
[FR] Simplified Method for Determining if IP+Port is Whitelisted or Blacklisted #262

Open
the-hotmann opened this issue Apr 26, 2024 · 3 comments
Labels
question Further information is requested

Comments

@the-hotmann

the-hotmann commented Apr 26, 2024

I'm curious if there's a straightforward or recommended method to, for instance, verify the status of the IP address 123.123.123.123 on port 22. I've been considering something along these lines:

func GetStatus(ip net.IP, port int) bool {
	var status bool
	// ... performs some magic to work out whether ip:port is allowed ...
	return status
}

This would allow for a simple way to determine whether any given IP or IP with a specific port is whitelisted. Perhaps I'm overcomplicating things?

Essentially, my goal is to ascertain from within a docker-container whether any given IP and port combination is whitelisted on the host according to the IPtables rules on the host. Any guidance on how to achieve this, or whether it's presently feasible, would be greatly appreciated.

I am open for discussion and hints :)

@stapelberg
Collaborator

Hey! Unfortunately, nftables is really complex and your seemingly simple question is not simple to answer. For example, while an IP address might be blocked specifically (easy case), maybe entire networks are blocked (harder case) or maybe the packets are filtered by some other criterion entirely (impossible to figure out in general by just looking at nftables rules — you’d need to evaluate the rules).

I think the only way to determine whether an IP address is blocked or not is to do such a check with detailed knowledge of the nftables configuration. Meaning, if you control (or know) the entire nftables configuration, you can then come up with a working check.

Which software sets up the nftables rules on your host?

@stapelberg stapelberg added the question Further information is requested label Apr 30, 2024
@the-hotmann
Author

Greetings and thanks for taking your time to reply.
Regarding the version:

$ iptables -V
iptables v1.8.7 (nf_tables)

Although it presents itself as "iptables," it operates on the nftables framework underneath, at least as far as I understand.

I employ a script that scans the directory /etc/iptables/ for files with the extension *.conf and loads them. These files adhere to the older format. For instance:

/usr/sbin/iptables -A INPUT -i ens160 -p tcp -s 123.123.123.123/24 -m multiport --dports 22,2222 -j ACCEPT

Given that this rule permits all IPs from 123.123.123.0 to 123.123.123.255, I am interested in determining whether the IP 123.123.123.25 is whitelisted for Port 22. As you mentioned, there are some challenges:

  • Parsing all IPs as CIDR and verifying if the IP is included.
  • Determining which rule takes precedence if multiple rules are in place.

In my opinion, determining if an IP is whitelisted or blacklisted is a fundamental function of any firewall tool. It also proves useful for conducting A/B testing on applications to verify their functionality.

Parsing the configuration wasn't initially my focus. However, it could potentially serve the purpose - assuming no modifications have been made to the configuration and it hasn't been reloaded. A better approach would involve working with the data/config currently active in nftables/iptables, as this would be correct at any time.

Perhaps suggesting this as a feature request directly to nftables could be beneficial. A command like nftables-status, which allows users to check the status of a specific IP address and port combination, would indeed be quite useful.

For instance:

nftables-status 123.123.123.25 22

IP             PORT STATUS
123.123.123.25 22   BLOCKED

What do you think about this idea? Have you encountered others who have expressed a need for this functionality, or is it primarily something I solely find valuable?
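The two challenges listed above (CIDR containment and rule precedence) sketched in Go, added here as an illustration and not code from google/nftables or from anyone in this thread: it understands only `-s`, `--dport`/`--dports` and `-j` in the saved `/etc/iptables/*.conf` lines, ignores `-i` and `-p`, and evaluates the parsed file rather than the live ruleset, so it inherits the staleness caveat raised above.

```go
package main

import (
	"net/netip"
	"strconv"
	"strings"
)

type Rule struct {
	Src    netip.Prefix // zero value means "any source"
	Ports  map[int]bool // empty means "any destination port"
	Accept bool         // true for -j ACCEPT, false for DROP/REJECT
}

// ParseRule extracts source prefix, destination ports and verdict from one
// iptables command line of the kind kept in the host's *.conf files.
func ParseRule(line string) (Rule, error) {
	r := Rule{Ports: map[int]bool{}}
	f := strings.Fields(line)
	for i := 0; i+1 < len(f); i++ {
		switch f[i] {
		case "-s": // host bits may be set (123.123.123.123/24); Contains masks them
			var err error
			if r.Src, err = netip.ParsePrefix(f[i+1]); err != nil {
				return r, err
			}
		case "--dport", "--dports":
			for _, s := range strings.Split(f[i+1], ",") {
				n, err := strconv.Atoi(s)
				if err != nil {
					return r, err // malformed port list: fail closed, not open
				}
				r.Ports[n] = true
			}
		case "-j":
			r.Accept = f[i+1] == "ACCEPT"
		}
	}
	return r, nil
}

// Status evaluates a chain the way the kernel does: the first matching rule
// decides; if no rule matches, the chain's default policy applies.
func Status(chain []Rule, policyAccept bool, ip netip.Addr, port int) bool {
	for _, r := range chain {
		if (r.Src.IsValid() && !r.Src.Contains(ip)) || (len(r.Ports) > 0 && !r.Ports[port]) {
			continue
		}
		return r.Accept
	}
	return policyAccept
}
```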

@stapelberg
Collaborator

Hello again. Based on your reply, I think there might be a misunderstanding.

You are reporting an issue in the google/nftables package, which is a module for the Go programming language to interact with the Linux nftables subsystem at a low level.

You are not in the right place for feature requests for nftables itself, or for tooling that works with nftables (such as your suggested nftables-status).

Before we continue the discussion, are you even using the Go programming language, or did you end up in the wrong repository? :)
