Nftables: Unterschied zwischen den Versionen

 
(9 dazwischenliegende Versionen von 3 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
Kategorie:server
[[Kategorie:ServerApplikation]]
Kategorie:firewall
[[Kategorie:firewall]]
= Links =
* Port forwarding: http://ayekat.ch/blog/qemu-networkd-nftables
* https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Tables
 
= Einleitung =
Regeln werden für "Tables" definiert:
* ip: betrifft IP4-Protokoll
* ip6: betrifft IP6-Protokoll
* inet: betrifft  IP4- oder IP6-Protokoll
* tcp: betrifft TCP-Protokoll
* udp: betrifft UDP-Protokoll
* Weitere Tables: Udplite Sctp Dccp Ah Esp Comp Icmp Icmpv6 Ether Dst Frag Hbh Mh Rt Vlan Arp Ct Meta


= Beispiel =
= Beispiel =
Ein Host verwaltet virtuelle Maschinen, die per Firewall Serverdienste anbieten:
Ein Host verwaltet virtuelle Maschinen, die per Firewall Serverdienste anbieten:


* /etc/nftables.conf
<pre>#!/usr/sbin/nft -f
<pre>#!/usr/sbin/nft -f
# interfaces:
# interfaces:
define IF_INET = eth0
define IF_INET = eth0
define IF_LOCAL = bridge0
define IF_LOCAL = eth1
define IF_DMZ = eth1
define IF_BRIDGE = bridge1


define NET_LOCAL = 10.10.10.0/8
define NET_LOCAL = 10.10.10.0/24
define NET_DMZ = 172.16.0.0/12
define NET_BRIDGE = 172.16.10.0/12


define HOST_FW = 88.77.22.11
define HOST_ALFA = 10.10.10.100
define HOST_ALFA = 10.10.10.100
define HOST_BETA = 10.10.10.101
define HOST_BETA = 10.10.10.101


define FW_ACCEPTED { 80, 443, 22 }
flush ruleset
 
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept comment "Accept any localhost traffic"
    ct state invalid drop comment "Drop invalid connections"
    ct state established,related accept comment "Accept traffic originated from us"
    ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"
    ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"
    ip protocol igmp accept comment "Accept IGMP"
 
    tcp dport ssh accept comment "Accept SSH on port 22"


# BANNED
    tcp dport { http, https, 8008, 8080 } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)"
add rule filter input meta iifname IF_INET ip saddr 121.12.242.43 drop;


# Drop locals from internet
  }
add rule filter input meta iifname IF_INET ip saddr \
  chain forward {
        { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 } drop;
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table ip nat {


# Drop invalid
  chain input {
add rule filter input ct state invalid drop;
    type nat hook input priority 0;
    counter
  }


add rule filter input meta iif lo ct state new accept;
  chain prerouting {
    type nat hook prerouting priority -101;
    counter
    # Port forwarding from 10101 ->
    tcp dport 10100 dnat $HOST_ALFA:22
    tcp dport 10101 dnat $HOST_BETA:22
    #tcp dport 22 counter redirect to $HOST_ALFA:10101;
    #tcp dport 22 counter redirect to $HOST_ALFA:10102;
  }


add rule filter input meta iif IF_DMZ ip saddr NET_DMZ ct state new accept;
  chain postrouting {
add rule filter input meta iif IF_LOCAL ip saddr NET_LOCAL ct state new accept;
    type nat hook postrouting priority 0;
    ip saddr $NET_LOCAL oifname $IP_LOCAL masquerade
    ip saddr $NET_BRIDGE oifname $IP_BRIDGE masquerade
    counter
  }
}
</pre>


# Accept for firewall only:
* Spezielle Anforderungen: Ergänzung in table inet filter:
add rule filter input meta iifname IP_INET ip protocol tcp ct state new tcp dport FW_ACCEPTED accept;
<pre>
    udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
    udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
   
    udp dport netbios-ns ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Name Service (nmbd)"
    udp dport netbios-ns ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Name Service (nmbd)"
    udp dport netbios-dgm ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Datagram Service (nmbd)"
    udp dport netbios-dgm ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Datagram Service (nmbd)"
    tcp dport netbios-ssn ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Session Service (smbd)"
    tcp dport netbios-ssn ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Session Service (smbd)"
    tcp dport microsoft-ds ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept Microsoft Directory Service (smbd)"
    tcp dport microsoft-ds ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept Microsoft Directory Service (smbd)"
    meta l4proto { tcp, udp } th dport 2049 ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NFS"
    meta l4proto { tcp, udp } th dport 2049 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NFS"


# Allow ping:
    udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)"
add rule inet filter input meta nfproto ipv4 icmp type { echo-request } counter accept
    udp sport { bootpc, 4011 } udp dport { bootps, 4011 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept PXE"
add rule inet filter input meta nfproto ipv6 icmpv6 type echo-request counter accept
    udp dport tftp ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept TFTP"
    udp dport tftp ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept TFTP"
</pre>


# Port forwarding:
= Kommandos =
add rule nat prerouting meta iifname IF_INET tcp dport 10100 dnat HOST_ALFA:22
<pre>
add rule nat prerouting meta iifname IF_INET tcp dport 10101 dnat HOST_BETA:22
# Aktive Regeln anzeigen:
nft list ruleset
# Zeigt aktive Tables:
nft list tables
# Zeigt genannte Table:
nft list tables inet
# iptables-Regeln exportieren
iptables-save > iptables.txt
# in nftables-Syntax wandeln:
iptables-restore-translate -f iptables.txt > nftables.txt
</pre>


# Policies
= Weiterleiten (Forwarding) ermöglichen =
add rule filter input drop;
<pre>
add rule filter forward drop;
# Status:
add rule filter output accept;
sysctl net.ipv4.ip_forward
# Temporär einschalten:
sysctl -w net.ipv4.ip_forward=1
# Permanent einschalten:
vi /etc/sysctl.conf
# net.ipv4.ip_forward = 1
</pre>
</pre>
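Review bot: The new nat/postrouting rules reference `$IP_LOCAL` and `$IP_BRIDGE`, which are never defined (the defines at the top are `IF_LOCAL` and `IF_BRIDGE`), so `nft -f /etc/nftables.conf` rejects the whole file on an undefined symbol; change them to `ip saddr $NET_LOCAL oifname $IF_LOCAL masquerade` and `ip saddr $NET_BRIDGE oifname $IF_BRIDGE masquerade`. The forward chain on the new side keeps `policy drop` with no rules, so connections DNATed in nat/prerouting to $HOST_ALFA/$HOST_BETA are dropped before they reach the VMs; it needs at least `ct state established,related accept` and `ct status dnat accept`. The DNAT rules also lost the `iifname IF_INET` match the old version had, so ports 10100/10101 are now forwarded regardless of ingress interface. The comment `# Port forwarding from 10101 ->` does not match the two rules below it (10100 and 10101).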

Aktuelle Version vom 11. Oktober 2019, 09:08 Uhr

Links

Einleitung

Regeln werden für "Tables" definiert:

  • ip: betrifft IPv4-Protokoll
  • ip6: betrifft IPv6-Protokoll
  • inet: betrifft IPv4- oder IPv6-Protokoll
  • tcp: betrifft TCP-Protokoll
  • udp: betrifft UDP-Protokoll
  • Weitere Tables: Udplite Sctp Dccp Ah Esp Comp Icmp Icmpv6 Ether Dst Frag Hbh Mh Rt Vlan Arp Ct Meta

Beispiel

Ein Host verwaltet virtuelle Maschinen, die per Firewall Serverdienste anbieten:

  • /etc/nftables.conf
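#!/usr/sbin/nft -f
# Firewall and NAT ruleset for a host that runs VMs and forwards selected
# services to them. Loaded with `nft -f`; `flush ruleset` below replaces
# whatever is currently active, so check the file with `nft -c -f` first.

# interfaces:
define IF_INET = eth0
define IF_LOCAL = eth1
define IF_BRIDGE = bridge1

define NET_LOCAL = 10.10.10.0/24
# NOTE(review): 172.16.10.0 is not aligned to a /12 boundary (the /12 network
# would be 172.16.0.0/12) — confirm which prefix was intended.
define NET_BRIDGE = 172.16.10.0/12

define HOST_ALFA = 10.10.10.100
define HOST_BETA = 10.10.10.101

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept comment "Accept any localhost traffic"
    ct state invalid drop comment "Drop invalid connections"
    ct state established,related accept comment "Accept traffic originated from us"
    ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"
    ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"
    ip protocol igmp accept comment "Accept IGMP"

    tcp dport ssh accept comment "Accept SSH on port 22"

    tcp dport { http, https, 8008, 8080 } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)"

  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    # Without these rules every packet DNATed in nat/prerouting below is
    # dropped here and the port forwarding never reaches the VMs.
    ct state invalid drop comment "Drop invalid connections"
    ct state established,related accept comment "Accept reply traffic"
    ct status dnat accept comment "Accept port-forwarded connections"
    # NOTE(review): outbound traffic from the VMs (the flows masqueraded in
    # nat/postrouting) is still dropped by the policy; add an accept for
    # iifname $IF_LOCAL / $IF_BRIDGE here if that is intended.
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table ip nat {

  # Counts packets only; no NAT is applied in this chain.
  chain input {
    type nat hook input priority 0;
    counter
  }

  chain prerouting {
    type nat hook prerouting priority -101;
    counter
    # Port forwarding: external ports 10100/10101 -> SSH on the VMs.
    # Restricted to the internet-facing interface so the same ports on the
    # internal interfaces are not rewritten as well.
    iifname $IF_INET tcp dport 10100 dnat to $HOST_ALFA:22
    iifname $IF_INET tcp dport 10101 dnat to $HOST_BETA:22
    #tcp dport 22 counter redirect to $HOST_ALFA:10101;
    #tcp dport 22 counter redirect to $HOST_ALFA:10102;
  }

  chain postrouting {
    type nat hook postrouting priority 0;
    # $IF_LOCAL / $IF_BRIDGE: the previous $IP_LOCAL / $IP_BRIDGE were never
    # defined and made `nft -f` reject the file.
    # NOTE(review): masquerading towards the internal interfaces looks
    # unintended; for VM internet access this is usually oifname $IF_INET.
    ip saddr $NET_LOCAL oifname $IF_LOCAL masquerade
    ip saddr $NET_BRIDGE oifname $IF_BRIDGE masquerade
    counter
  }
}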
  • Spezielle Anforderungen: Ergänzung in table inet filter:
    # Additional input rules for a host that also serves the LAN; they belong
    # in `chain input` of `table inet filter` above (policy drop).
    # The mDNS rules match the link-local multicast destination only; every
    # other rule restricts the source to ULA/link-local (IPv6) or private and
    # link-local (IPv4) ranges, so none of them opens the service to the internet.
    udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"
    udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"
    
    # Samba: NetBIOS name/datagram/session services and SMB (microsoft-ds)
    udp dport netbios-ns ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Name Service (nmbd)"
    udp dport netbios-ns ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Name Service (nmbd)"
    udp dport netbios-dgm ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Datagram Service (nmbd)"
    udp dport netbios-dgm ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Datagram Service (nmbd)"
    tcp dport netbios-ssn ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Session Service (smbd)"
    tcp dport netbios-ssn ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Session Service (smbd)"
    tcp dport microsoft-ds ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept Microsoft Directory Service (smbd)"
    tcp dport microsoft-ds ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept Microsoft Directory Service (smbd)"
    # NFS: port 2049 over both TCP and UDP (th dport matches either header)
    meta l4proto { tcp, udp } th dport 2049 ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NFS"
    meta l4proto { tcp, udp } th dport 2049 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NFS"

    # DHCP/PXE boot. DHCPDISCOVER arrives from 0.0.0.0 to the limited
    # broadcast address, which the saddr-based rules above would never match.
    udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)"
    udp sport { bootpc, 4011 } udp dport { bootps, 4011 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept PXE"
    udp dport tftp ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept TFTP"
    udp dport tftp ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept TFTP"

Kommandos

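# Syntax-check a ruleset file without loading it (do this before nft -f,
# since the file above starts with `flush ruleset`):
nft -c -f /etc/nftables.conf
# Show the active ruleset:
nft list ruleset
# List the active tables (all families):
nft list tables
# List only the tables of the inet family:
nft list tables inet
# Show one table by family and name (e.g. the filter table above);
# `nft list tables inet` only lists names, it does not show the rules:
nft list table inet filter
# Export existing iptables rules ...
iptables-save > iptables.txt
# ... and translate them into nftables syntax (review the result before loading):
iptables-restore-translate -f iptables.txt > nftables.txt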

Weiterleiten (Forwarding) ermöglichen

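# Current state (0 = off, 1 = on):
sysctl net.ipv4.ip_forward
# Enable until the next reboot:
sysctl -w net.ipv4.ip_forward=1
# Enable permanently: add the line below to /etc/sysctl.conf ...
vi /etc/sysctl.conf
# net.ipv4.ip_forward = 1
# ... and apply the file without rebooting:
sysctl -p
# Note: ip_forward alone is not enough; the forward chain of the ruleset
# above has policy drop and must accept the traffic you want to forward.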