Nftables: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Zeile 8: | Zeile 8: | ||
# interfaces: | # interfaces: | ||
define IF_INET = eth0 | define IF_INET = eth0 | ||
define IF_LOCAL = eth1 | |||
define IF_BRIDGE = bridge1 | |||
define NET_LOCAL = 10.10.10.0/24 | |||
define NET_BRIDGE = 172.16.10.0/12 | |||
define HOST_ALFA = 10.10.10.100 | |||
define HOST_BETA = 10.10.10.101 | |||
flush ruleset | flush ruleset | ||
Zeile 44: | Zeile 52: | ||
counter | counter | ||
# Port forwarding from 10101 -> | # Port forwarding from 10101 -> | ||
tcp dport 22 counter redirect to 10101; | tcp dport 10100 dnat $HOST_ALFA:22 | ||
tcp dport 22 counter redirect to 10102; | tcp dport 10101 dnat $HOST_BETA:22 | ||
#tcp dport 22 counter redirect to $HOST_ALFA:10101; | |||
#tcp dport 22 counter redirect to $HOST_ALFA:10102; | |||
} | } | ||
chain postrouting { | chain postrouting { | ||
type nat hook postrouting priority 0; | type nat hook postrouting priority 0; | ||
ip saddr $NET_LOCAL oifname $IP_LOCAL masquerade | |||
ip saddr $NET_BRIDGE oifname $IP_BRIDGE masquerade | |||
counter | counter | ||
} | } |
Version vom 29. September 2019, 17:39 Uhr
Kategorie:server Kategorie:firewall
Beispiel
Ein Host verwaltet virtuelle Maschinen, die per Firewall Serverdienste anbieten:
#!/usr/sbin/nft -f # interfaces: define IF_INET = eth0 define IF_LOCAL = eth1 define IF_BRIDGE = bridge1 define NET_LOCAL = 10.10.10.0/24 define NET_BRIDGE = 172.16.10.0/12 define HOST_ALFA = 10.10.10.100 define HOST_BETA = 10.10.10.101 flush ruleset table inet filter { chain input { type filter hook input priority 0; policy drop; iif lo accept comment "Accept any localhost traffic" ct state invalid drop comment "Drop invalid connections" ct state established,related accept comment "Accept traffic originated from us" ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6" ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP" ip protocol igmp accept comment "Accept IGMP" tcp dport ssh accept comment "Accept SSH on port 22" tcp dport { http, https, 8008, 8080 } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)" } chain forward { type filter hook forward priority 0; policy drop; } chain output { type filter hook output priority 0; policy accept; } } table ip nat { chain input { type nat hook input priority 0; counter } chain prerouting { type nat hook prerouting priority -101; counter # Port forwarding from 10101 -> tcp dport 10100 dnat $HOST_ALFA:22 tcp dport 10101 dnat $HOST_BETA:22 #tcp dport 22 counter redirect to $HOST_ALFA:10101; #tcp dport 22 counter redirect to $HOST_ALFA:10102; } chain postrouting { type nat hook postrouting priority 0; ip saddr $NET_LOCAL oifname $IP_LOCAL masquerade ip saddr $NET_BRIDGE oifname $IP_BRIDGE masquerade counter } }
- Spezielle Anforderungen: Ergänzung in table inet filter:
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS" udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS" udp dport netbios-ns ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Name Service (nmbd)" udp dport netbios-ns ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Name Service (nmbd)" udp dport netbios-dgm ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Datagram Service (nmbd)" udp dport netbios-dgm ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Datagram Service (nmbd)" tcp dport netbios-ssn ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Session Service (smbd)" tcp dport netbios-ssn ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Session Service (smbd)" tcp dport microsoft-ds ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept Microsoft Directory Service (smbd)" tcp dport microsoft-ds ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept Microsoft Directory Service (smbd)" meta l4proto { tcp, udp } th dport 2049 ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NFS" meta l4proto { tcp, udp } th dport 2049 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NFS" udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)" udp sport { bootpc, 4011 } udp dport { bootps, 4011 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept PXE" udp dport tftp ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept TFTP" udp dport tftp ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept TFTP"