Advanced Page 7

From Wiki Linux Advanced

Advanced firewall

nftables

Tables: ip (default), arp, ip6, bridge, inet, netdev.

Chains:

 filter: Supported by arp, bridge, ip, ip6 and inet table families.
 route: Mark packets (like mangle for the output hook, for other hooks use the type filter instead), supported by ip and ip6.
 nat: In order to perform Network Address Translation, supported by ip and ip6.

Hook: refers to the stage the packet is at while it is being processed by the kernel in Netfilter.

 The hooks for ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
 The hooks for arp family are: input, output.
 The bridge family handles ethernet packets traversing bridge devices.
 The hooks for netdev are: ingress, egress.

policy is the default verdict that decides what happens to a packet that reaches the end of the chain without matching a terminal rule. Possible values: accept (default) and drop.

 % nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]
 % nft (delete | list | flush) chain [<family>] <table> <name>
 % nft rename chain [<family>] <table> <name> <newname>

Rules: nft (add | insert | replace | delete) rule

Example 1: imitating iptables

Example nftables rules, to be imported with the nft -f command. Some of the chains imitate iptables. Note: some distributions now ship their own rules, so running "flush ruleset" first is recommended.

table inet filter {
        chain input {
                type filter hook input priority filter;

                # Allow loopback (local connections)
                iifname lo accept

                # Allow established/related
                ct state established,related accept

                # Allow incoming pings
                # (in an inet table, "ip protocol icmp" matches IPv4 ICMP only; ICMPv6 is not covered by this rule)
                ip protocol icmp limit rate 1/second accept

                # Allow SSH and HTTP
                tcp dport {ssh,http} accept

                # Drop everything else
                drop
        }
        chain forward {
                type filter hook forward priority filter;

                # Disallow forwarding
                drop
        }
        chain output {
                type filter hook output priority filter;

                # Allow all outgoing traffic
                accept
        }
}

Example 2: priorities

table ip filter {
        # This chain is evaluated first due to priority
        chain services {
                type filter hook input priority 0; policy accept;

                # If matched, this rule will prevent any further evaluation
                tcp dport http drop

                # If matched, and despite the accept verdict, the packet proceeds to enter the chain below
                tcp dport ssh accept

                # Likewise for any packets that get this far and hit the default policy
        }

        # This chain is evaluated last due to priority
        chain input {
                type filter hook input priority 1; policy drop;
                # All ingress packets end up being dropped here!
        }
}
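Examples 1 and 2 hinge on how Netfilter combines several base chains registered on the same hook: chains run in ascending priority order, a verdict ends only the chain that issued it, and accept does not shield the packet from the next base chain, while drop is final. The Python model below is an added illustration, not code from this wiki or from the nftables project. It evaluates a constructed packet (a plain dict; the keys proto, dport, iif and ct are assumptions of the model) through the chains of Example 2 and through a single-chain layout like Example 1, and run_hook() returns the final verdict together with a per-chain trace.

```python
"""Model of nftables base-chain evaluation on one hook (added illustration, not wiki code)."""
from dataclasses import dataclass, field
from typing import Callable

Packet = dict  # constructed packets, e.g. {"proto": "tcp", "dport": 22}


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: str  # "accept" or "drop"


@dataclass
class BaseChain:
    name: str
    hook: str
    priority: int
    policy: str = "accept"
    rules: list = field(default_factory=list)

    def evaluate(self, pkt: Packet) -> str:
        # The first matching rule with a verdict ends this chain; otherwise the policy applies.
        for rule in self.rules:
            if rule.match(pkt):
                return rule.verdict
        return self.policy


def run_hook(chains: list, hook: str, pkt: Packet):
    """Run every base chain on `hook` in priority order; return (final verdict, trace)."""
    trace = []
    for chain in sorted((c for c in chains if c.hook == hook), key=lambda c: c.priority):
        verdict = chain.evaluate(pkt)
        trace.append((chain.name, verdict))
        if verdict == "drop":
            return "drop", trace  # drop is final: later base chains never see the packet
    return "accept", trace  # accepted by every chain on this hook


def tcp_dport(*ports: int) -> Callable[[Packet], bool]:
    return lambda p: p.get("proto") == "tcp" and p.get("dport") in ports


def example1_ruleset() -> list:
    """Example 1 reduced to its input chain: allow-list rules, then an unconditional drop."""
    return [BaseChain("input", "input", 0, "accept", [
        Rule(lambda p: p.get("iif") == "lo", "accept"),
        Rule(lambda p: p.get("ct") in ("established", "related"), "accept"),
        Rule(tcp_dport(22, 80), "accept"),
        Rule(lambda p: True, "drop"),  # the bare 'drop' rule at the end of the chain
    ])]


def example2_ruleset() -> list:
    """Example 2: 'services' (prio 0, policy accept) followed by 'input' (prio 1, policy drop)."""
    services = BaseChain("services", "input", 0, "accept",
                         [Rule(tcp_dport(80), "drop"), Rule(tcp_dport(22), "accept")])
    return [services, BaseChain("input", "input", 1, "drop")]


if __name__ == "__main__":
    ssh = {"proto": "tcp", "dport": 22}
    for label, chains in (("example 2", example2_ruleset()), ("example 1", example1_ruleset())):
        verdict, trace = run_hook(chains, "input", ssh)
        print(f"{label}: ssh -> {verdict}, trace={trace}")
```

Running the model shows the trap Example 2's comments describe: SSH is accepted by `services` and then dropped by `input`, whereas HTTP never reaches `input` because drop in `services` is final. The single-chain layout of Example 1 accepts SSH because nothing runs after it on that hook.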

Example 3

table inet firewall {
    chain inbound {

        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Allow loopback traffic.
        iifname lo accept

        tcp dport { 22, 80, 443, 55291, 5900 } accept

        # Log and count denied inbound traffic, then drop it
        # (comment this rule out to rely silently on the chain's drop policy)
        log prefix "[nftables] Inbound Denied: " counter drop
    }
}

Ruleset-level operations

listing

Listing the complete ruleset:

% nft list ruleset

Listing the ruleset per family:

% nft list ruleset arp
% nft list ruleset ip
% nft list ruleset ip6
% nft list ruleset bridge
% nft list ruleset inet

These commands will print all tables/chains/sets/rules of the given family.

flushing

In addition, you can also flush (erase, delete, wipe) the complete ruleset:

% nft flush ruleset

Also per family:

% nft flush ruleset arp
% nft flush ruleset ip
% nft flush ruleset ip6
% nft flush ruleset bridge
% nft flush ruleset inet

backup/restore

You can combine the two commands above to back up your ruleset:

% echo "flush ruleset" > backup.nft
% nft list ruleset >> backup.nft

And load it atomically:

% nft -f backup.nft

Listing in JSON format

You can also export your ruleset in JSON format, just pass the '--json' option:

% nft --json list ruleset > ruleset.json
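The JSON export is the convenient form for auditing a ruleset offline. The Python below is an added example, not part of this wiki or of nftables: it walks the libnftables JSON array (objects keyed table, chain, rule; base chains are the chain objects that carry hook, prio and policy), lists the base chains of each hook in evaluation order with their rule counts, and flags the two situations from Example 2: a drop-policy base chain that contains no rules, and an accept-policy chain followed by a drop-policy chain on the same hook. The embedded export is constructed to resemble what `nft --json list ruleset` prints for Example 2; its version string and handle numbers are made up.

```python
"""Audit an nftables JSON export for base-chain ordering pitfalls (added example, not wiki code)."""
import json
from collections import defaultdict

# Constructed to mirror Example 2 in the libnftables JSON layout; version/handles are made up.
SAMPLE_EXPORT = json.dumps({"nftables": [
    {"metainfo": {"version": "x.y", "release_name": "constructed", "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "filter", "handle": 1}},
    {"chain": {"family": "ip", "table": "filter", "name": "services", "handle": 1,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "ip", "table": "filter", "chain": "services", "handle": 3,
              "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                  "right": 80}}, {"drop": None}]}},
    {"rule": {"family": "ip", "table": "filter", "chain": "services", "handle": 4,
              "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                                  "right": 22}}, {"accept": None}]}},
    {"chain": {"family": "ip", "table": "filter", "name": "input", "handle": 2,
               "type": "filter", "hook": "input", "prio": 1, "policy": "drop"}},
]})


def load_ruleset(text: str) -> dict:
    """Group the flat JSON array into base chains keyed (family, table, name), each with its rules."""
    chains = {}
    for obj in json.loads(text)["nftables"]:
        if "chain" in obj and "hook" in obj["chain"]:  # only base chains carry a hook
            c = obj["chain"]
            chains[(c["family"], c["table"], c["name"])] = dict(c, rules=[])
        elif "rule" in obj:
            r = obj["rule"]
            key = (r["family"], r["table"], r["chain"])
            if key in chains:  # rules of regular (jump target) chains are not audited here
                chains[key]["rules"].append(r["expr"])
    return chains


def evaluation_order(chains: dict, family: str, hook: str) -> list:
    """Base chains of one hook as (name, prio, policy, rule count), in the order the kernel runs them."""
    group = sorted((c for c in chains.values() if c["family"] == family and c["hook"] == hook),
                   key=lambda c: c["prio"])
    return [(c["name"], c["prio"], c.get("policy", "accept"), len(c["rules"])) for c in group]


def audit(chains: dict) -> list:
    """Return human-readable findings about policies and ordering per hook."""
    findings = []
    by_hook = defaultdict(list)
    for c in chains.values():
        by_hook[(c["family"], c["hook"])].append(c)
    for (family, hook), group in sorted(by_hook.items()):
        group.sort(key=lambda c: c["prio"])
        for c in group:
            if c.get("policy") == "drop" and not c["rules"]:
                findings.append(f"{family}/{hook}: {c['table']}/{c['name']} (prio {c['prio']}) has policy "
                                "drop and no rules: every packet reaching it is dropped")
        policies = [c.get("policy", "accept") for c in group]
        if "accept" in policies and "drop" in policies[policies.index("accept"):]:
            findings.append(f"{family}/{hook}: an accept-policy chain precedes a drop-policy chain; "
                            "accept in the earlier chain does not protect the packet from the later one")
    return findings


if __name__ == "__main__":
    rules = load_ruleset(SAMPLE_EXPORT)
    print(evaluation_order(rules, "ip", "input"))
    for finding in audit(rules):
        print("finding:", finding)
```

To audit a live system, replace SAMPLE_EXPORT with the contents of the ruleset.json file written above; the same two checks apply to every family and hook present in the export.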

Creating a standalone IP-blocking rule

-The ipv(4|6)_validate function is a grep on IP address classes; it is not needed for a simple list.

-The number of rules can be checked with " nft list table inet utilities_filter | grep -oc ',' "

#!/bin/sh
# Assumption: the page never defines $quiet; send the existence check's output to /dev/null.
quiet=/dev/null
# ipv4_validate / ipv6_validate: per the note above, greps on address classes. These are
# reconstructed filters, not the page's originals: they keep lines that look like an address,
# optionally with a /prefix, and discard everything else (blanks, comments, hostnames).
ipv4_validate() { grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; }
ipv6_validate() { grep -E '^[0-9a-fA-F]*:[0-9a-fA-F:]*(/[0-9]{1,3})?$'; }
# Create the table, the INPUT base chain and the two interval sets only if they do not exist yet,
# so the script can be re-run to refresh the lists without touching the rest of the ruleset.
if ! nft list chain inet filter INPUT >$quiet 2>&1; then
echo '
add table inet filter
add chain inet filter INPUT { type filter hook input priority 1 ; }
add set inet filter ipmaster { flags interval; type ipv4_addr; auto-merge; }
add set inet filter ipmaster6 { flags interval; type ipv6_addr; auto-merge; }
insert rule inet filter INPUT ip saddr @ipmaster counter drop
insert rule inet filter INPUT ip6 saddr @ipmaster6 counter drop
' | nft -f -; fi
ipv4_validate </tmp/ip_lists | awk '{print "add element inet filter ipmaster { "$1" }"}' | nft -f - # import ipv4
ipv6_validate </tmp/ip_lists | awk '{print "add element inet filter ipmaster6 { "$1" }"}' | nft -f - # import ipv6
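The grep-based validation above accepts anything that merely looks like an address (999.1.1.1 passes the IPv4 pattern) and emits one `add element` command per line. The Python below is an added example, not the wiki's script: it does the same import step with the standard ipaddress module, which rejects malformed entries before they reach nft, splits the list by family, and batches many elements into one `add element` statement. The table and set names (inet filter, ipmaster, ipmaster6) are the ones the script above creates; the input list is constructed and includes two invalid lines on purpose.

```python
"""Build an nft batch (for 'nft -f -') from a mixed IPv4/IPv6 blocklist (added example, not wiki code)."""
import ipaddress

# Constructed sample: one entry per line; blanks and '#' comments are allowed, two lines are invalid.
SAMPLE_LIST = """\
# constructed blocklist
203.0.113.0/24
198.51.100.7
2001:db8::/32
2001:db8:1::5
999.1.1.1
not-an-address
"""


def parse_blocklist(text: str):
    """Return (ipv4_networks, ipv6_networks, rejected_lines)."""
    v4, v6, rejected = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            # strict=False tolerates host bits in a prefix, as the auto-merge interval set does
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append(line)  # never reaches nft: a bad element would abort the whole batch
            continue
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6, rejected


def nft_elements(nets) -> list:
    """Render networks as set elements; a single host (/32 or /128) is written as a bare address."""
    return [str(n.network_address) if n.prefixlen == n.max_prefixlen else str(n) for n in nets]


def build_batch(text: str, table: str = "inet filter", chunk: int = 500):
    """Return (nft batch text, rejected lines); `chunk` caps the elements per add element statement."""
    v4, v6, rejected = parse_blocklist(text)
    lines = []
    for set_name, nets in (("ipmaster", v4), ("ipmaster6", v6)):
        elems = nft_elements(nets)
        for i in range(0, len(elems), chunk):
            lines.append(f"add element {table} {set_name} {{ {', '.join(elems[i:i + chunk])} }}")
    return "\n".join(lines), rejected


if __name__ == "__main__":
    batch, rejected = build_batch(SAMPLE_LIST)
    print(batch)  # pipe this output into: nft -f -
    for line in rejected:
        print("rejected:", line)
```

Because the whole batch is applied atomically by `nft -f -`, a single malformed element would make nft reject every address in the file; validating in the generator keeps one bad line in the source list from silently leaving the blocklist empty.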

iptables
