Hi,
This is about a new server, just had the installation completed.
I went to Host Access Control to limit the range of IPs permitted to connect to the server, and I created the rules through Security Center > Host Access Control in AlmaLinux 8.5, but I faced a few problems:
1. First and foremost, it does not seem to work. Every IP can access the port, instead of only a few intended IPs.
Maybe I did something wrong, or maybe there is an option somewhere else to enable it?
For example, for port 22, the "nft -a list chain inet filter cPanel-HostAccessControl" returns (w.x.y.z are several IP addresses that I want to grant access to):
Code:
table inet filter {
    chain cPanel-HostAccessControl { # handle 1
        ip saddr w1.x1.y1.z1 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 2
        ip saddr w2.x2.y2.z2 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 3
        ip saddr w3.x3.y3.z3 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 4
        ip saddr w4.x4.y4.z4 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 5
        ip saddr w5.x5.y5.z5 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 6
        ip saddr w6.x6.y6.z6 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 7
        ip saddr w7.x7.y7.z7 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 8
        ct state new tcp dport 22 counter packets 0 bytes 0 reject # handle 9
    }
}
Also, the "systemctl status nftables" returns:
Code:
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Tue 2022-01-25 21:24:25 EET; 4h 24min ago
     Docs: man:nft(8)
  Process: 1400 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 1400 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 822260)
   Memory: 0B
   CGroup: /system.slice/nftables.service

Jan 25 21:24:19 my.server.com systemd[1]: Starting Netfilter Tables...
Jan 25 21:24:25 my.server.com systemd[1]: Started Netfilter Tables.
2. In the Documentation Host Access Control page (ver. 100 - last mod. 2021-12-15) it says that in the last (REJECT) rule we should "Enter ALL IP in the IP Address/CIDR text box".
However, this brings an error: "IP addresses must be a valid v4 or v6 address".

See attached file.
I found somewhere that "ALL" instead of "ALL IP" could also work, and it seems to create the rule OK. But is it related to the fact that the REJECT rule does not reject any IP?
3. In the same documentation page, it states that "You may apply your rule to multiple IP addresses by entering a comma-separated list of IP addresses or a CIDR subnet mask".
However, upon entering "w1.x1.y1.z1,w2.x2.y2.z2" (with actual IPs, of course) it displays the same error: "IP addresses must be a valid v4 or v6 address".
So it does not seem that the comma-separated list works.
I tried to search similar problems but I did not find anything related (most entries are about CentOS 7, which does not rely on nftables, as CentOS 8 does).
May I also add that a few (graceful) restarts have been initiated, so it does not seem to be a "restart the service" issue.
I believe the 3 questions are not related.
Please do not hesitate to ask for any more information.
And please accept my apologies beforehand, if I have missed something.
Thank you for your time.
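Added example, not part of the post above and not cPanel's code: a small audit of an `nft list chain` listing that checks the two things a reviewer of the listing above would look at first. In nftables only a base chain (one with a `type filter hook input priority ...` line) receives packets from the kernel; a chain without that line is a regular chain that only sees traffic something jumps to, and the listing shows no hook line and every counter at 0 packets. The addresses and handles in `SAMPLE` are constructed placeholders.

```python
import re

# Constructed sample mirroring the listing in the post (placeholder IPs, not real ones);
# a live listing comes from: nft -a list chain inet filter cPanel-HostAccessControl
SAMPLE = """table inet filter {
    chain cPanel-HostAccessControl { # handle 1
        ip saddr 192.0.2.10 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 2
        ip saddr 192.0.2.11 ct state new tcp dport 22 counter packets 0 bytes 0 accept # handle 3
        ct state new tcp dport 22 counter packets 0 bytes 0 reject # handle 4
    }
}"""

# A base chain declares where it is attached, e.g. "type filter hook input priority 0;"
HOOK_RE = re.compile(r"^\s*type\s+\w+\s+hook\s+(\w+)\s+priority")
# Rules with counters: packets/bytes seen so far plus the verdict
RULE_RE = re.compile(r"counter packets (\d+) bytes (\d+) (accept|drop|reject)")

def audit_chain(listing):
    """Return the hook (if any), the rule count and a list of findings for one chain."""
    hook = None
    rules = []
    for line in listing.splitlines():
        m = HOOK_RE.match(line)
        if m:
            hook = m.group(1)
            continue
        m = RULE_RE.search(line)
        if m:
            rules.append({"packets": int(m.group(1)),
                          "verdict": m.group(3),
                          "has_source": "ip saddr" in line or "ip6 saddr" in line})
    findings = []
    if hook is None:
        findings.append("no base-chain hook: nothing delivers packets here, rules are inert")
    if rules and all(r["packets"] == 0 for r in rules):
        findings.append("all counters zero: no packet has ever traversed the chain")
    # An allow-list is source-specific accepts followed by a catch-all reject/drop
    if rules and rules[-1]["verdict"] == "accept":
        findings.append("last rule accepts: no default deny at the end of the chain")
    if any(r["verdict"] == "accept" and not r["has_source"] for r in rules):
        findings.append("unconditional accept present: allow-list does not restrict anything")
    return {"hook": hook, "rule_count": len(rules), "findings": findings}

if __name__ == "__main__":
    for f in audit_chain(SAMPLE)["findings"]:
        print("finding:", f)
```

Run against the real output of `nft -a list chain ...`, a hook of `input` with non-zero counters on the reject rule is what a working allow-list looks like.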