Hi.
I have a Debian 12 server.
I am trying to switch from UFW to pure iptables.
I read a couple of books, but I don't know where to look for answers to some questions.
Here is the code from the UFW "rules.before" file.
The last line is a test rule:
# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines
# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT
# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -m limit --limit 3/minute --limit-burst 5 -j DROP
...
I installed and configured nftables. Along the way, I learned to use conntrack and understood the problem.
ICMP gets into the conntrack table as related and hangs there for 30 seconds, and the next request passes under the established,related rule.
But for some reason I thought that if there is an ICMP request and an ICMP reply, then after the reply the connection is closed and the next request passes as a new connection. And this is a mistake.
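For anyone hitting the same ordering trap, here is an added nftables example (not from the post above, and not the ufw defaults) that puts the echo-request limit where it actually gets evaluated; the SSH port and the 30 s timeout value are assumptions based on Debian 12 defaults:

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post: minimal IPv4 input chain showing
# where an ICMP echo-request rate limit has to sit relative to the
# established,related accept. IPv6 is left out on purpose (it would also need
# icmpv6 neighbour-discovery rules).
flush ruleset

table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # same intent as the ufw rules.before defaults
        iif "lo" accept
        ct state invalid counter drop

        # The limit MUST come before the established,related accept.
        # After the first request/reply pair, the conntrack entry for that ICMP
        # id stays alive for net.netfilter.nf_conntrack_icmp_timeout (30 s by
        # default), so every further echo-request in that window is ESTABLISHED,
        # not NEW. Placed after the accept below, this rule would never be hit.
        icmp type echo-request limit rate over 3/minute burst 5 packets counter drop

        ct state established,related accept

        # new connections you actually want (assumption: SSH on tcp/22)
        tcp dport 22 ct state new accept
        # first echo-request of a flow is NEW and only gets here if under the limit
        icmp type echo-request accept
    }
}

# Checks to confirm the behaviour on the box (run as root):
#   nft list chain ip filter input      # rule order and counters
#   conntrack -L -p icmp                # the echo entry and its remaining timeout
#   sysctl net.netfilter.nf_conntrack_icmp_timeout
```

Watch the `counter` on the drop rule while pinging faster than the limit: it only increments when the rule sits above the established,related accept.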