Advanced Pagina 7: Diferență între versiuni

De la Wiki Linux Advanced
Sari la navigare Sari la căutare
(Pagină nouă: ==Firewall avansat== Pagina anterioară | Următoarea pagină)
 
Fără descriere a modificării
Linia 1: Linia 1:
==Firewall avansat==
==Firewall avansat==
===nftables===
Tabele: ip (implicit), arp, ip6, bridge, inet, netdev.
Lanturi:
  filter: Supported by arp, bridge, ip, ip6 and inet table families.
  route: Mark packets (like mangle for the output hook, for other hooks use the type filter instead), supported by ip and ip6.
  nat: In order to perform Network Address Translation, supported by ip and ip6.
Hook: Se refera la stadiul acelui pachet in timp ce este procesat de kernel in Netfilter.
  The hooks for ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
  The hooks for arp family are: input, output.
  The bridge family handles ethernet packets traversing bridge devices.
  The hooks for netdev are: ingress, egress.
policy este verdictul pentru a controla cursul acelui pachet in lant si tabel. Posibile valori: accept (default) si drop.
<pre>
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]
% nft (delete | list | flush) chain [<family>] <table> <name>
% nft rename chain [<family>] <table> <name> <newname>
</pre>
Reguli: nft (add | insert | replace | displace) rule
====Exemplu 1, imitare iptables====
Exemplu de reguli nftables, de importat cu comanda nft -f. O parte din chain-uri imita iptables. Nota: unele distributii acum implementeaza propriile reguli, de recomandat folosita comanda "flush ruleset" inainte.
<pre>
table inet filter {
        chain input {
                type filter hook input priority filter;
                # Allow loopback (local connections)
                iifname lo accept
                # Allow established/related
                ct state established,related accept
                # Allow incoming pings
                ip protocol icmp limit rate 1/second accept
                # Allow SSH and HTTP
                tcp dport {ssh,http} accept
                # Drop everything else
                drop
        }
        chain forward {
                type filter hook forward priority filter;
                # Disallow forwarding
                drop
        }
        chain output {
                type filter hook output priority filter;
                # Allow all outgoing traffic
                accept
        }
}
</pre>
====Exemplu 2, prioritati====
<pre>
table ip filter {
        # This chain is evaluated first due to priority
        chain services {
                type filter hook input priority 0; policy accept;
                # If matched, this rule will prevent any further evaluation
                tcp dport http drop
                # If matched, and despite the accept verdict, the packet proceeds to enter the chain below
                tcp dport ssh accept
                # Likewise for any packets that get this far and hit the default policy
        }
        # This chain is evaluated last due to priority
        chain input {
                type filter hook input priority 1; policy drop;
                # All ingress packets end up being dropped here!
        }
}
</pre>
====Exemplu 3====
<pre>
table inet firewall {
    chain inbound {                                                             
        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow loopback traffic.
        iifname lo accept
        tcp dport { 22, 80, 443, 55291, 5900 } accept
                                                                                                                                                                                                                                                                                         
        # Uncomment to enable logging of denied inbound traffic                                                                                                                                                                                                                         
        log prefix "[nftables] Inbound Denied: " counter drop                                                                                                                                                                                                                           
    }                                                                                                                                                                                                                                                                                   
}
</pre>
====Operatii la nivel de ruleset====
listing
Listing the complete ruleset:
% nft list ruleset
Listing the ruleset per family:
% nft list ruleset arp
% nft list ruleset ip
% nft list ruleset ip6
% nft list ruleset bridge
% nft list ruleset inet
These commands will print all tables/chains/sets/rules of the given family.
flushing
In addition, you can also flush (erase, delete, wipe) the complete ruleset:
% nft flush ruleset
Also per family:
% nft flush ruleset arp
% nft flush ruleset ip
% nft flush ruleset ip6
% nft flush ruleset bridge
% nft flush ruleset inet
backup/restore
You can combine these two commands above to backup your ruleset:
% echo "flush ruleset" > backup.nft
% nft list ruleset >> backup.nft
And load it [[Atomic_rule_replacement|atomically]]:
% nft -f backup.nft
Listing in JSON format
You can also export your ruleset in JSON format, just pass the
'--json' option:
% nft --json list ruleset > ruleset.json
====Creare regula blocare ip-uri de sine statoare====
-''functia ipv(4|6)_validate este un grep pe clase de ip-uri, nu este necesar pentru o lista simpla.''
-''Numarul de reguli verificabil cu " nft list table inet utilities_filter | grep -oc ',' "''
<pre>
if ! nft list chain inet filter INPUT >$quiet 2>&1; then
echo '
add table inet filter
add chain inet filter INPUT { type filter hook input priority 1 ; }
add set inet filter ipmaster { flags interval; type ipv4_addr; auto-merge; }
add set inet filter ipmaster6 { flags interval; type ipv6_addr; auto-merge; }
insert rule inet filter INPUT ip saddr @ipmaster counter drop
insert rule inet filter INPUT ip6 saddr @ipmaster6 counter drop
' | nft -f -; fi
ipv4_validate </tmp/ip_lists | awk '{print "add element inet filter ipmaster { "$1" }"}' | nft -f - # import ipv4
ipv6_validate </tmp/ip_lists | awk '{print "add element inet filter ipmaster6 { "$1" }"}' | nft -f - # import ipv6
</pre>
===iptables===
[[Advanced_Pagina_6|Pagina anterioară]] | [[Advanced_Pagina_8|Următoarea pagină]]
[[Advanced_Pagina_6|Pagina anterioară]] | [[Advanced_Pagina_8|Următoarea pagină]]

Versiunea de la data 11 noiembrie 2024 13:54

Firewall avansat

nftables

Tabele: ip (implicit), arp, ip6, bridge, inet, netdev.

