Advanced Page 7

From the Linux Advanced Wiki
Revision as of 13 November 2024 09:24, by Admin (talk | contribs)

Advanced firewall

nftables

Tables: ip (default), arp, ip6, bridge, inet, netdev.

Chains:

 filter: Supported by arp, bridge, ip, ip6 and inet table families.
 route: Mark packets (like mangle for the output hook, for other hooks use the type filter instead), supported by ip and ip6.
 nat: In order to perform Network Address Translation, supported by ip and ip6.

Hook: refers to the stage the packet is at while it is being processed by the kernel in Netfilter.

 The hooks for ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
 The hooks for arp family are: input, output.
 The bridge family handles ethernet packets traversing bridge devices.
 The hooks for netdev are: ingress, egress.
 % nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy (accept | drop) \;] \} ]
 % nft (delete | list | flush) chain [<family>] <table> <name>
 % nft rename chain [<family>] <table> <name> <newname>

Rules: nft (add | insert | replace | delete) rule

Example 1, imitating iptables

Example nftables rules, to be imported with the command nft -f. Some of the chains imitate iptables. Note: some distributions now ship their own rules, so it is recommended to run "flush ruleset" first.

table inet filter {
        chain input {
                type filter hook input priority filter;

                # Allow loopback (local connections)
                iifname lo accept

                # Allow established/related
                ct state established,related accept

                # Allow incoming pings
                ip protocol icmp limit rate 1/second accept

                # Allow SSH and HTTP
                tcp dport {ssh,http} accept

                # Drop everything else
                drop
        }
        chain forward {
                type filter hook forward priority filter;

                # Disallow forwarding
                drop
        }
        chain output {
                type filter hook output priority filter;

                # Allow all outgoing traffic
                accept
        }
}

Example 2, priorities

table ip filter {
        # This chain is evaluated first due to priority
        chain services {
                type filter hook input priority 0; policy accept;

                # If matched, this rule will prevent any further evaluation
                tcp dport http drop

                # If matched, and despite the accept verdict, the packet proceeds to enter the chain below
                tcp dport ssh accept

                # Likewise for any packets that get this far and hit the default policy
        }

        # This chain is evaluated last due to priority
        chain input {
                type filter hook input priority 1; policy drop;
                # All ingress packets end up being dropped here!
        }
}

Example 3, logging

table inet firewall {
    chain inbound {

        # By default, drop all traffic unless it meets a filter
        # criteria specified by the rules that follow below.
        type filter hook input priority 0; policy drop;

        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Allow loopback traffic.
        iifname lo accept

        tcp dport { 22, 80, 443, 55291, 5900 } accept

        # Log, count and drop everything that was not accepted above
        log prefix "[nftables] Inbound Denied: " counter drop
    }
}

Ruleset-level operations

Listing

Listing the complete ruleset:

% nft list ruleset


Listing the ruleset per family:

% nft list ruleset arp
% nft list ruleset ip
% nft list ruleset ip6
% nft list ruleset bridge
% nft list ruleset inet

These commands will print all tables/chains/sets/rules of the given family.

Flushing

In addition, you can also flush (erase, delete, wipe) the complete ruleset:

% nft flush ruleset

Also per family:

% nft flush ruleset arp
% nft flush ruleset ip
% nft flush ruleset ip6
% nft flush ruleset bridge
% nft flush ruleset inet

Backup/restore

You can combine these two commands above to backup your ruleset, then load it atomically:

% echo "flush ruleset" > backup.nft
% nft list ruleset >> backup.nft
% nft -f backup.nft

Listing in JSON format

You can also export your ruleset in JSON format, just pass the '--json' option:

% nft --json list ruleset > ruleset.json

Creating an IP-blocking rule (native)

echo '
add table inet filter
add chain inet filter INPUT { type filter hook input priority 1 ; }
add set inet filter ipmaster { flags interval; type ipv4_addr; auto-merge; }
add set inet filter ipmaster6 { flags interval; type ipv6_addr; auto-merge; }
insert rule inet filter INPUT ip saddr @ipmaster counter drop
insert rule inet filter INPUT ip6 saddr @ipmaster6 counter drop
' | nft -f -
ipv4_validate <lista_ip | awk '{print "add element inet filter ipmaster { "$1" }"}' | nft -f - # import ipv4
ipv6_validate <lista_ip | awk '{print "add element inet filter ipmaster6 { "$1" }"}' | nft -f - # import ipv6

Notes:

- the ipv(4|6)_validate function is a grep on IP address classes; it is not needed for a simple list.

- the number of rules can be checked with " nft list table inet filter | grep -oc ',' "

- the number of "hits" against the blocked addresses can be checked with " ip(6)tables -vL " or summed with:

perl -E '/packets (\d+)/ and $s += $1 for `nft list ruleset | grep ipmaster`; say $s'


Creating a WireGuard VPN connection rule (native)

[[ -n $wg_file ]] && file=$wg_file || file=$opt_file; ! [[ -s $file ]] && return 1; iname=$(basename -s .conf $file) address=$(grep '^Address' $file | ipv4_validate) address6=$(grep '^Address' $file | ipv6_validate)
ip link add $iname type wireguard || return 1; wg setconf $iname <(grep -E '^\[Interface|^\[Peer|^PrivateKey|^PublicKey|^Endpoint|^AllowedIPs|^$' $file) || return 1
ip -4 address add $address dev $iname; ip -6 address add $address6 dev $iname
grep '^DNS' $file | sed 's/DNS =/nameserver/' | resolvconf -a tun."$iname" -m 0 -x
wg set $iname fwmark 51820
ip link set mtu 1420 up dev $iname
sysctl -q net.ipv4.conf.all.src_valid_mark=1
ip -4 route add 0.0.0.0/0 dev $iname table 51820; ip -6 route add ::/0 dev $iname table 51820
for cmd in 'ip -4' 'ip -6'; do $cmd rule add not fwmark 51820 table 51820; $cmd rule add table main suppress_prefixlength 0; done
echo '
add table inet fw
add chain inet fw INPUT { type filter hook input priority 0 ; }
add chain inet fw preraw { type filter hook prerouting priority -300; }
add rule inet fw preraw iifname != '$iname' ip daddr '$(cut -d/ -f1 <<<$address)' fib saddr type != local drop
add rule inet fw preraw iifname != '$iname' ip6 daddr '$(cut -d/ -f1 <<<$address6)' fib saddr type != local drop
add chain inet fw premangle { type filter hook prerouting priority -150; }
add rule inet fw premangle meta l4proto udp meta mark set ct mark
add chain inet fw postmangle { type filter hook postrouting priority -150; }
add rule inet fw postmangle meta l4proto udp mark 51820 ct mark set mark
' | nft -f - && echo $iname connected

iptables

The rules can be loaded with the iptables-restore command or saved to /etc/sysconfig/iptables.

Example 1

# iptables-save > /dev/stdout
# Warning: iptables-legacy tables present, use iptables-legacy-save to see them
# iptables-legacy-save > /dev/stdout
# Generated by iptables-save v1.8.9 on Mon Nov 11 14:43:17 2024
*mangle
:PREROUTING ACCEPT [192:15752]
:INPUT ACCEPT [192:15752]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [192:15752]
:POSTROUTING ACCEPT [192:15752]
COMMIT
# Completed on Mon Nov 11 14:43:17 2024
# Generated by iptables-save v1.8.9 on Mon Nov 11 14:43:17 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [50:3402]
:POSTROUTING ACCEPT [50:3402]
COMMIT
# Completed on Mon Nov 11 14:43:17 2024
# Generated by iptables-save v1.8.9 on Mon Nov 11 14:43:17 2024
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
:bad_tcp_packets - [0:0]
:icmp_packets - [0:0]
:tcp_inbound - [0:0]
:tcp_outbound - [0:0]
:udp_inbound - [0:0]
:udp_outbound - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -j tcp_inbound
-A INPUT -p udp -j udp_inbound
-A INPUT -p icmp -j icmp_packets
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "INPUT packet died: "
-A OUTPUT -p icmp -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -s 127.0.0.1/32 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -j ACCEPT
-A OUTPUT -m limit --limit 3/min --limit-burst 3 -j LOG --log-prefix "OUTPUT packet died: "
-A bad_packets -m conntrack --ctstate INVALID -j LOG --log-prefix "Invalid packet: "
-A bad_packets -m conntrack --ctstate INVALID -j DROP
-A bad_packets -p tcp -j bad_tcp_packets
-A bad_packets -j RETURN
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j LOG --log-prefix "New not syn: "
-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "
-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A bad_tcp_packets -p tcp -j RETURN
-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "
-A icmp_packets -p icmp -f -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP
-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A icmp_packets -p icmp -j RETURN
-A tcp_inbound -p tcp -m tcp --dport 21 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --sport 20 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 631 -j ACCEPT
-A tcp_inbound -p tcp -j RETURN
-A tcp_outbound -p tcp -j ACCEPT
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 631 -j ACCEPT
-A udp_inbound -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 111 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 9400 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 2049 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 9401 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 9402 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 9403 -j ACCEPT
-A udp_inbound -p udp -j RETURN
-A udp_outbound -p udp -j ACCEPT
COMMIT
# Completed on Mon Nov 11 14:43:17 2024

Which translates to:

iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
bad_packets  all  --  anywhere             anywhere            
DROP       all  --  anywhere             224.0.0.1           
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
tcp_inbound  tcp  --  anywhere             anywhere            
udp_inbound  udp  --  anywhere             anywhere            
icmp_packets  icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 3 LOG level warn prefix "INPUT packet died: "

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
DROP       icmp --  anywhere             anywhere             ctstate INVALID
ACCEPT     all  --  localhost            anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 3 LOG level warn prefix "OUTPUT packet died: "

Chain bad_packets (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             ctstate INVALID LOG level warn prefix "Invalid packet: "
DROP       all  --  anywhere             anywhere             ctstate INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain bad_tcp_packets (1 references)
target     prot opt source               destination         
LOG        tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW LOG level warn prefix "New not syn: "
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN ctstate NEW
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warn prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warn prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warn prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warn prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG        tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST LOG level warn prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN,RST
LOG        tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN LOG level warn prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN/FIN,SYN
RETURN     tcp  --  anywhere             anywhere            

Chain icmp_packets (1 references)
target     prot opt source               destination         
LOG        icmp -f  anywhere             anywhere             LOG level warn prefix "ICMP Fragment: "
DROP       icmp -f  anywhere             anywhere            
DROP       icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
RETURN     icmp --  anywhere             anywhere            

Chain tcp_inbound (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere             tcp spt:ftp-data
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp
RETURN     tcp  --  anywhere             anywhere            

Chain tcp_outbound (0 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            

Chain udp_inbound (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT     udp  --  anywhere             anywhere             udp dpt:9400
ACCEPT     udp  --  anywhere             anywhere             udp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere             udp dpt:9401
ACCEPT     udp  --  anywhere             anywhere             udp dpt:9402
ACCEPT     udp  --  anywhere             anywhere             udp dpt:9403
RETURN     udp  --  anywhere             anywhere            

Chain udp_outbound (0 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere  

Example 2

*filter
# Allow all outgoing, but drop incoming and forwarding packets by default
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Custom per-protocol chains
:UDP - [0:0]
:TCP - [0:0]
:ICMP - [0:0]

# Acceptable UDP traffic

# Acceptable TCP traffic
-A TCP -p tcp --dport 22 -j ACCEPT

# Acceptable ICMP traffic

# Boilerplate acceptance policy
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT

# Drop invalid packets
-A INPUT -m conntrack --ctstate INVALID -j DROP

# Pass traffic to protocol-specific chains
## Only allow new connections (established and related should already be handled)
## For TCP, additionally only allow new SYN packets since that is the only valid
## method for establishing a new TCP connection
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p icmp -m conntrack --ctstate NEW -j ICMP

# Reject anything that's fallen through to this point
## Try to be protocol-specific w/ rejection message
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

# Commit the changes
COMMIT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

*security
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT

*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT

Creating an IP-blocking rule (using ipset)

ipv4_validate <lista_ip | awk 'NR==1{print "create ipmaster hash:net family inet hashsize 100000 maxelem 100000"}''{print "add ipmaster "$1}' | ipset restore -!
iptables -I INPUT -m set --match-set ipmaster src -j DROP # import ipv4
ipv6_validate <lista_ip | awk 'NR==1{print "create ipmaster6 hash:net family inet6 hashsize 500000 maxelem 500000"}''{print "add ipmaster6 "$1}' | ipset restore -!
ip6tables -I INPUT -m set --match-set ipmaster6 src -j DROP # import ipv6

Notes:

- the ipv(4|6)_validate function is a grep on IP address classes; it is not needed for a simple list.

- the number of rules can be checked with " ipset list -t " or summed with:

perl -E '/Number of entries: (\d+)/ and $s += $1 for `ipset list -t`; say $s'

- the number of "hits" against the blocked addresses can be checked with " ip(6)tables -vL " or summed with:

perl -E "say $(iptables -vL | awk 'NR==3{print $1}') + $(ip6tables -vL | awk 'NR==3{print $1}')"
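The following is an added example, not code from the wiki page: it builds the blocklist batches for both the native nftables variant (the "Creating an IP-blocking rule (native)" section above) and the ipset variant (this section) from one raw IP list, without loading anything. The ipv4_validate/ipv6_validate functions are assumed implementations of the "grep on IP address classes" helpers the page refers to, the sample list is constructed, and the rejected-line report is an extra check that lets an operator review junk before it reaches the firewall.

```shell
#!/bin/sh
# Added example, not the wiki's own code: generate (do not apply) the nft and
# ipset blocklist batches from a raw list, validating every entry first.
# ipv4_validate/ipv6_validate are assumed implementations of the page's helpers.

# Keep only the leading IPv4 address or prefix of each line, with octets 0-255
# and prefix length 0-32; comments, junk and trailing text are discarded.
ipv4_validate() {
    grep -oE '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?' |
    awk -F'[./]' '$1<=255 && $2<=255 && $3<=255 && $4<=255 && (NF==4 || $5<=32)'
}

# Keep only the leading IPv6 address or prefix of each line: hex groups joined
# by ':' (so '::' compression passes), prefix length 0-128.
ipv6_validate() {
    grep -oE '^[0-9A-Fa-f:]{2,39}(/[0-9]{1,3})?' | grep ':' |
    awk -F/ 'NF==1 || $2<=128'
}

# nftables batch for "nft -f -" (same table/set layout as the page's native variant).
nft_blocklist_batch() {   # $1 = raw list file
    cat <<'EOF'
add table inet filter
add chain inet filter INPUT { type filter hook input priority 1 ; }
add set inet filter ipmaster { flags interval; type ipv4_addr; auto-merge; }
add set inet filter ipmaster6 { flags interval; type ipv6_addr; auto-merge; }
insert rule inet filter INPUT ip saddr @ipmaster counter drop
insert rule inet filter INPUT ip6 saddr @ipmaster6 counter drop
EOF
    ipv4_validate <"$1" | LC_ALL=C sort -u | awk '{print "add element inet filter ipmaster { " $1 " }"}'
    ipv6_validate <"$1" | LC_ALL=C sort -u | awk '{print "add element inet filter ipmaster6 { " $1 " }"}'
}

# ipset batch for "ipset restore -!" (same set names and sizes as the page's ipset variant).
ipset_blocklist_batch() {   # $1 = raw list file
    ipv4_validate <"$1" | LC_ALL=C sort -u |
    awk 'NR==1{print "create ipmaster hash:net family inet hashsize 100000 maxelem 100000"} {print "add ipmaster " $1}'
    ipv6_validate <"$1" | LC_ALL=C sort -u |
    awk 'NR==1{print "create ipmaster6 hash:net family inet6 hashsize 500000 maxelem 500000"} {print "add ipmaster6 " $1}'
}

# Non-comment, non-blank lines that passed neither validator: review these
# before loading, they are silently skipped by the generators above.
blocklist_rejects() {   # $1 = raw list file
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | while IFS= read -r line; do
        printf '%s\n' "$line" | ipv4_validate | grep -q . && continue
        printf '%s\n' "$line" | ipv6_validate | grep -q . && continue
        printf '%s\n' "$line"
    done
}

# Constructed sample list (documentation ranges), deliberately messy.
SAMPLE_LIST=$(mktemp)
cat >"$SAMPLE_LIST" <<'EOF'
# constructed sample: comments, junk and duplicates on purpose
192.0.2.10
198.51.100.0/24
192.0.2.10
256.1.1.1
2001:db8::/32
2001:db8:1234::1
not-an-address
203.0.113.7   # trailing comment
EOF

# Print both batches; pipe the first into "nft -c -f -" to syntax-check it
# without applying, or into "nft -f -" / "ipset restore -!" to load.
nft_blocklist_batch "$SAMPLE_LIST"
ipset_blocklist_batch "$SAMPLE_LIST"
echo "rejected lines:"
blocklist_rejects "$SAMPLE_LIST"
```

Because the nft batch uses "add table/chain/set" but "insert rule", re-running it on a live system appends a second pair of drop rules each time; check with nft list table inet filter before reloading, or flush the table first as the page's ruleset-level section describes.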
