QUESTION :
I have put in place a solution to temporarily open a port, based on nft:
# create the nft set
nft add set ip filter SSHallowed { type ipv4_addr; timeout 2m ;}
# add the rule to the table
nft insert rule ip filter INPUT ip saddr @SSHallowed tcp dport 22 accept
# to add ips to the set
nft add element ip filter SSHallowed { XX.XX.XX.XX }
Is there any way I can accept a new connection from the same IP, to the same destination port as an already established connection, without having to run “nft add element”? I think it should be something similar to
nft insert rule ip filter INPUT ct state related tcp dport 22
But that one did not work.
ANSWER :
You’re probably missing statuses.
Thinking about iptables, you would allow both related and established connections. Then, I would assume you’re looking for something like this:
nft insert rule ip filter INPUT ct state related,established tcp dport 22 accept
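A practitioner's caveat on the thread above: conntrack classifies each flow on its own, so a second SSH connection from a host that already has one open is still `ct state new`, and `ct state related` only fires for flows a helper ties to a parent (FTP data channels and the like), never for plain SSH. A rule matching `established,related` therefore keeps existing sessions alive but does not admit a fresh connection from the same source. What actually removes the manual “nft add element” step is letting the ruleset maintain the set itself: declare the set `flags dynamic,timeout` and use the `update` statement to (re-)insert and refresh the source address from the packet path. The ruleset below is an added example, not code from the question or the answer. It keeps the page's `filter`, `INPUT` and `SSHallowed` names and the 2-minute window; the base-chain declaration, `policy drop`, the loopback and `invalid` rules, and the per-element `timeout 2m` on the `update` statements are assumptions about the rest of the firewall. Load it as root with `nft -f`.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the question or the answer): the timed SSH
# allow-list is maintained by the ruleset instead of by hand.
# Assumptions: table "filter" / chain "INPUT" as in the question, a default
# drop policy, and a 2-minute window.

flush ruleset

table ip filter {
    # "dynamic" lets rules add/refresh elements with the update statement;
    # "timeout" makes every element expire (default 2m, set below).
    set SSHallowed {
        type ipv4_addr
        flags dynamic,timeout
        timeout 2m
    }

    chain INPUT {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state invalid drop

        # Every packet of a live SSH session refreshes (or re-creates) its
        # source in the set, so the window follows the session, not the last
        # manual "nft add element". Must sit before the generic accept below,
        # otherwise established packets never reach it.
        tcp dport 22 ct state established update @SSHallowed { ip saddr timeout 2m }

        # Flows already accepted earlier (and helper-related ones).
        ct state established,related accept

        # A NEW SSH connection is allowed only from a source currently in
        # the set; accepting it also renews that source's entry.
        ip saddr @SSHallowed tcp dport 22 ct state new update @SSHallowed { ip saddr timeout 2m } accept

        # Everything else falls through to the chain's drop policy.
    }
}
```

The first entry for a source still has to come from somewhere: either the one-off `nft add element ip filter SSHallowed { XX.XX.XX.XX }` from the question, or some out-of-band admission rule of your own. From then on, as long as a session from that address is alive, or a new connection from it is accepted within the window, the entry is renewed. `nft list set ip filter SSHallowed` shows each element together with its remaining `expires` time, which is the quickest way to verify that the `update` rules fire.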