I have put in place a solution to temporarily open a port, based on nft:

# create the nft set
nft add set ip filter SSHallowed { type ipv4_addr\; timeout 2m \;}

# add the rule to the table
nft insert rule ip filter INPUT ip saddr @SSHallowed tcp dport 22 accept

# to add ips to the set
nft add element ip filter SSHallowed { XX.XX.XX.XX }

Is there any way I can accept a new connection from the same IP to the destination port of an already established connection, without having to run "nft add element"? I think it should be something similar to

nft insert rule ip filter INPUT ct state related tcp dport 22

But that one has not worked.

  • Is the goal to allow additional ssh connections to a server after an initial port-knocking method (or any other method) was used to allow the initial ssh access? You should describe both the intended goal (to avoid any XY problem) and give an example. I can already tell to check SSH's ControlMaster option to probably avoid having to do all this. – A.B Apr 05 '21 at 01:46

1 Answer

You're probably missing statuses.

Thinking about iptables, you would allow both related and established connections. Then, I would assume you're looking for something like this:

# the accept verdict is required: a rule with no verdict matches but does nothing
nft insert rule ip filter INPUT ct state related,established tcp dport 22 accept
  • The reason I have not included established is that established is already stated in another rule, table- and protocol-wide. – chronos Oct 11 '19 at 13:03
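The question's timed set and the answer's state match written out as one persistent ruleset, as an added example that is not from either post; it assumes an input chain with a drop policy and that the set's 2-minute timeout applies to every element:

```nft
# ruleset in /etc/nftables.conf syntax (loaded with `nft -f`)
table ip filter {
    set SSHallowed {
        type ipv4_addr
        timeout 2m            # each added address expires 2 minutes after insertion
    }

    chain INPUT {
        type filter hook input priority 0; policy drop;

        # packets belonging to flows conntrack already knows about
        ct state established,related accept

        # only a fresh SSH connection from a currently allowed address gets in;
        # addresses are added with: nft add element ip filter SSHallowed { 192.0.2.10 }
        ip saddr @SSHallowed tcp dport 22 accept

        ct state invalid drop
    }
}
```

Rules are evaluated in order, so the ct state rule sits above the set rule; when building the chain interactively, remember that `nft insert` prepends while `nft add` appends.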