Lanturi: 

 filter: Supported by arp, bridge, ip, ip6 and inet table families.
 route: Mark packets (like mangle for the output hook, for other hooks use the type filter instead), supported by ip and ip6.
 nat: In order to perform Network Address Translation, supported by ip and ip6.

Hook: Se refera la stadiul acelui pachet in timp ce este procesat de kernel in Netfilter. 

 The hooks for ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
 The hooks for arp family are: input, output.
 The bridge family handles ethernet packets traversing bridge devices.
 The hooks for netdev are: ingress, egress.

policy este verdictul pentru a controla cursul acelui pachet in lant si tabel. Posibile valori: accept (default) si drop. 

 % nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]
 % nft (delete | list | flush) chain [<family>] <table> <name>
 % nft rename chain [<family>] <table> <name> <newname>

Reguli: nft (add | insert | replace | displace) rule

Exemplu 1, imitare iptables

Exemplu de reguli nftables, de importat cu comanda nft -f. O parte din chain-uri imita iptables. Nota: unele distributii acum implementeaza propriile reguli, de recomandat folosita comanda "flush ruleset" inainte. 

table inet filter {
        chain input {
                type filter hook input priority filter;

                # Allow loopback (local connections)
                iifname lo accept

                # Allow established/related
                ct state established,related accept

                # Allow incoming pings
                ip protocol icmp limit rate 1/second accept

                # Allow SSH and HTTP
                tcp dport {ssh,http} accept

                # Drop everything else
                drop
        }
        chain forward {
                type filter hook forward priority filter;

                # Disallow forwarding
                drop
        }
        chain output {
                type filter hook output priority filter;

                # Allow all outgoing traffic
                accept
        }
}

Exemplu 2, prioritati

table ip filter {
        # This chain is evaluated first due to priority
        chain services {
                type filter hook input priority 0; policy accept;

                # If matched, this rule will prevent any further evaluation
                tcp dport http drop

                # If matched, and despite the accept verdict, the packet proceeds to enter the chain below
                tcp dport ssh accept

                # Likewise for any packets that get this far and hit the default policy
        }

        # This chain is evaluated last due to priority
        chain input {
                type filter hook input priority 1; policy drop;
                # All ingress packets end up being dropped here!
        }
}

Exemplu 3

table inet firewall {
    chain inbound {                                                              

        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop } 

        # Allow loopback traffic.
        iifname lo accept

        tcp dport { 22, 80, 443, 55291, 5900 } accept
                                                                                                                                                                                                                                                                                          
        # Uncomment to enable logging of denied inbound traffic                                                                                                                                                                                                                           
        log prefix "[nftables] Inbound Denied: " counter drop                                                                                                                                                                                                                             
    }                                                                                                                                                                                                                                                                                     
}

Operatii la nivel de ruleset

listing

Listing the complete ruleset: 

% nft list ruleset


Listing the ruleset per family: 

% nft list ruleset arp
% nft list ruleset ip
% nft list ruleset ip6
% nft list ruleset bridge
% nft list ruleset inet

These commands will print all tables/chains/sets/rules of the given family.

flushing

In addition, you can also flush (erase, delete, wipe) the complete ruleset: 

% nft flush ruleset

Also per family: 

% nft flush ruleset arp
% nft flush ruleset ip
% nft flush ruleset ip6
% nft flush ruleset bridge
% nft flush ruleset inet

backup/restore

You can combine these two commands above to backup your ruleset: 

% echo "flush ruleset" > backup.nft
% nft list ruleset >> backup.nft

And load it atomically: 

% nft -f backup.nft

Listing in JSON format

You can also export your ruleset in JSON format, just pass the '--json' option: 

% nft --json list ruleset > ruleset.json

Creare regula blocare ip-uri de sine statoare

-functia ipv(4|6)_validate este un grep pe clase de ip-uri, nu este necesar pentru o lista simpla.

-Numarul de reguli verificabil cu " nft list table inet utilities_filter | grep -oc ',' " 

if ! nft list chain inet filter INPUT >$quiet 2>&1; then
echo '
add table inet filter
add chain inet filter INPUT { type filter hook input priority 1 ; }
add set inet filter ipmaster { flags interval; type ipv4_addr; auto-merge; }
add set inet filter ipmaster6 { flags interval; type ipv6_addr; auto-merge; }
insert rule inet filter INPUT ip saddr @ipmaster counter drop
insert rule inet filter INPUT ip6 saddr @ipmaster6 counter drop
' | nft -f -; fi
ipv4_validate </tmp/ip_lists | awk '{print "add element inet filter ipmaster { "$1" }"}' | nft -f - # import ipv4
ipv6_validate </tmp/ip_lists | awk '{print "add element inet filter ipmaster6 { "$1" }"}' | nft -f - # import ipv6

iptables

Pagina anterioară | Următoarea pagină

Adus de la „https://wiki.linuxadvanced.ro/index.php?title=Advanced_Pagina_7&oldid=526