mirror of https://github.com/tLDP/LDP
update nftables section
This commit is contained in:
parent
4ae6752949
commit
2684af99a4
|
@ -1980,19 +1980,18 @@ Chain intOUT (1 references)
|
||||||
<title>Präparation zur Nutzung von nftables</title>
|
<title>Präparation zur Nutzung von nftables</title>
|
||||||
<para>Installieren einer Linux-Distribution, welche die Unterstützung für nftables bereits eingebaut hat. Beim Schreiben dieses Absatzes (Mai 2014) war mindestens Fedora Rawhide (Vorläufer der Version 21) mit entsprechendem Support und nftables version 0.2.0 versehen.</para></sect2><sect2>
|
<para>Installieren einer Linux-Distribution, welche die Unterstützung für nftables bereits eingebaut hat. Beim Schreiben dieses Absatzes (Mai 2014) war mindestens Fedora Rawhide (Vorläufer der Version 21) mit entsprechendem Support und nftables version 0.2.0 versehen.</para></sect2><sect2>
|
||||||
<title>Basis-nftables Konfiguration</title>
|
<title>Basis-nftables Konfiguration</title>
|
||||||
<para>Laden der Kernel-Module</para><screen>
|
<para>Laden der Kernel-Module:</para><screen>
|
||||||
<![CDATA[# modprobe nf_tables
|
<![CDATA[# modprobe nf_tables
|
||||||
# modprobe nf_tables_ipv4
|
# modprobe nf_tables_ipv4
|
||||||
# modprobe nf_tables_ipv6
|
# modprobe nf_tables_ipv6
|
||||||
# modprobe nf_tables_inet
|
# modprobe nf_tables_inet
|
||||||
]]></screen><para>Erzeugen der Filter-Tabellen</para><screen>
|
]]></screen><para>Löschen der Regeln in iptables and ip6tables um Interferenzen zu vermeiden:</para><screen>
|
||||||
<![CDATA[# nft add table ip filter
|
<![CDATA[# iptables -F
|
||||||
# nft add table ip6 filter
|
# ip6tables -F
|
||||||
# nft add table inet filter
|
]]></screen><para>Erzeugen der Filter-Tabelle:</para><screen>
|
||||||
]]></screen><para>Erzeugen einer input chain in jeder Filter-Tabelle</para><screen>
|
<![CDATA[# nft add table inet filter
|
||||||
<![CDATA[# nft add chain ip filter input { type filter hook input priority 1 \; }
|
]]></screen><para>Erzeugen einer input chain in der Filter-Tabelle:</para><screen>
|
||||||
# nft add chain ip6 filter input { type filter hook input priority 1 \; }
|
<![CDATA[# nft add chain inet filter input { type filter hook input priority 0 \; }
|
||||||
# nft add chain inet filter input { type filter hook input priority 0 \; }
|
|
||||||
]]></screen></sect2><sect2>
|
]]></screen></sect2><sect2>
|
||||||
<title>Einfache Filter-Policy mit nftables</title>
|
<title>Einfache Filter-Policy mit nftables</title>
|
||||||
<sect3>
|
<sect3>
|
||||||
|
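Review bot: the new step "Löschen der Regeln in iptables and ip6tables um Interferenzen zu vermeiden" relies on `# iptables -F` and `# ip6tables -F`, which only flush the rules of the default filter table; chain policies and the nat/mangle tables are left as they are, so an existing DROP policy or NAT rule still interferes. Either flush the other tables and reset the policies as well, or state the assumption that the legacy tables are empty. In the same sentence "iptables and ip6tables" mixes English into the German text and should read "iptables und ip6tables". Since the German text, unlike the English file in this commit, gets no paragraph explaining why only table "inet" is created now, one sentence of motivation (one rule matches both IPv4 and IPv6) would help readers of this section.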
@ -2000,49 +1999,76 @@ Chain intOUT (1 references)
|
||||||
<para>Erlauben von Paketen, die zu existierenden Einträgen in der Connection-Tracking-Tabelle gehören</para><screen>
|
<para>Erlauben von Paketen, die zu existierenden Einträgen in der Connection-Tracking-Tabelle gehören</para><screen>
|
||||||
<![CDATA[# nft add rule inet filter input ct state established,related counter accept
|
<![CDATA[# nft add rule inet filter input ct state established,related counter accept
|
||||||
]]></screen><para>Erlauben von IPv4 und IPv6 ICMP echo-request (aka ping)</para><screen>
|
]]></screen><para>Erlauben von IPv4 und IPv6 ICMP echo-request (aka ping)</para><screen>
|
||||||
<![CDATA[# nft add rule ip filter input icmp type { echo-request } counter accept
|
<![CDATA[# nft add rule inet filter input meta nfproto ipv4 icmp type { echo-request } counter accept
|
||||||
# nft add rule ip6 filter input icmpv6 type echo-request counter accept
|
# nft add rule inet filter input meta nfproto ipv6 icmpv6 type echo-request counter accept
|
||||||
]]></screen><para>Erlauben einiger wichtiger IPv6 ICMP Pakete, ohne Zähler, dafür mit Hop-Limit-Prüfung (erhöht die Sicherheit)</para><screen>
|
]]></screen><para>Erlauben einiger wichtiger IPv6 ICMP Pakete, ohne Zähler, dafür mit Hop-Limit-Prüfung (erhöht die Sicherheit)</para><screen>
|
||||||
<![CDATA[# nft add rule ip6 filter input icmpv6 type
|
<![CDATA[# nft add rule inet filter input meta nfproto ipv6
|
||||||
¬ { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert }
|
¬ icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 accept
|
||||||
¬ ip6 hoplimit 1 accept
|
# nft add rule inet filter input meta nfproto ipv6
|
||||||
# nft add rule ip6 filter input icmpv6 type
|
¬ icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept
|
||||||
¬ { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert }
|
]]></screen><para>Erlauben von eingehenden SSH-Verbindungen für IPv4 und IPv6</para><screen>
|
||||||
¬ ip6 hoplimit 255 accept
|
|
||||||
]]></screen><para>Erlauben von eingehenden SSH-Verbindungen für IPv4 und IPv6 unter Nutzung der IP-Version unabhängigen Tabelle “inet”</para><screen>
|
|
||||||
<![CDATA[# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
|
<![CDATA[# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
|
||||||
|
]]></screen><para>Reject/drop anderer Pakete</para><screen>
|
||||||
|
<![CDATA[# nft add rule inet filter input tcp dport 0-65535 reject
|
||||||
|
# nft add rule inet filter input udp dport 0-65535 counter drop
|
||||||
|
# nft add rule inet filter input counter drop
|
||||||
]]></screen></sect3><sect3>
|
]]></screen></sect3><sect3>
|
||||||
<title>Ergebnis</title>
|
<title>Ergebnis</title>
|
||||||
<para>Tabelle für IPv4 Filter</para><screen>
|
<para>Tabelle für IP unabhängigen Filter</para><screen>
|
||||||
<![CDATA[# nft list table ip filter
|
<![CDATA[table inet filter {
|
||||||
|
chain input {
|
||||||
|
type filter hook input priority 0;
|
||||||
|
ct state established,related counter packets 0 bytes 0 accept
|
||||||
|
ip protocol icmp icmp type { echo-request} counter packets 0 bytes 0 accept
|
||||||
|
ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
|
||||||
|
ip6 nexthdr ipv6-icmp ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
||||||
|
ip6 nexthdr ipv6-icmp ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
||||||
|
tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets 0 bytes 0 accept
|
||||||
|
tcp dport >= 0 tcp dport <= 65535 counter packets 0 bytes 0 reject
|
||||||
|
udp dport >= 0 udp dport <= 65535 counter packets 0 bytes 0 drop
|
||||||
|
log prefix counter packets 0 bytes 0 drop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]]></screen></sect3><sect3>
|
||||||
|
<title>Tipps für's Loggen</title>
|
||||||
|
<para>Für Logging wird ein zusätzliches Kernelmodul benötigt:</para><screen>
|
||||||
|
<![CDATA[# modprobe xt_LOG
|
||||||
|
]]></screen><para>ACHTUNG, MOMENTAN KANN DER LOG-LEVEL NICHT ANGEGEBEN WERDEN, dadurch werden nftables-Ereignisse mit Log-Level kern.emerg ausgegeben - ES BESTEHT DIE GEFAHR, DASS DIE KONSOLE DADURCH ÜBERFLUTET WIRD!</para>
|
||||||
|
<para>Für erste Tests mit der Log-Option kann es nützlich sein, das Loggens für emergency-Ereignisse in z.B. /etc/rsyslog.conf zu deaktivieren mit Hilfe eines “#” am Anfang der Zeile und Neustart des logging-Daemons</para><screen>
|
||||||
|
<![CDATA[#*.emerg :omusrmsg:*
|
||||||
|
]]></screen><para>Regel von oben, welche SSH auf Port 22 erlaubt, nun mit Logging:</para><screen>
|
||||||
|
<![CDATA[# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn log prefix \"inet/input/accept: \" counter accept
|
||||||
|
]]></screen></sect3></sect2><sect2>
|
||||||
|
<title>Filter-Policy mit nftables unter Benutzung der Tablellen “ip”, “ip6” und “inet”</title>
|
||||||
|
<para>Wie oben schon beschrieben, wenn die Regeln in den einzelnen Tabellen konfiguriert werden, muss gesichert sein, dass frühere “accepts” nicht aufgehoben werden. Eine einfache Lösung ist die Benutzung von Markierungen. Regeln, die Pakete erlauben, setzen die Marke mit “meta mark set xxxx”. Eine generische Regel erlaubt Pakete mit gesetzter Marke “mark xxxx”. Beispiel für ein resultierendes Filter-Regelwerk:</para><screen>
|
||||||
|
<![CDATA[# for table in ip ip6 inet; do nft list table $table filter; done
|
||||||
table ip filter {
|
table ip filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 1;
|
type filter hook input priority 0;
|
||||||
icmp type { echo-request} counter packets 0 bytes 0 accept
|
ct state established,related counter packets 241 bytes 25193 accept
|
||||||
|
counter packets 2 bytes 120 mark 0x00000100 accept
|
||||||
|
icmp type { echo-request} counter packets 0 bytes 0 meta mark set 0x00000100 accept
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]]></screen><para>Tabelle für IPv6 Filter</para><screen>
|
|
||||||
<![CDATA[# nft list table ip6 filter
|
|
||||||
table ip6 filter {
|
table ip6 filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 1;
|
type filter hook input priority 0;
|
||||||
icmpv6 type echo-request counter packets 0 bytes 0 accept
|
ct state established,related counter packets 14 bytes 4077 accept
|
||||||
ip6 hoplimit 1 icmpv6 type
|
counter packets 4 bytes 408 mark 0x00000100 accept
|
||||||
¬ { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
icmpv6 type echo-request counter packets 1 bytes 104 meta mark set 0x00000100
|
||||||
ip6 hoplimit 255 icmpv6 type
|
icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} counter packets 2 bytes 224 meta mark set 0x00000100 accept
|
||||||
¬ { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]]></screen><para>Tabelle für IP unabhängigen Filter</para><screen>
|
|
||||||
<![CDATA[# nft list table inet filter
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
ct state established,related counter packets 44 bytes 2288 accept
|
ct state established,related counter packets 307 bytes 31974 accept
|
||||||
tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets 0 bytes 0 accept
|
counter packets 6 bytes 528 mark 0x00000100 accept
|
||||||
|
tcp dport ssh ct state new tcp flags & (syn | ack) == syn log prefix "inet/input/accept: " meta mark set 0x00000100 counter packets 3 bytes 200 accept
|
||||||
|
log prefix "inet/input/reject: " counter packets 0 bytes 0 reject
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]]></screen></sect3></sect2></sect1></chapter><chapter id='chapter-security' >
|
]]></screen></sect2></sect1></chapter><chapter id='chapter-security' >
|
||||||
<title><!-- anchor id="chapter-security" -->Sicherheit</title>
|
<title><!-- anchor id="chapter-security" -->Sicherheit</title>
|
||||||
<sect1>
|
<sect1>
|
||||||
<title>Sicherheit des Knoten</title>
|
<title>Sicherheit des Knoten</title>
|
||||||
|
|
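Review bot: the "Ergebnis" listing does not match the commands in the configuration part of this hunk: the rule is added as `tcp dport 0-65535 reject` (no counter) but listed as `tcp dport >= 0 tcp dport <= 65535 counter packets 0 bytes 0 reject`, and the final catch-all is added as `counter drop` but listed as `log prefix counter packets 0 bytes 0 drop`; regenerate the listing from the commands shown (or update the commands), otherwise the output cannot be reproduced. In the new section for tables "ip", "ip6" and "inet" the neighbour-discovery rule `icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} counter ... meta mark set 0x00000100 accept` has lost the `ip6 hoplimit 255` check that the earlier section explicitly recommends ("erhöht die Sicherheit"); it should be kept there. The echo-request rule directly above it sets the mark but, unlike its neighbours, carries no `accept` verdict; that only works because the generic `mark 0x00000100 accept` rule in table "inet" accepts the packet later, which deserves a sentence of explanation or a uniform rule style. The mark scheme also depends on the ip/ip6 chains running before the inet chain, and this hunk lowers their priority from 1 to 0, the same value as the inet chain; the hook priority is what orders base chains, so keep the ip/ip6 chains at a lower priority number than inet (lower numbers run first) and say so. Typos: "Tablellen" in the new sect2 title should be "Tabellen", and "das Loggens" in the logging hint should be "das Loggen".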
|
@ -1983,73 +1983,103 @@ Chain intOUT (1 references)
|
||||||
<![CDATA[# ip6tables -t nat -A PREROUTING -i sixxs -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80
|
<![CDATA[# ip6tables -t nat -A PREROUTING -i sixxs -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80
|
||||||
]]></screen></sect2></sect1><sect1>
|
]]></screen></sect2></sect1><sect1>
|
||||||
<title>Firewalling using nftables</title>
|
<title>Firewalling using nftables</title>
|
||||||
<para>nftables adds support for a IPv4/IPv6 aware table named “inet”, here only one rule matches both protocols</para><sect2>
|
<para>nftables adds in addition to protocol specific tables “ip” (IPv4) and “ip6” (IPv6) support for a IPv4/IPv6 aware table named “inet”. Using this table it's possible to add only one rule and match both protocols (in case of UDP and TCP).</para>
|
||||||
|
<para>Take care if rules are contained in more than one table, because the tables are checked in sequence:</para><screen>
|
||||||
|
<![CDATA[IPv4-Packet --> table "ip" --> table "inet" --> further checks
|
||||||
|
IPv6-Packet --> table "ip6" --> table "inet" --> further checks
|
||||||
|
]]></screen><para>If table “ip6” accepts the packet, also table “inet” must accept the packet, otherwise it can be dropped by a later drop rule.</para><sect2>
|
||||||
<title>Preparation for nftables usage</title>
|
<title>Preparation for nftables usage</title>
|
||||||
<para>Install a Linux distribution which has nftables support already included. At time of writing (May 2014) at least Fedora Rawhide (upcoming version 21) has support in conjunction with nftables version 0.2.0.</para></sect2><sect2>
|
<para>Install a Linux distribution which has nftables support already included. At time of writing (May 2014) at least Fedora Rawhide (upcoming version 21) has support in conjunction with nftables version 0.2.0.</para></sect2><sect2>
|
||||||
<title>Basic nftables configuration</title>
|
<title>Basic nftables configuration</title>
|
||||||
<para>Load kernel modules</para><screen>
|
<para>Load kernel modules:</para><screen>
|
||||||
<![CDATA[# modprobe nf_tables
|
<![CDATA[# modprobe nf_tables
|
||||||
# modprobe nf_tables_ipv4
|
# modprobe nf_tables_ipv4
|
||||||
# modprobe nf_tables_ipv6
|
# modprobe nf_tables_ipv6
|
||||||
# modprobe nf_tables_inet
|
# modprobe nf_tables_inet
|
||||||
]]></screen><para>Create filter tables</para><screen>
|
]]></screen><para>Flush iptables and ip6tables to avoid interferences:</para><screen>
|
||||||
<![CDATA[# nft add table ip filter
|
<![CDATA[# iptables -F
|
||||||
# nft add table ip6 filter
|
# ip6tables -F
|
||||||
# nft add table inet filter
|
]]></screen><para>Create filter table:</para><screen>
|
||||||
]]></screen><para>Create input chain in each filter table</para><screen>
|
<![CDATA[# nft add table inet filter
|
||||||
<![CDATA[# nft add chain ip filter input { type filter hook input priority 1 \; }
|
]]></screen><para>Create input chain:</para><screen>
|
||||||
# nft add chain ip6 filter input { type filter hook input priority 1 \; }
|
<![CDATA[# nft add chain inet filter input { type filter hook input priority 0 \; }
|
||||||
# nft add chain inet filter input { type filter hook input priority 0 \; }
|
|
||||||
]]></screen></sect2><sect2>
|
]]></screen></sect2><sect2>
|
||||||
<title>Simple filter policy with nftables</title>
|
<title>Simple filter policy with nftables using only table “inet”</title>
|
||||||
<sect3>
|
<sect3>
|
||||||
<title>Configuration</title>
|
<title>Configuration</title>
|
||||||
<para>Allow packets which are related to existing connection tracking entries</para><screen>
|
<para>Allow packets which are related to existing connection tracking entries</para><screen>
|
||||||
<![CDATA[# nft add rule inet filter input ct state established,related counter accept
|
<![CDATA[# nft add rule inet filter input ct state established,related counter accept
|
||||||
]]></screen><para>Allow IPv4 and IPv6 ICMP echo-request (aka ping)</para><screen>
|
]]></screen><para>Allow IPv4 and IPv6 ICMP echo-request (aka ping)</para><screen>
|
||||||
<![CDATA[# nft add rule ip filter input icmp type { echo-request } counter accept
|
<![CDATA[# nft add rule inet filter input meta nfproto ipv4 icmp type { echo-request } counter accept
|
||||||
# nft add rule ip6 filter input icmpv6 type echo-request counter accept
|
# nft add rule inet filter input meta nfproto ipv6 icmpv6 type echo-request counter accept
|
||||||
]]></screen><para>Allow some important IPv6 ICMP traffic, without counter, but checking hop-limit for security</para><screen>
|
]]></screen><para>Allow some important IPv6 ICMP traffic, without counter, but checking hop-limit for security</para><screen>
|
||||||
<![CDATA[# nft add rule ip6 filter input icmpv6 type
|
<![CDATA[# nft add rule inet filter input meta nfproto ipv6
|
||||||
¬ { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert }
|
¬ icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 1 accept
|
||||||
¬ ip6 hoplimit 1 accept
|
# nft add rule inet filter input meta nfproto ipv6
|
||||||
# nft add rule ip6 filter input icmpv6 type
|
¬ icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} ip6 hoplimit 255 counter accept
|
||||||
¬ { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert }
|
]]></screen><para>Allow incoming SSH for IPv4 and IPv6</para><screen>
|
||||||
¬ ip6 hoplimit 255 accept
|
|
||||||
]]></screen><para>Allow incoming SSH for IPv4 and IPv6, using therefore the IP version aware table “inet”</para><screen>
|
|
||||||
<![CDATA[# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
|
<![CDATA[# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
|
||||||
|
]]></screen><para>Reject/drop others</para><screen>
|
||||||
|
<![CDATA[# nft add rule inet filter input tcp dport 0-65535 reject
|
||||||
|
# nft add rule inet filter input udp dport 0-65535 counter drop
|
||||||
|
# nft add rule inet filter input counter drop
|
||||||
]]></screen></sect3><sect3>
|
]]></screen></sect3><sect3>
|
||||||
<title>Result</title>
|
<title>Result</title>
|
||||||
<para>Table for IPv4 filter</para><screen>
|
<para>Table for IP version aware filter</para><screen>
|
||||||
<![CDATA[# nft list table ip filter
|
<![CDATA[table inet filter {
|
||||||
|
chain input {
|
||||||
|
type filter hook input priority 0;
|
||||||
|
ct state established,related counter packets 0 bytes 0 accept
|
||||||
|
ip protocol icmp icmp type { echo-request} counter packets 0 bytes 0 accept
|
||||||
|
ip6 nexthdr ipv6-icmp icmpv6 type echo-request counter packets 0 bytes 0 accept
|
||||||
|
ip6 nexthdr ipv6-icmp ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
||||||
|
ip6 nexthdr ipv6-icmp ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
||||||
|
tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets 0 bytes 0 accept
|
||||||
|
tcp dport >= 0 tcp dport <= 65535 counter packets 0 bytes 0 reject
|
||||||
|
udp dport >= 0 udp dport <= 65535 counter packets 0 bytes 0 drop
|
||||||
|
log prefix counter packets 0 bytes 0 drop
|
||||||
|
}
|
||||||
|
}
|
||||||
|
]]></screen></sect3><sect3>
|
||||||
|
<title>Hints for logging</title>
|
||||||
|
<para>To enable logging, an additonal kernel module must be loaded</para><screen>
|
||||||
|
<![CDATA[# modprobe xt_LOG
|
||||||
|
]]></screen><para>BUT TAKE CARE, IT LOOKS LIKE THAT NO LOG LEVEL CAN BE SPEFICIED CURRENTLY IN nftables, resulting that events are logged with kern.emerg - POSSIBILITY OF FLODDING THE CONSOLE WITH LOG ENTRIES!</para>
|
||||||
|
<para>Fir initial test with logging it can be useful to disable kernel console logging in e.g. /etc/rsyslog.conf by putting a “#” in front of the related entry and restart logging daemon</para><screen>
|
||||||
|
<![CDATA[#*.emerg :omusrmsg:*
|
||||||
|
]]></screen><para>Rule from above accepting SSH on port 22, but now with logging:</para><screen>
|
||||||
|
<![CDATA[# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn log prefix \"inet/input/accept: \" counter accept
|
||||||
|
]]></screen></sect3></sect2><sect2>
|
||||||
|
<title>Filter policy with nftables using tables “ip”, “ip6” and “inet”</title>
|
||||||
|
<para>As written above, if rules should be stored in related tables, it must be assured that earlier accepts are not discarded in the further table. This can be done using “meta mark set xxxx” on every accept rule and generic rules which accepts packets with “mark xxxx”. A resulting filter set would look like the following:</para><screen>
|
||||||
|
<![CDATA[# for table in ip ip6 inet; do nft list table $table filter; done
|
||||||
table ip filter {
|
table ip filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 1;
|
type filter hook input priority 0;
|
||||||
icmp type { echo-request} counter packets 0 bytes 0 accept
|
ct state established,related counter packets 241 bytes 25193 accept
|
||||||
|
counter packets 2 bytes 120 mark 0x00000100 accept
|
||||||
|
icmp type { echo-request} counter packets 0 bytes 0 meta mark set 0x00000100 accept
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]]></screen><para>Table for IPv6 filter</para><screen>
|
|
||||||
<![CDATA[# nft list table ip6 filter
|
|
||||||
table ip6 filter {
|
table ip6 filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 1;
|
type filter hook input priority 0;
|
||||||
icmpv6 type echo-request counter packets 0 bytes 0 accept
|
ct state established,related counter packets 14 bytes 4077 accept
|
||||||
ip6 hoplimit 1 icmpv6 type
|
counter packets 4 bytes 408 mark 0x00000100 accept
|
||||||
¬ { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
icmpv6 type echo-request counter packets 1 bytes 104 meta mark set 0x00000100
|
||||||
ip6 hoplimit 255 icmpv6 type
|
icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} counter packets 2 bytes 224 meta mark set 0x00000100 accept
|
||||||
¬ { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]]></screen><para>Table for IP version aware filter</para><screen>
|
|
||||||
<![CDATA[# nft list table inet filter
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority 0;
|
type filter hook input priority 0;
|
||||||
ct state established,related counter packets 44 bytes 2288 accept
|
ct state established,related counter packets 307 bytes 31974 accept
|
||||||
tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets 0 bytes 0 accept
|
counter packets 6 bytes 528 mark 0x00000100 accept
|
||||||
|
tcp dport ssh ct state new tcp flags & (syn | ack) == syn log prefix "inet/input/accept: " meta mark set 0x00000100 counter packets 3 bytes 200 accept
|
||||||
|
log prefix "inet/input/reject: " counter packets 0 bytes 0 reject
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
]]></screen></sect3></sect2></sect1></chapter><chapter id='chapter-security' >
|
]]></screen></sect2></sect1></chapter><chapter id='chapter-security' >
|
||||||
<title><!-- anchor id="chapter-security" -->Security</title>
|
<title><!-- anchor id="chapter-security" -->Security</title>
|
||||||
<sect1>
|
<sect1>
|
||||||
<title>Node security</title>
|
<title>Node security</title>
|
||||||
|
|
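Review bot: the new paragraph "Take care if rules are contained in more than one table, because the tables are checked in sequence" and the `IPv4-Packet --> table "ip" --> table "inet" --> further checks` diagram assert an evaluation order that the configuration in this hunk does not establish: base chains are ordered by their hook priority, and the hunk changes the ip and ip6 chains from priority 1 to 0, the same value as the inet chain, so nothing guarantees ip before inet. The mark scheme in the last section (`meta mark set 0x00000100` in ip/ip6, `mark 0x00000100 accept` in inet) depends on exactly that order, so give the ip and ip6 chains a lower priority number than the inet chain (lower numbers are evaluated first) and document the dependency in this paragraph. The "Result" listing also disagrees with the commands above it (`tcp dport 0-65535 reject` versus `... counter packets 0 bytes 0 reject`, `counter drop` versus `log prefix counter packets 0 bytes 0 drop`), and the "ip"/"ip6"/"inet" listing drops the `ip6 hoplimit 255` check from the neighbour-discovery rule that the previous section recommends "for security". Wording: "a IPv4/IPv6 aware table" should be "an IPv4/IPv6-aware table", "additonal" should be "additional", "SPEFICIED" should be "SPECIFIED", "FLODDING" should be "FLOODING", "Fir initial test" should be "For initial tests", and "generic rules which accepts" should be "generic rules which accept".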