Nftables: Unterschied zwischen den Versionen

 
(28 dazwischenliegende Versionen von 2 Benutzern werden nicht angezeigt)
Zeile 1: Zeile 1:
=Install=
+
* [[Nftabels Grundlagen]]
*apt-get install nftables
+
* [[Grundlegendes zum Connection Tracking]]
=Create a basic IPv4 table=
+
* [[nftables console]]
*nft add table inet filter
+
* [[iptables zu nftables]]
=List that table=
+
* [[nftables masquerade]]
*nft list table inet filter
+
* [[nftables Host absichern]]
table inet filter {
+
* [[nftables Netze absichern]]
}
+
* [[nftables misc]]
=Create a chain for input traffic IPv4=
+
* [[nftables Anpassung]]
*nft add chain inet filter input { type filter hook input priority 0\; }
 
=A rule to check that all is fine (IPv4)=
 
*nft add rule inet filter input counter accept
 
=List that table=
 
*nft list table inet filter
 
<pre>
 
table inet filter {
 
chain input {
 
type filter hook input priority 0; policy accept;
 
counter packets 47 bytes 3100 accept
 
}
 
}
 
</pre>
 
=Flush rules in chain filter/input=
 
*nft flush chain inet filter input
 
=Delete the chain filter/input=
 
*nft delete chain inet filter input
 
=Delete the table filter=
 
*nft delete table inet filter
 
 
 
=Example Script=
 
<pre>
 
#!/usr/sbin/nft -f
 
#variable declaration
 
define tcp_lan_input_ports = { 8472, 53 }
 
define tcp_all_input_ports = { 80, 443 }
 
define udp_lan_input_ports = { 53 }
 
define tcp_for_input_ports = { 53 }
 
define udp_for_input_ports = {  53 }
 
 
 
# table declaration
 
add table filter
 
add table nat
 
flush chain filter input
 
flush chain filter output
 
flush chain filter forward
 
table filter {
 
        chain input {
 
                type filter hook input priority 0; policy drop;
 
                ct state established,related counter packets 97 bytes 6640 accept
 
                iifname "lo" counter accept
 
                iifname "ens19" tcp dport $tcp_lan_input_ports counter accept
 
                tcp dport $tcp_all_input_ports  counter accept
 
                udp dport $udp_lan_input_ports  counter accept
 
                log prefix "nft-input "
 
        }
 
 
 
        chain output {
 
                type filter hook output priority 0; policy drop;
 
                ct state established,related counter accept
 
                counter accept
 
                log prefix "nft-output "
 
        }
 
 
 
        chain forward {
 
                type filter hook forward priority 0; policy drop;
 
                ct state established,related counter accept
 
                iifname "ens19" oifname "ens19" counter accept
 
                iifname "ens19" oifname "ens18" tcp dport $tcp_for_input_ports counter accept
 
                iifname "ens19" oifname "ens18" udp dport $udp_for_input_ports counter accept
 
                iifname "ens19" oifname "ens18" icmp type echo-request counter accept
 
                log prefix "nft-forward "
 
        }
 
}
 
</pre>
 

Aktuelle Version vom 7. März 2023, 08:35 Uhr