Advanced
Advanced firewall
nftables
Tables: ip (default), arp, ip6, bridge, inet, netdev.
Chains (types):
filter: supported by the arp, bridge, ip, ip6 and inet table families.
route: marks packets (like mangle for the output hook; for the other hooks use type filter instead), supported by ip and ip6.
nat: performs Network Address Translation, supported by ip and ip6.
Hook: the stage of a packet's journey through the kernel (Netfilter) at which the chain is attached.
The hooks for the ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
The hooks for the arp family are: input, output.
The bridge family handles ethernet packets traversing bridge devices.
The hooks for netdev are: ingress, egress.
policy is the verdict applied to a packet that reaches the end of a base chain without matching a terminal rule; it controls whether the packet continues through the table. Possible values: accept (default) and drop.
% nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]
% nft (delete | list | flush) chain [<family>] <table> <name>
% nft rename chain [<family>] <table> <name> <newname>
Rules: nft (add | insert | replace | delete) rule
Example 1, mimicking iptables
Example nftables rules, to be loaded with the nft -f command. Some of the chains mimic the iptables ones. Note: some distributions now ship their own rules, so running "flush ruleset" first is recommended.
table inet filter {
    chain input {
        type filter hook input priority filter;
        # Allow loopback (local connections)
        iifname lo accept
        # Allow established/related
        ct state established,related accept
        # Allow incoming pings
        ip protocol icmp limit rate 1/second accept
        # Allow SSH and HTTP
        tcp dport {ssh,http} accept
        # Drop everything else
        drop
    }
    chain forward {
        type filter hook forward priority filter;
        # Disallow forwarding
        drop
    }
    chain output {
        type filter hook output priority filter;
        # Allow all outgoing traffic
        accept
    }
}
Example 2, priorities
table ip filter {
    # This chain is evaluated first due to its lower priority value
    chain services {
        type filter hook input priority 0; policy accept;
        # If matched, this rule prevents any further evaluation
        tcp dport http drop
        # If matched, and despite the accept verdict, the packet proceeds to enter the chain below
        tcp dport ssh accept
        # Likewise for any packets that get this far and hit the default policy
    }
    # This chain is evaluated last due to its higher priority value
    chain input {
        type filter hook input priority 1; policy drop;
        # All ingress packets end up being dropped here!
    }
}
Example 3
table inet firewall {
    chain inbound {
        # By default, drop all traffic unless it meets the filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow loopback traffic.
        iifname lo accept
        tcp dport { 22, 80, 443, 55291, 5900 } accept
        # Log and count denied inbound traffic before dropping it (comment out to drop silently)
        log prefix "[nftables] Inbound Denied: " counter drop
    }
}
Ruleset-level operations
listing
Listing the complete ruleset:
% nft list ruleset
Listing the ruleset per family:
% nft list ruleset arp
% nft list ruleset ip
% nft list ruleset ip6
% nft list ruleset bridge
% nft list ruleset inet
These commands will print all tables/chains/sets/rules of the given family.
flushing
In addition, you can also flush (erase, delete, wipe) the complete ruleset:
% nft flush ruleset
Also per family:
% nft flush ruleset arp
% nft flush ruleset ip
% nft flush ruleset ip6
% nft flush ruleset bridge
% nft flush ruleset inet
backup/restore
You can combine these two commands above to backup your ruleset:
% echo "flush ruleset" > backup.nft
% nft list ruleset >> backup.nft
And load it atomically:
% nft -f backup.nft
Listing in JSON format
You can also export your ruleset in JSON format, just pass the '--json' option:
% nft --json list ruleset > ruleset.json
Creating an IP blocklist rule (native nftables)
- the ipv(4|6)_validate function is a grep over IP address classes; it is not needed for a simple list.
- the number of entries can be checked with " nft list table inet filter | grep -oc ',' "
echo '
add table inet filter
add chain inet filter INPUT { type filter hook input priority 1 ; }
add set inet filter ipmaster { flags interval; type ipv4_addr; auto-merge; }
add set inet filter ipmaster6 { flags interval; type ipv6_addr; auto-merge; }
insert rule inet filter INPUT ip saddr @ipmaster counter drop
insert rule inet filter INPUT ip6 saddr @ipmaster6 counter drop
' | nft -f -
ipv4_validate </tmp/ip_lists | awk '{print "add element inet filter ipmaster { "$1" }"}' | nft -f - # import ipv4
ipv6_validate </tmp/ip_lists | awk '{print "add element inet filter ipmaster6 { "$1" }"}' | nft -f - # import ipv6
Creating WireGuard VPN connection rules (native nftables)
# Fragment of a shell (bash) function: $wg_file / $opt_file and the ipv(4|6)_validate filters are defined elsewhere.
[[ -n $wg_file ]] && file=$wg_file || file=$opt_file
! [[ -s $file ]] && return 1
iname=$(basename -s .conf $file)
address=$(grep '^Address' $file | ipv4_validate)
address6=$(grep '^Address' $file | ipv6_validate)
# Create the interface and feed wg only the keys it understands; Address and DNS are handled below
ip link add $iname type wireguard || return 1
wg setconf $iname <(grep -E '^\[Interface|^\[Peer|^PrivateKey|^PublicKey|^Endpoint|^AllowedIPs|^$' $file) || return 1
ip -4 address add $address dev $iname
ip -6 address add $address6 dev $iname
# DNS entries from the .conf go to resolvconf
grep '^DNS' $file | sed 's/DNS =/nameserver/' | resolvconf -a tun."$iname" -m 0 -x
# Mark the tunnel's own encrypted UDP packets so they bypass the VPN routing table below
wg set $iname fwmark 51820
ip link set mtu 1420 up dev $iname
sysctl -q net.ipv4.conf.all.src_valid_mark=1
# Default route through the tunnel in table 51820; unmarked traffic uses it, marked (tunnel) traffic uses main
ip -4 route add 0.0.0.0/0 dev $iname table 51820
ip -6 route add ::/0 dev $iname table 51820
for cmd in 'ip -4' 'ip -6'; do $cmd rule add not fwmark 51820 table 51820; $cmd rule add table main suppress_prefixlength 0; done
# Firewall side: drop packets addressed to the tunnel IP that arrive on any other interface,
# and carry the fwmark across conntrack for the tunnel's UDP packets
echo '
add table inet fw
add chain inet fw INPUT { type filter hook input priority 0 ; }
add chain inet fw preraw { type filter hook prerouting priority -300; }
add rule inet fw preraw iifname != '$iname' ip daddr '$(cut -d/ -f1 <<<$address)' fib saddr type != local drop
add rule inet fw preraw iifname != '$iname' ip6 daddr '$(cut -d/ -f1 <<<$address6)' fib saddr type != local drop
add chain inet fw premangle { type filter hook prerouting priority -150; }
add rule inet fw premangle meta l4proto udp meta mark set ct mark
add chain inet fw postmangle { type filter hook postrouting priority -150; }
add rule inet fw postmangle meta l4proto udp mark 51820 ct mark set mark
' | nft -f - && echo $iname connected
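Added example (not code from the page): one possible implementation of the ipv4_validate / ipv6_validate filters the blocklist import and the WireGuard snippet both rely on, used the two ways the page uses them (blocklist lines to "add element" commands, and the tunnel addresses out of a .conf). The sample blocklist and .conf are constructed; nothing here calls nft or touches the network.

```shell
# Added example (not the page's own code): one way to implement the ipv4_validate /
# ipv6_validate filters the page assumes, applied the two ways the page uses them:
# blocklist -> "add element" commands, and tunnel addresses out of a WireGuard .conf.

# Keep only tokens that are a valid IPv4 address or IPv4/CIDR (octets 0-255, prefix 0-32).
ipv4_validate() {
    tr -s ' \t,=' '\n' | while IFS= read -r tok; do
        addr=${tok%%/*}
        prefix=${tok#*/}
        [ "$prefix" = "$tok" ] && prefix=32           # bare address: treat as /32
        case $addr in ''|*[!0-9.]*) continue ;; esac
        case $prefix in ''|*[!0-9]*|???*) continue ;; esac
        [ "$prefix" -le 32 ] || continue
        n=0 ok=1
        oldifs=$IFS; IFS=.
        for oct in $addr; do
            n=$((n + 1))
            { [ -n "$oct" ] && [ ${#oct} -le 3 ] && [ "$oct" -le 255 ]; } || ok=0
        done
        IFS=$oldifs
        [ "$n" -eq 4 ] && [ "$ok" -eq 1 ] && printf '%s\n' "$tok"
    done
}
# Syntax-only IPv6 filter: hex groups and colons, optional /0-128 prefix.
ipv6_validate() {
    tr -s ' \t,=' '\n' |
        grep -E '^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$'
}
# Blocklist on stdin -> the "add element" lines the page pipes into "nft -f -".
blocklist_to_nft() {   # $1 = set name (ipmaster / ipmaster6), $2 = ipv4 | ipv6
    "${2}_validate" | awk -v setname="$1" '{ print "add element inet filter " setname " { " $1 " }" }'
}
# The page's "grep ^Address | ipv(4|6)_validate" step, with the .conf on stdin.
wg_address4() { grep '^Address' | ipv4_validate; }
wg_address6() { grep '^Address' | ipv6_validate; }

# Constructed sample data (documentation ranges only; no real hosts or keys).
SAMPLE_BLOCKLIST='198.51.100.7
203.0.113.0/24
999.1.1.1
198.51.100.8/33
2001:db8::5
not-an-ip'
SAMPLE_WG_CONF='[Interface]
Address = 10.7.0.2/32, fd00:7::2/128
DNS = 10.7.0.1'

printf '%s\n' "$SAMPLE_BLOCKLIST" | blocklist_to_nft ipmaster ipv4
printf '%s\n' "$SAMPLE_WG_CONF" | wg_address6
```

Out-of-range octets, prefixes above /32 and non-address tokens are dropped silently, so a malformed blocklist line can never reach nft.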