[FR] Simplified Method for Determining if IP+Port is Whitelisted or Blacklisted #262
Comments
Hey! Unfortunately, nftables is really complex and your seemingly simple question is not simple to answer. For example, while an IP address might be blocked specifically (easy case), maybe entire networks are blocked (harder case) or maybe the packets are filtered by some other criterion entirely (impossible to figure out in general by just looking at nftables rules; you'd need to evaluate the rules). I think the only way to determine whether an IP address is blocked or not is to do such a check with detailed knowledge of the nftables configuration. Meaning, if you control (or know) the entire nftables configuration, you can then come up with a working check. Which software sets up the nftables rules on your host?
Greetings and thanks for taking your time to reply.
Although it presents itself as "iptables," it operates on the nftables framework underneath, at least as far as I understand. I employ a script that scans the directory /etc/iptables/ for files with the extension *.conf and loads them. These files adhere to the older format. For instance:
Given that this rule permits all IPs from 123.123.123.0 to 123.123.123.255, I am interested in determining whether the IP 123.123.123.25 is whitelisted for Port 22. As you mentioned, there are some challenges:
In my opinion, determining if an IP is whitelisted or blacklisted is a fundamental function of any firewall tool. It also proves useful for conducting A/B testing on applications to verify their functionality. Parsing the configuration wasn't initially my focus. However, it could potentially serve the purpose, assuming no modifications have been made to the configuration and it hasn't been reloaded. A better approach would involve working with the data/config currently active in nftables/iptables, as this at any time would be right. Perhaps suggesting this as a feature request directly to nftables could be beneficial. A command like nftables-status, which allows users to check the status of a specific IP address and port combination, would indeed be quite useful. For instance:
What do you think about this idea? Have you encountered others who have expressed a need for this functionality, or is it primarily something I solely find valuable?
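The check described in the comment above (is 123.123.123.25 allowed to reach port 22 when a /24 is permitted?) can only be answered against a rule set you actually know, as the maintainer notes. The following is an added example, not code from this issue or from the google/nftables module: it models a small first-match rule list with the standard library's net/netip and evaluates an IP+port pair against it. The Rule, Policy and ExamplePolicy names and the 10.0.0.0/8 rule are constructed for illustration; nothing here reads the live kernel rule set.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Verdict mirrors the two outcomes the thread asks about.
type Verdict string

const (
	Accept Verdict = "accept"
	Drop   Verdict = "drop"
)

// Rule is a deliberately simplified stand-in for a firewall rule:
// a source prefix, an optional destination port (0 = any), and a verdict.
// It is a constructed model for this example, not an nftables data structure.
type Rule struct {
	Src     netip.Prefix
	DstPort uint16 // 0 means "any port"
	Verdict Verdict
}

// Policy is an ordered rule list plus the chain's default verdict
// (what applies when no rule matches).
type Policy struct {
	Rules   []Rule
	Default Verdict
}

// Evaluate walks the rules in order; the first match wins, which is the
// usual behaviour for terminal verdicts. It returns the verdict and the
// index of the matching rule, or -1 when the default policy applied.
func (p Policy) Evaluate(src netip.Addr, dstPort uint16) (Verdict, int) {
	for i, r := range p.Rules {
		if !r.Src.Contains(src) {
			continue
		}
		if r.DstPort != 0 && r.DstPort != dstPort {
			continue
		}
		return r.Verdict, i
	}
	return p.Default, -1
}

// IsWhitelisted answers the thread's question for a textual IP and a port.
// An unparseable address is reported as an error rather than silently denied,
// so a caller can distinguish "blocked" from "bad input".
func (p Policy) IsWhitelisted(ip string, port uint16) (bool, error) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return false, err
	}
	// Unmap folds ::ffff:a.b.c.d into a.b.c.d so IPv4 prefixes still match.
	v, _ := p.Evaluate(addr.Unmap(), port)
	return v == Accept, nil
}

// ExamplePolicy is a constructed policy mirroring the comment above:
// the /24 around 123.123.123.0 may reach port 22, a private /8 may reach
// any port (hypothetical second rule), and everything else is dropped.
func ExamplePolicy() Policy {
	return Policy{
		Rules: []Rule{
			{Src: netip.MustParsePrefix("123.123.123.0/24"), DstPort: 22, Verdict: Accept},
			{Src: netip.MustParsePrefix("10.0.0.0/8"), DstPort: 0, Verdict: Accept},
		},
		Default: Drop,
	}
}

func main() {
	p := ExamplePolicy()
	queries := []struct {
		ip   string
		port uint16
	}{
		{"123.123.123.25", 22},  // inside the /24, port 22: accepted
		{"123.123.123.25", 443}, // inside the /24, wrong port: default drop
		{"123.123.124.1", 22},   // outside the /24: default drop
		{"10.1.2.3", 8080},      // matches the any-port rule: accepted
	}
	for _, q := range queries {
		ok, err := p.IsWhitelisted(q.ip, q.port)
		fmt.Printf("%s:%d whitelisted=%v err=%v\n", q.ip, q.port, ok, err)
	}
}
```

The value of modelling the policy this way is that the answer is only as good as the model: rules that match on interface, connection state or other criteria are invisible here, which is exactly why the maintainer says a general answer needs the full configuration rather than a lookup by address and port.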
Hello again. Based on your reply, I think there might be a misunderstanding. You are reporting an issue in the google/nftables package, which is a module for the Go programming language to interact with the Linux nftables subsystem at a low level. You are not in the right place for feature requests for nftables itself, or for tooling that works with nftables (such as your suggested nftables-status). Before we continue the discussion, are you even using the Go programming language, or did you end up in the wrong repository? :)
I'm curious if there's a straightforward or recommended method to, for instance, verify the status of the IP address 123.123.123.123 on port 22. I've been considering something along these lines:
This would allow for a simple way to determine whether any given IP or IP with a specific port is whitelisted. Perhaps I'm overcomplicating things?
Essentially, my goal is to ascertain from within a docker-container whether any given IP and port combination is whitelisted on the host according to the IPtables rules on the host. Any guidance on how to achieve this, or whether it's presently feasible, would be greatly appreciated.
I am open for discussion and hints :)