 7
# activate the following line to accept common local services
#tcp dport { 22, 80, 443 } ct state new accept
tcp dport {221 , 4431 , 554 , 584, 587 , 3389 , 8087 , 135 , 137 , 138 , 139 , 445 , 8080 , 7 , 9 , 5900 , 5901 , 5902 , 5903 } accept # handle 7
udp dport { 123 , 135 , 137 , 138 , 139 , 445 , 8080 , 7 , 9 } accept # handle 7
# accept neighbour discovery otherwise IPv6 connectivity breaks.
#ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
#udp dport 123 accept # handle 7
#tcp dport 554 accept # handle 7
#tcp dport 587 accept # handle 7
#tcp dport 3389 accept # handle 7
#tcp dport 8087 accept # handle 7
#tcp dport 135 accept # handle 7
#udp dport 135 accept # handle 7
#tcp dport 137 accept # handle 7
#udp dport 137 accept # handle 7
#tcp dport 138 accept # handle 7
#udp dport 138 accept # handle 7
#tcp dport 139 accept # handle 7
#udp dport 139 accept # handle 7
#tcp dport 445 accept # handle 7
#udp dport 445 accept # handle 7
#tcp dport 8080 accept # handle 7
#udp dport 8080 accept # handle 7
#tcp dport 7 accept # handle 7
#udp dport 7 accept # handle 7
#tcp dport 9 accept # handle 7
#udp dport 9 accept # handle 7
#tcp dport 5900:5910 accept # handle 7
tcp flags & (fin | syn | rst | psh | ack | urg) > urg counter packets 0 bytes 0 # handle 8
tcp flags & (fin | syn | rst | psh | ack | urg) < fin counter packets 0 bytes 0 # handle 9
icmp type echo-reply accept # handle 10
drop # handle 11
}
chain output {
type filter hook output priority 0;
ct state established,related accept # handle 13
tcp dport https accept # handle 14
udp dport domain accept # handle 15
udp dport ntp accept # handle 16
tcp dport 587 accept # handle 17
tcp dport { 4431 , 554 , 584 , 587 , 3389 , 8087 , 135 , 137 , 138 , 139 , 445 , 8080 , 7 , 9 , 5900 , 5901 , 5902 , 5903 } accept # handle 7
udp dport { 123 , 135 , 137 , 138 , 139 , 445 , 8080 , 7 , 9 } accept # handle 7
#udp dport 123 accept # handle 7
#tcp dport 554 accept # handle 7
#tcp dport 587 accept # handle 7
#tcp dport 3389 accept # handle 7
#tcp dport 8087 accept # handle 7
#tcp dport 135 accept # handle 7
#udp dport 135 accept # handle 7
#tcp dport 137 accept # handle 7
#udp dport 137 accept # handle 7
#tcp dport 138 accept # handle 7
#udp dport 138 accept # handle 7
#tcp dport 139 accept # handle 7
#udp dport 139 accept # handle 7
#tcp dport 445 accept # handle 7
#udp dport 445 accept # handle 7
#tcp dport 8080 accept # handle 7
#udp dport 8080 accept # handle 7
#tcp dport 7 accept # handle 7
#udp dport 7 accept # handle 7
#tcp dport 9 accept # handle 7
#udp dport 9 accept # handle 7
#tcp dport 5900:5910 accept # handle 7
icmp type echo-request accept # handle 18
drop # handle 19
}
}