Nftables (Linux)
Revision as of 22 March 2020, 17:35
Still work in progress
Installation
sudo apt-get install -y nftables
Service
sudo systemctl enable nftables.service
sudo systemctl restart nftables.service
Firewall
Pre-configuration
sudo vi /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy accept;
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
table inet filter
- Creates a table named filter for the inet family.
- The inet family lets you write rules for IPv4 and IPv6 in one ruleset; the ip and ip6 families each see only one protocol. Note that inside an inet table, matches such as ip saddr or icmp type still apply to IPv4 only; their IPv6 counterparts are ip6 saddr and icmpv6 type.
type filter hook input priority 0;
- type sets the kind of chain. Possible values are filter, route or nat.
- hook sets the processing stage at which packets reach the chain. Possible values are prerouting, input, forward, output or postrouting. Only a chain with a hook (a base chain) sees traffic directly; chains without one are reached via jump or goto.
- priority sets the order in which chains registered on the same hook run, and where the chain sits relative to the kernel's own netfilter operations. Lower values run first; connection tracking runs at -200, so a filter chain at priority 0 already sees ct state.
policy accept;
- The chain's default verdict: a packet that matches no rule is accepted. For the input chain of a server, policy drop with explicit accept rules is the safer choice (see the server firewall below); policy accept is only appropriate while a ruleset is being built.
Links
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
Examples (rate limiting)

# icmp (ping): at most 10 echo requests per second, with a burst allowance of 2 packets
icmp type echo-request limit rate 10/second burst 2 packets counter accept;

# open sshd (22) for internal networks only, at most 15 packets per minute
tcp dport { ssh } ip saddr @internal_networks_ip4 limit rate 15/minute accept;

limit is a token bucket: packets within the rate match and are accepted, packets above it do not match and fall through to the following rules and finally to the chain policy. Because established connections are accepted by an earlier rule in the rulesets below, the SSH limit effectively counts only new connection attempts; adding ct state new to the rule makes that explicit.
Links
https://wiki.nftables.org/wiki-nftables/index.php/Rate_limiting_matchings
Server firewall
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.6.0/24 }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    # established/related connections
    ct state established,related accept;
    # packets conntrack cannot classify (bad TCP flags, out-of-window) must not reach the accept rules
    ct state invalid drop;
    # loopback interface
    iifname lo accept;
    # icmp (ping); in an inet table "icmp" matches IPv4 only
    icmp type echo-request accept;
    # icmpv6: neighbour discovery must pass, otherwise IPv6 does not work at all behind policy drop
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept;
    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
    #tcp dport { ssh } accept comment "accept SSH from all networks"
    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;
    # open udp ports: domain (53), openvpn (1194)
    udp dport { domain, openvpn } accept;
    # mail ports: pop3 (110), imap (143, service name imap2), submission (587); all of them TCP only
    tcp dport { pop3, imap2, submission } accept;
    # mysql (3306): @th,16,16 reads the 16-bit destination port of either transport header
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
    counter comment "count dropped packets"
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    counter comment "count dropped packets"
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
Server firewall testing
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
  }
  chain input {
    type filter hook input priority 0; policy drop;
    # established/related connections
    ct state established,related accept;
    # loopback interface
    iifname lo accept;
    # icmp (ping)
    icmp type echo-request accept;
    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;
    # open udp ports: domain (53), openvpn (1194)
    udp dport { domain, openvpn } accept;
    # mysql (3306)
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
    #iifname "wlan0" accept;
    #log
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    #type filter hook forward priority 0; policy accept;
    # in this ruleset wlan0 is the LAN side and eth0 the WAN side
    iifname "wlan0" oifname "eth0" accept;
    iifname "eth0" oifname "wlan0" ct state related,established accept;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }
  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    #ip saddr 10.8.5.0/24 oifname "eth0" masquerade
    oifname "eth0" masquerade;
  }
}
Links
https://de.wikipedia.org/wiki/Liste_der_standardisierten_Ports
Routing
IP forwarding must be enabled (net.ipv4.ip_forward = 1 via sysctl), otherwise the forward chain never sees any traffic; see Netzwerk einrichten.
# firewall; the ip family is IPv4 only, IPv6 traffic is not filtered by this table at all
table ip filter {
  # allow all packets sent by the firewall machine itself
  chain output {
    type filter hook output priority 100; policy accept;
  }
  # allow LAN to firewall, disallow WAN to firewall
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "lan0" accept
    iifname "wan0" drop
  }
  # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
  chain forward {
    type filter hook forward priority 0; policy drop;
    iifname "lan0" oifname "wan0" accept
    iifname "wan0" oifname "lan0" ct state related,established accept
  }
}
# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }
  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wan0" masquerade
  }
}
Links
https://wiki.gentoo.org/wiki/Nftables/Examples
Routing Temp
#!/usr/sbin/nft -f
flush ruleset
# firewall; note that in this ruleset wlan0 is the WAN side and eth0 the LAN side
table ip filter {
  # allow all packets sent by the firewall machine itself
  chain output {
    type filter hook output priority 100; policy accept;
  }
  # temporary: both interfaces may reach the firewall, the WAN drop is commented out
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "eth0" accept
    # iifname "wlan0" drop
    iifname "wlan0" accept
  }
  # temporary: everything is forwarded, the LAN-to-WAN-only rules are commented out
  chain forward {
    # type filter hook forward priority 0; policy drop;
    type filter hook forward priority 0; policy accept;
    # iifname "eth0" oifname "wlan0" accept
    # iifname "wlan0" oifname "eth0" ct state related,established accept
  }
}
# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
    # redirect port 81 arriving on the WAN side to port 80 at 10.1.0.150
    iif wlan0 tcp dport 81 dnat to 10.1.0.150:80;
  }
  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" masquerade
  }
}
Verification
sudo nft list table inet filter
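Listing the table shows what is loaded, but it does not tell you whether the loaded ruleset still enforces the two properties the server firewall and routing sections above rely on: input and forward base chains end in policy drop, and the accept rules for internal-only services (ssh, mysql) carry an ip saddr restriction. The script below is an added example for this page, not part of the wiki's configuration; it audits the JSON that nft -j list ruleset prints. The JSON layout (a top-level "nftables" array of metainfo, table, set, chain and rule objects, with match expressions as left/op/right) is taken from libnftables' JSON output, and the embedded sample ruleset is constructed by hand to mirror the server firewall above with two deliberate mistakes so the audit has something to find.

```python
"""Audit an nftables ruleset exported as JSON (nft -j list ruleset).

Added example for this page, not part of the wiki's configuration. Two checks:
input/forward base chains must have policy drop, and accept rules for the
internal-only ports (ssh, mysql) must carry a saddr restriction.
"""
import json
import sys

# Constructed sample in the layout libnftables prints with -j. It mirrors the
# server firewall above, but the input chain was left on policy accept and the
# commented-out "accept SSH from all networks" rule (handle 7) is live.
SAMPLE_RULESET_JSON = json.dumps({"nftables": [
    {"metainfo": {"version": "0.9.3", "json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter", "handle": 1}},
    {"set": {"family": "inet", "table": "filter", "name": "internal_networks_ip4",
             "type": "ipv4_addr", "handle": 2, "flags": ["interval"],
             "elem": [{"prefix": {"addr": "10.0.0.0", "len": 24}},
                      {"prefix": {"addr": "10.2.0.0", "len": 24}}]}},
    {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 3,
               "type": "filter", "hook": "input", "prio": 0, "policy": "accept"}},
    {"chain": {"family": "inet", "table": "filter", "name": "forward", "handle": 4,
               "type": "filter", "hook": "forward", "prio": 0, "policy": "drop"}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 5, "expr": [
        {"match": {"op": "in", "left": {"ct": {"key": "state"}},
                   "right": ["established", "related"]}},
        {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 6, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                   "right": 22}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "ip", "field": "saddr"}},
                   "right": "@internal_networks_ip4"}},
        {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 7, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                   "right": 22}},
        {"accept": None}]}},
    {"rule": {"family": "inet", "table": "filter", "chain": "input", "handle": 8, "expr": [
        {"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}},
                   "right": {"set": [80, 443]}}},
        {"accept": None}]}},
]})


def load_ruleset(text):
    """Return the list of ruleset objects from nft's JSON output."""
    return json.loads(text)["nftables"]


def base_chains(objs):
    """Base chains are the chains bound to a hook; only they carry a policy."""
    return [o["chain"] for o in objs if "chain" in o and "hook" in o["chain"]]


def rules_in(objs, chain):
    """All rules that belong to the given chain object."""
    return [o["rule"] for o in objs if "rule" in o
            and o["rule"]["family"] == chain["family"]
            and o["rule"]["table"] == chain["table"]
            and o["rule"]["chain"] == chain["name"]]


def payload_matches(rule, field):
    """Yield the right-hand side of every payload match on the given header field."""
    for e in rule["expr"]:
        m = e.get("match")
        if m and m["left"].get("payload", {}).get("field") == field:
            yield m["right"]


def matches_port(rule, port):
    """True if the rule matches dport == port, as a plain value or inside an anonymous set."""
    for right in payload_matches(rule, "dport"):
        values = right["set"] if isinstance(right, dict) and "set" in right else [right]
        if port in values:
            return True
    return False


def has_source_restriction(rule):
    """True if the rule also constrains the source address (ip/ip6 saddr match)."""
    return any(True for _ in payload_matches(rule, "saddr"))


def verdict(rule):
    """The rule's verdict statement, or None if it only counts or logs."""
    for e in rule["expr"]:
        for v in ("accept", "drop", "reject", "jump", "goto", "return"):
            if v in e:
                return v
    return None


def audit(text, restricted_ports=(22, 3306)):
    """Return a list of findings; an empty list means both checks passed."""
    objs = load_ruleset(text)
    findings = []
    for chain in base_chains(objs):
        if chain["hook"] in ("input", "forward") and chain.get("policy") != "drop":
            findings.append(f"chain {chain['family']} {chain['table']} {chain['name']}: "
                            f"hook {chain['hook']} has policy {chain.get('policy')}, expected drop")
        if chain["hook"] != "input":
            continue
        for rule in rules_in(objs, chain):
            if verdict(rule) != "accept":
                continue
            for port in restricted_ports:
                if matches_port(rule, port) and not has_source_restriction(rule):
                    findings.append(f"rule handle {rule['handle']}: accepts dport {port} "
                                    "from any source (no saddr restriction)")
    return findings


if __name__ == "__main__":
    # Real use: sudo nft -j list ruleset | python3 nft_audit.py ; without stdin the sample runs.
    data = SAMPLE_RULESET_JSON if sys.stdin.isatty() else sys.stdin.read()
    for line in audit(data) or ["no findings"]:
        print(line)
```

Run it against the live box with sudo nft -j list ruleset piped into the script; on the sample it reports the input chain's policy accept and the unrestricted SSH rule at handle 7. Before reloading an edited /etc/nftables.conf, nft -c -f /etc/nftables.conf checks the syntax without touching the kernel ruleset, which avoids locking yourself out through a typo that flush ruleset would otherwise turn into an empty, policy-accept firewall or a failed load. The script ignores rule comments (the comment key in the JSON) and only inspects payload matches, so a saddr restriction expressed through a meta or set-lookup statement other than ip saddr would be reported as missing.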
Links
https://www.netfilter.org/projects/nftables/manpage.html
https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
https://wiki.debian.org/nftables
https://manpages.debian.org/testing/nftables/nftables.8.en.html
https://linuxandcaffeine.com/setup-a-simple-web-server-firewall-using-nftables/