Benutzer-Werkzeuge
fortgeschrittene:nftables
Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen gezeigt.
| Beide Seiten, vorherige Überarbeitung Vorherige Überarbeitung Nächste Überarbeitung | Vorherige Überarbeitung | ||
|
fortgeschrittene:nftables [2020/01/02 21:43] ingo_wichmann [Doku] |
fortgeschrittene:nftables [2023/12/27 11:31] (aktuell) ingo_wichmann [interaktiv] |
||
|---|---|---|---|
| Zeile 1: | Zeile 1: | ||
| ====== nftables beobachten ====== | ====== nftables beobachten ====== | ||
| watch -d nft -a list ruleset | watch -d nft -a list ruleset | ||
| - | + | (( oder, wenn nur die filter-Regel von Interesse sind: | |
| - | ====== nftables Regeln zurücksetzen ====== | + | watch -d nft -a list table inet filter |
| + | )) | ||
| + | ====== nftables Regeln zurücksetzen/löschen ====== | ||
| nft flush ruleset | nft flush ruleset | ||
| ====== erste nftables Regeln ===== | ====== erste nftables Regeln ===== | ||
| - | |||
| ===== iptables-ähnliche Tabellen und Chains anlegen ===== | ===== iptables-ähnliche Tabellen und Chains anlegen ===== | ||
| ==== interaktiv ==== | ==== interaktiv ==== | ||
| nft -ia | nft -ia | ||
| add table inet filter | add table inet filter | ||
| - | add chain inet filter input { type filter hook input priority 0; policy accept; } | + | add chain inet filter input { type filter hook input priority filter; } |
| - | add chain inet filter forward { type filter hook forward priority 0; policy accept; } | + | add chain inet filter forward { type filter hook forward priority filter; } |
| - | add chain inet filter output { type filter hook output priority 0; policy accept; } | + | add chain inet filter output { type filter hook output priority filter; } |
| + | (( Since Linux kernel 5.2, there is support for performing stateful NAT in inet family chains: http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT) )) | ||
| + | add table inet nat | ||
| + | add chain inet nat prerouting { type nat hook prerouting priority dstnat; } | ||
| + | add chain inet nat postrouting { type nat hook postrouting priority srcnat; } | ||
| ==== mit Konfigurationsdatei ==== | ==== mit Konfigurationsdatei ==== | ||
| <file txt nftables.conf> | <file txt nftables.conf> | ||
| + | flush ruleset | ||
| table inet filter { | table inet filter { | ||
| chain input { | chain input { | ||
| - | type filter hook input priority 0; policy accept; | + | type filter hook input priority filter; |
| } | } | ||
| chain forward { | chain forward { | ||
| - | type filter hook forward priority 0; policy accept; | + | type filter hook forward priority filter; |
| } | } | ||
| chain output { | chain output { | ||
| - | type filter hook output priority 0; policy accept; | + | type filter hook output priority filter; |
| + | } | ||
| + | } | ||
| + | table inet nat { | ||
| + | chain prerouting { | ||
| + | type nat hook prerouting priority dstnat; | ||
| + | } | ||
| + | chain postrouting { | ||
| + | type nat hook postrouting priority srcnat; | ||
| } | } | ||
| } | } | ||
| </file> | </file> | ||
| nft -f nftables.conf | nft -f nftables.conf | ||
| + | |||
| + | ===== erste tcp-Ports schließen ===== | ||
| + | nft -ia | ||
| + | insert rule inet filter input tcp dport { 80, 3128 } drop | ||
| + | |||
| + | Alternativ, mit named sets: | ||
| + | nft -ia | ||
| + | add set inet filter port_blacklist { type inet_service; } | ||
| + | add element inet filter port_blacklist { 80, 3128 } | ||
| + | replace rule inet filter input handle 7 tcp dport @port_blacklist drop | ||
| + | |||
| + | ===== einzelne Regel löschen ===== | ||
| + | nft -ia | ||
| + | delete rule inet filter input handle 7 | ||
| + | ====== nftables Regeln debuggen ====== | ||
| + | ===== counter nutzen ===== | ||
| + | ''accept'', ''drop'' oder ''reject'' jeweils ''counter'' voran stellen: ''counter accept'', ''counter drop'' oder ''counter reject'' | ||
| + | |||
| + | Beispiel: | ||
| + | nft -ia | ||
| + | replace rule inet filter input handle 7 tcp dport { 80, 3128 } counter reject with tcp reset | ||
| + | |||
| + | alle counter beobachten: | ||
| + | watch -d nft -a list ruleset | ||
| + | gezielter nur die counter einer Chain beobachten: | ||
| + | watch -d nft -a list chain inet filter input | ||
| + | |||
| + | ==== counter zurücksetzen ==== | ||
| + | auf die harte Tour: alle aktuellen Regeln löschen und neu einlesen: | ||
| + | (echo 'flush ruleset'; nft -s list ruleset) | nft -f - | ||
| + | ===== Pakete loggen ===== | ||
| + | nft -ia | ||
| + | add rule inet filter input log prefix "input accept" | ||
| + | |||
| + | geloggte Pakete anzeigen: | ||
| + | dmesg -Tw | ||
| + | |||
| + | ===== Lauf von Paketen nachverfolgen/tracen ===== | ||
| + | Trace-Regel hinzufügen: | ||
| + | nft insert rule inet filter input iifname eth0 nftrace set 1 | ||
| + | |||
| + | Pakete anzeigen: | ||
| + | nft monitor trace | ||
| + | |||
| + | ====== aktuelle nftables Regeln speichern ====== | ||
| + | nft -s list ruleset > /etc/nftables.conf | ||
| + | |||
| + | ====== nftables Regeln aus Datei laden ====== | ||
| + | nft -f /etc/nftables.conf | ||
| ====== nft Syntax ====== | ====== nft Syntax ====== | ||
| ^ action ^ object ^ family ^ | ^ action ^ object ^ family ^ | ||
| - | | create | ruleset | inet | | + | | create | ruleset | inet | |
| - | | add | table | ip | | + | | add | table(s) | ip | |
| - | | delete | chain | ip6 | | + | | delete | chain(s) | ip6 | |
| - | | rename | rule | | + | | rename | rule | |
| - | | list | | + | | list | set | |
| | flush | | | flush | | ||
| | insert | | | insert | | ||
| Zeile 49: | Zeile 112: | ||
| * https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes | * https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes | ||
| * Allow ICMPv6 traffic (https://tools.ietf.org/html/rfc4890#page-18) | * Allow ICMPv6 traffic (https://tools.ietf.org/html/rfc4890#page-18) | ||
| + | * https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg | ||
fortgeschrittene/nftables.1578001432.txt.gz · Zuletzt geändert: 2020/01/02 21:43 von ingo_wichmann
Seiten-Werkzeuge
Falls nicht anders bezeichnet, ist der Inhalt dieses Wikis unter der folgenden Lizenz veröffentlicht: CC Attribution-Noncommercial-Share Alike 4.0 International
