Hardening a Host with nftables

From Xinux Wiki
Current revision as of 22 May 2026, 09:14

The first rules that actually do something

  • For now we only want to secure the host itself.
  • The forward chain can therefore be left aside for the moment.
  • Everything below refers to the host alone.
  • What we want to achieve:
  • The machine must be able to talk to itself over the loopback interface.
  • From the machine outwards, everything is allowed.
  • The machine must be reachable via "ssh".

The first sensible configuration

  • cat /etc/nftables.conf
#!/usr/sbin/nft -f

# Variables
define WANIP = <WANIP of the firewall>
define LAN = 172.26.2XX.0/24
define MGMT = 172.27.2XX.0/24
define SERVER = 10.2XX.1.0/24
define DMZ = 10.88.2XX.0/24
define KIT = 172.22.0.0/16
define WANDEV = enp0s3
# Delete the old rules (flush)
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                ct state new iif "lo" accept
                ct state new tcp dport 22 accept
        }

        chain output {
                type filter hook output priority filter; policy drop;
                ct state established,related accept
                ct state new accept
        }
}
table inet nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                # DMZ traffic to KIT and to the rest of 10.88/16 is routed without NAT
                ip saddr $DMZ ip daddr $KIT return
                ip saddr $DMZ ip daddr 10.88.0.0/16 return
                # everything else leaving via WANDEV is source-NATed to the firewall's WAN address
                ip saddr $DMZ oif $WANDEV snat to $WANIP
                ip saddr $LAN oif $WANDEV snat to $WANIP
                ip saddr $SERVER oif $WANDEV snat to $WANIP
                ip saddr $MGMT oif $WANDEV snat to $WANIP
        }
}

Activate and check

Activate
  • nft -f /etc/nftables.conf
Check
  • nft list ruleset

nft -f applies the whole file as one transaction, so the flush and the new rules take effect together and there is no moment in which the host runs without rules. When loading over an SSH session it is worth parsing the file first with the -c (check) option: a syntax error is then reported without touching the live ruleset.

Allowing ping

  • cat /etc/nftables.conf
#!/usr/sbin/nft -f

# Variables
define WANIP = <WANIP of the firewall>
define LAN = 172.26.2XX.0/24
define MGMT = 172.27.2XX.0/24
define SERVER = 10.2XX.1.0/24
define DMZ = 10.88.2XX.0/24
define KIT = 172.22.0.0/16
define WANDEV = enp0s3
# Delete the old rules (flush)
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                ct state new iif "lo" accept
                ct state new tcp dport 22 accept
                # IPv4 ping; IPv6 echo requests would need a separate icmpv6 rule
                ct state new icmp type echo-request accept
        }

        chain output {
                type filter hook output priority filter; policy drop;
                ct state established,related accept
                ct state new accept
        }
}
table inet nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr $DMZ ip daddr $KIT return
                ip saddr $DMZ ip daddr 10.88.0.0/16 return
                ip saddr $DMZ oif $WANDEV snat to $WANIP
                ip saddr $LAN oif $WANDEV snat to $WANIP
                ip saddr $SERVER oif $WANDEV snat to $WANIP
                ip saddr $MGMT oif $WANDEV snat to $WANIP
        }
}

Activate and check

Activate
  • nft -f /etc/nftables.conf
Check
  • nft list ruleset

Logging

  • We want to log the rejected packets.
  • The idea is to place a rule right before the default policy takes effect.
  • log is a non-terminating statement: the packet is logged and then continues to the next rule. As the last rule of a chain with policy drop it therefore sees exactly the packets that no accept rule took, which is what the "drop" prefix claims. Put it earlier and accepted traffic would be logged as dropped.
  • New: we add a log rule to every chain to record the dropped packets
  • cat /etc/nftables.conf
#!/usr/sbin/nft -f

# Variables
define WANIP = <WANIP of the firewall>
define LAN = 172.26.2XX.0/24
define MGMT = 172.27.2XX.0/24
define SERVER = 10.2XX.1.0/24
define DMZ = 10.88.2XX.0/24
define KIT = 172.22.0.0/16
define WANDEV = enp0s3
# Delete the old rules (flush)
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                ct state new iif "lo" accept
                ct state new tcp dport 22 accept
                ct state new icmp type echo-request accept
                # last rule: everything that reaches this point is about to hit policy drop
                log prefix " --nftables-drop-input-- "
        }

        chain output {
                type filter hook output priority filter; policy drop;
                ct state established,related accept
                ct state new oif "lo" accept
                ct state new accept
                log prefix " --nftables-drop-output-- "
        }
}
table inet nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr $DMZ ip daddr $KIT return
                ip saddr $DMZ ip daddr 10.88.0.0/16 return
                ip saddr $DMZ oif $WANDEV snat to $WANIP
                ip saddr $LAN oif $WANDEV snat to $WANIP
                ip saddr $SERVER oif $WANDEV snat to $WANIP
                ip saddr $MGMT oif $WANDEV snat to $WANIP
        }
}
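The ordering argument for the log rule (accept rules first, log last, the drop policy after that) can be checked mechanically before a file is loaded. The following Python script is an added example and not part of the wiki page or of nftables itself: it parses a ruleset in the one-statement-per-line layout used above and, for every filter chain with policy drop, reports a log rule that is followed by an accept rule (those packets would be logged as dropped although they are accepted), a missing established,related accept, and, for inet tables, the absence of any icmpv6 rule, because ICMPv6 neighbour discovery is not tracked by conntrack and is dropped by such a chain unless accepted explicitly. The two sample rulesets are constructed for this example from the configuration above, with the 2XX placeholders filled in as 213 and a documentation address as WANIP.

```python
"""Static sanity checks for a host ruleset like the one above (added example, not page code)."""
import re

# Constructed sample: the logging variant from the page with placeholders filled in.
GOOD_RULESET = """\
#!/usr/sbin/nft -f
define WANIP = 203.0.113.10
define DMZ = 10.88.213.0/24
define KIT = 172.22.0.0/16
define WANDEV = enp0s3
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                ct state new iif "lo" accept
                ct state new tcp dport 22 accept
                ct state new icmp type echo-request accept
                log prefix " --nftables-drop-input-- "
        }
        chain output {
                type filter hook output priority filter; policy drop;
                ct state established,related accept
                ct state new oif "lo" accept
                ct state new accept
                log prefix " --nftables-drop-output-- "
        }
}
table inet nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr $DMZ ip daddr $KIT return
                ip saddr $DMZ oif $WANDEV snat to $WANIP
        }
}
"""

# Constructed counter-example: the log rule was placed in front of the ssh accept rule.
BAD_RULESET = """\
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                log prefix " --nftables-drop-input-- "
                ct state new tcp dport 22 accept
        }
}
"""

TABLE_RE = re.compile(r"^table\s+(\w+)\s+(\w+)\s*\{$")
CHAIN_RE = re.compile(r"^chain\s+(\S+)\s*\{$")
TYPE_RE = re.compile(r"^type\s+(\w+)\s+hook\s+(\w+).*?policy\s+(\w+)\s*;")


def parse_chains(text):
    """Return {"family table/chain": {...}} for the one-statement-per-line layout used on the page."""
    chains = {}
    table, chain = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and the shebang
        if not line:
            continue
        if (m := TABLE_RE.match(line)):
            table = f"{m.group(1)} {m.group(2)}"
            continue
        if table and (m := CHAIN_RE.match(line)):
            chain = f"{table}/{m.group(1)}"
            chains[chain] = {"family": table.split()[0], "type": None, "hook": None,
                             "policy": None, "rules": []}
            continue
        if line == "}":
            if chain:            # closing brace of a chain
                chain = None
            else:                # closing brace of a table
                table = None
            continue
        if chain is None:
            continue             # define, flush ruleset, ... live outside chains
        if (m := TYPE_RE.match(line)):
            chains[chain].update(type=m.group(1), hook=m.group(2), policy=m.group(3))
        else:
            chains[chain]["rules"].append(line)
    return chains


def lint(text):
    """Return (chain, finding) pairs for every filter chain whose default policy is drop."""
    findings = []
    for name, ch in parse_chains(text).items():
        if ch["type"] != "filter" or ch["policy"] != "drop":
            continue
        rules = ch["rules"]
        for i, rule in enumerate(rules):
            # log is non-terminating: anything accepted after it was already logged as a drop
            if re.search(r"\blog\b", rule) and any(r.endswith(" accept") for r in rules[i + 1:]):
                findings.append((name, "log-before-accept"))
                break
        if not any("established,related" in r for r in rules):
            findings.append((name, "no-established-related"))
        # ICMPv6 neighbour discovery is untracked by conntrack, so neither "ct state new" nor
        # "established,related" matches it; with policy drop it must be accepted explicitly.
        if ch["family"] == "inet" and not any("icmpv6" in r for r in rules):
            findings.append((name, "no-icmpv6"))
    return findings


if __name__ == "__main__":
    for label, ruleset in (("page ruleset", GOOD_RULESET), ("log moved up", BAD_RULESET)):
        print(label)
        for chain, finding in lint(ruleset):
            print(f"  {chain}: {finding}")
```

On the page's own ruleset the only finding is the missing icmpv6 handling in both chains, which matters as soon as the lab network carries IPv6; the counter-example additionally triggers log-before-accept. On a production host the log rule is usually also rate-limited so that a scan cannot flood the journal.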

Opening DHCP for the LAN

  • New: we open UDP port 67 (DHCP server) for the LAN interface
  • cat /etc/nftables.conf
#!/usr/sbin/nft -f

# Variables
define WANIP = <WANIP of the firewall>
define LAN = 172.26.2XX.0/24
define MGMT = 172.27.2XX.0/24
define SERVER = 10.2XX.1.0/24
define DMZ = 10.88.2XX.0/24
define KIT = 172.22.0.0/16
define WANDEV = enp0s3
define LANDEV = enp0s9
# Delete the old rules (flush)
flush ruleset
table inet filter {
        chain input {
                type filter hook input priority filter; policy drop;
                ct state established,related accept
                ct state new iif "lo" accept
                ct state new tcp dport 22 accept
                ct state new icmp type echo-request accept
                # DHCP requests (including the broadcast DISCOVER from 0.0.0.0) only on the LAN interface
                ct state new iif $LANDEV udp dport 67 accept
                log prefix " --nftables-drop-input-- "
        }

        chain output {
                type filter hook output priority filter; policy drop;
                ct state established,related accept
                ct state new oif "lo" accept
                ct state new accept
                log prefix " --nftables-drop-output-- "
        }
}
table inet nat {
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr $DMZ ip daddr $KIT return
                ip saddr $DMZ ip daddr 10.88.0.0/16 return
                ip saddr $DMZ oif $WANDEV snat to $WANIP
                ip saddr $LAN oif $WANDEV snat to $WANIP
                ip saddr $SERVER oif $WANDEV snat to $WANIP
                ip saddr $MGMT oif $WANDEV snat to $WANIP
        }
}

nftables logging via journalctl

Follow the kernel log filtered for the nftables prefixes (-k kernel messages, -f follow, -g pattern)
  • journalctl -k -f -g nftables
Log text only, without metadata
  • journalctl -k -f -g nftables -o cat
Log output with ISO timestamps
  • journalctl -k -f -g nftables -o short-iso
Only drop-input
  • journalctl -k -f -g nftables-drop-input
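Reading the drop log by eye gets tedious once more than a handful of lines arrive, and for the "positive and negative" test in the exercise below you want to know which source, interface and destination port the dropped packets had. The following Python script is an added example, not from the wiki page or from the nftables project: it parses kernel log lines as printed by journalctl -k -g nftables -o cat (the netfilter key=value format the log statement produces) and aggregates them by prefix, interface and target. The sample lines are constructed for this example with documentation addresses; the field names IN, OUT, SRC, DST, PROTO, SPT, DPT and TYPE are the ones the kernel emits.

```python
"""Aggregate nftables drop-log lines (added example, not page code)."""
import re
from collections import Counter

# Constructed sample, shaped like `journalctl -k -g nftables -o cat` output for the rulesets above.
SAMPLE_LOG = [
    ' --nftables-drop-input-- IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=21311 DF PROTO=TCP SPT=41022 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0',
    ' --nftables-drop-input-- IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=203.0.113.45 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=21312 DF PROTO=TCP SPT=41023 DPT=2323 WINDOW=64240 RES=0x00 SYN URGP=0',
    ' --nftables-drop-input-- IN=enp0s8 OUT= MAC=ff:ff:ff:ff:ff:ff:08:00:27:de:ad:01:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308',
    ' --nftables-drop-input-- IN=enp0s3 OUT= MAC=08:00:27:aa:bb:cc:52:54:00:11:22:33:08:00 SRC=192.0.2.9 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=61 ID=4711 PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1',
    ' --nftables-drop-output-- IN= OUT=enp0s3 SRC=198.51.100.7 DST=203.0.113.45 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=22 DPT=41022 WINDOW=0 RES=0x00 ACK RST URGP=0',
    'unrelated kernel message without a netfilter payload',
]

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_drop_line(line):
    """Split one log line into prefix and key=value fields; None if it is not a netfilter log line."""
    head, sep, rest = line.partition("IN=")
    if not sep:
        return None
    fields = {"PREFIX": head.strip()}
    for key, value in KV_RE.findall("IN=" + rest):
        fields.setdefault(key, value)   # keep the IP-layer LEN/ID, not the UDP/ICMP one that follows
    return fields


def target(fields):
    """Protocol and destination port (or ICMP type) the dropped packet was aimed at."""
    proto = fields.get("PROTO", "?")
    if proto in ("TCP", "UDP"):
        return f"{proto.lower()}/{fields.get('DPT', '?')}"
    if proto == "ICMP":
        return f"icmp/type{fields.get('TYPE', '?')}"
    return proto.lower()


def summarize(lines):
    """Count drops per (prefix, interface, target) and per (prefix, source address)."""
    by_target, by_source = Counter(), Counter()
    for line in lines:
        fields = parse_drop_line(line)
        if fields is None:
            continue
        # input drops carry IN=, output drops carry OUT=
        iface = fields.get("IN") or fields.get("OUT") or "?"
        by_target[(fields["PREFIX"], iface, target(fields))] += 1
        by_source[(fields["PREFIX"], fields.get("SRC", "?"))] += 1
    return by_target, by_source


if __name__ == "__main__":
    by_target, by_source = summarize(SAMPLE_LOG)
    print("drops by prefix / interface / target")
    for (prefix, iface, tgt), n in by_target.most_common():
        print(f"  {n:4d}  {prefix:<26} {iface:<8} {tgt}")
    print("drops by source")
    for (prefix, src), n in by_source.most_common():
        print(f"  {n:4d}  {prefix:<26} {src}")
```

The UDP 67 line on enp0s8 is the kind of negative result the exercise asks for: a DHCP discover that arrives on an interface other than $LANDEV is dropped and shows up here, which is how a wrong LANDEV definition is spotted. The repeated source 203.0.113.45 on ports 23 and 2323 is the typical signature of a scan hitting the input chain from the WAN side.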

Enabling the firewall at system start

  • systemctl enable nftables --now

The nftables service unit loads /etc/nftables.conf at boot, so the file above must be free of syntax errors or the host comes up without rules.

Source or destination IPs or networks

Note for the exercises.

Source IPs or networks are matched with ip saddr followed by the address or network

Destination IPs or networks are matched with ip daddr followed by the address or network

Example
ct state new iif "enp0s9" ip saddr 172.26.213.0/24 tcp dport 22 accept

Combining iif with ip saddr, as in the example, accepts the source network only on the interface it actually sits behind; a packet with a spoofed LAN address arriving on the WAN interface does not match.

Exercise

  • Restrict ssh access so that only the following ranges are allowed:
    • DMZ
    • LAN
    • SERVER
    • HOST
Test whether the rules take effect, both positively and negatively :)

Handling

Show the ruleset
  • nft list ruleset
Reload the ruleset
  • systemctl restart nftables

or

  • nft -f /etc/nftables.conf
Delete the ruleset
  • systemctl stop nftables

or

  • nft flush ruleset

Note: after flush ruleset there are no chains and therefore no drop policy; all traffic is accepted until a ruleset is loaded again.

Enable the firewall at system start
  • systemctl enable nftables
Is the firewall enabled?
  • systemctl is-enabled nftables
Start the firewall
  • systemctl start nftables
Start and enable the firewall
  • systemctl enable nftables --now
Logging
  • journalctl -fkg nftables