Nftables Testserver: Unterschied zwischen den Versionen

Aus Tutorials
Zur Navigation springen Zur Suche springen
 
(6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
== Stand 10.04.2020 ==
== Schnittstellen ==
 
{| class="wikitable"
! Schnittstelle
! Name
! IP-Adresse
|-
| WAN
| eth0
| 10.2.0.175
|-
| LAN
| wlan0
| 10.3.0.1
|-
| OpenVPN
| tun0
| ---
|}
 
== Stand 16.08.2020 ==


<pre>
<pre>
Zeile 11: Zeile 31:
     flags interval
     flags interval
     auto-merge
     auto-merge
     elements = { 10.2.0.0/24, 10.0.0.0/24, 10.9.2.0/24 }
     elements = { 10.2.0.0/24, 10.0.0.0/24, 10.3.0.0/24 }
   }
   }


Zeile 24: Zeile 44:


     # icmp (ping)
     # icmp (ping)
     iifname "wlan0" icmp type echo-request accept;
     iifname "eth0" icmp type echo-request accept;
     iifname "tun0" icmp type echo-request accept;
     iifname "wlan0" ip daddr { 10.2.0.175 } icmp type echo-request accept;
    iifname "eth0" ip daddr { 10.3.0.1 } icmp type echo-request accept;


     # open sshd (22) for internal networks only
     # open sshd (22) for internal networks only
Zeile 36: Zeile 55:
     # open udp ports: domain (53), openvpn (1194)
     # open udp ports: domain (53), openvpn (1194)
     udp dport { domain, openvpn } accept;
     udp dport { domain, openvpn } accept;
    # dhcp ports: bootps (67)
    udp dport { bootps } accept;


     # mysql (3306)
     # mysql (3306)
     meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
     meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";


    # dhcp server (67)
    udp dport { bootps } accept;
    counter comment "count dropped packets"
     #log
     #log
   }
   }
Zeile 48: Zeile 68:
   chain forward {
   chain forward {
     type filter hook forward priority 0; policy drop;
     type filter hook forward priority 0; policy drop;
   
 
     ip saddr @internal_networks_ip4 accept;
     ip saddr @internal_networks_ip4 accept;
     iifname "wlan0" oifname "tun0" ct state related,established accept;
     iifname "wlan0" oifname "tun0" ct state related,established accept;
 
    iifname "eth0" oifname "tun0" ct state related,established accept;
     #log
     iifname "wlan0" oifname "eth0" ct state related,established accept;
   }
   }


   chain output {
   chain output {
     type filter hook output priority 100; policy accept;
     type filter hook output priority 0; policy accept;
   }
   }
}
}
Zeile 69: Zeile 89:
   chain postrouting {
   chain postrouting {
     type nat hook postrouting priority 100; policy accept;
     type nat hook postrouting priority 100; policy accept;
     oifname "wlan0" ip saddr 10.9.2.0/24 masquerade;
     oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
    oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
    oifname "wlan0" ip saddr 10.3.0.0/24 masquerade;
   }
   }
}
}

Aktuelle Version vom 16. August 2020, 11:07 Uhr

Schnittstellen

Schnittstelle Name IP-Adresse
WAN eth0 10.2.0.175
LAN wlan0 10.3.0.1
OpenVPN tun0 ---

Stand 16.08.2020

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 10.2.0.0/24, 10.0.0.0/24, 10.3.0.0/24 }
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept;

    # loopback interface
    iifname lo accept;

    # icmp (ping)
    iifname "eth0" icmp type echo-request accept;
    iifname "wlan0" ip daddr { 10.2.0.175 } icmp type echo-request accept;

    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"

    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;

    # open udp ports: domain (53), openvpn (1194)
    udp dport { domain, openvpn } accept;

    # mysql (3306)
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";

    # dhcp server (67)
    udp dport { bootps } accept;

    counter comment "count dropped packets"
    #log
  }

  chain forward {
    type filter hook forward priority 0; policy drop;

    ip saddr @internal_networks_ip4 accept;
    iifname "wlan0" oifname "tun0" ct state related,established accept;
    iifname "eth0" oifname "tun0" ct state related,established accept;
    iifname "wlan0" oifname "eth0" ct state related,established accept;
  }

  chain output {
    type filter hook output priority 0; policy accept;
  }
}

# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
    oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
    oifname "wlan0" ip saddr 10.3.0.0/24 masquerade;
  }
}


Zurück zu nftables