add nftables hints, fix generation scripts
This commit is contained in:
parent
cfe1118786
commit
6fdcd39576
|
@ -1,5 +1,5 @@
|
|||
#LyX 2.0 created this file. For more info see http://www.lyx.org/
|
||||
\lyxformat 413
|
||||
#LyX 2.1 created this file. For more info see http://www.lyx.org/
|
||||
\lyxformat 474
|
||||
\begin_document
|
||||
\begin_header
|
||||
\textclass docbook-book
|
||||
|
@ -16,13 +16,13 @@
|
|||
\font_roman default
|
||||
\font_sans default
|
||||
\font_typewriter default
|
||||
\font_math auto
|
||||
\font_default_family default
|
||||
\use_non_tex_fonts false
|
||||
\font_sc false
|
||||
\font_osf false
|
||||
\font_sf_scale 100
|
||||
\font_tt_scale 100
|
||||
|
||||
\graphics default
|
||||
\default_output_format default
|
||||
\output_sync 0
|
||||
|
@ -33,15 +33,24 @@
|
|||
\use_hyperref false
|
||||
\papersize default
|
||||
\use_geometry false
|
||||
\use_amsmath 1
|
||||
\use_esint 0
|
||||
\use_mhchem 1
|
||||
\use_mathdots 1
|
||||
\use_package amsmath 1
|
||||
\use_package amssymb 1
|
||||
\use_package cancel 0
|
||||
\use_package esint 0
|
||||
\use_package mathdots 1
|
||||
\use_package mathtools 0
|
||||
\use_package mhchem 1
|
||||
\use_package stackrel 0
|
||||
\use_package stmaryrd 0
|
||||
\use_package undertilde 0
|
||||
\cite_engine basic
|
||||
\cite_engine_type default
|
||||
\biblio_style plain
|
||||
\use_bibtopic false
|
||||
\use_indices false
|
||||
\paperorientation portrait
|
||||
\suppress_date false
|
||||
\justification true
|
||||
\use_refstyle 0
|
||||
\index Stichwortverzeichnis
|
||||
\shortcut idx
|
||||
|
@ -107,7 +116,7 @@ status open
|
|||
|
||||
\begin_layout Plain Layout
|
||||
|
||||
<revision> <revnumber>0.66wip.de.1</revnumber> <date>2013-11-12</date> <authoriniti
|
||||
<revision> <revnumber>0.66wip.de.1</revnumber> <date>2014-05-02</date> <authoriniti
|
||||
als>PB</authorinitials></revision>
|
||||
\end_layout
|
||||
|
||||
|
@ -247,7 +256,7 @@ Copyright
|
|||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Verfasst von und urheberrechtlich geschützt durch Peter Bieringer © 2001-2013.
|
||||
Verfasst von und urheberrechtlich geschützt durch Peter Bieringer © 2001-2014.
|
||||
\begin_inset Newline newline
|
||||
\end_inset
|
||||
|
||||
|
@ -260,7 +269,7 @@ Deutsche Übersetzung:
|
|||
|
||||
\begin_layout Standard
|
||||
Verfasst von und urheberrechtlich geschützt durch Georg Käfer © 2002-2003,
|
||||
weitergeführt von Peter Bieringer © 2004-2013.
|
||||
weitergeführt von Peter Bieringer © 2004-2014.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
|
@ -290,7 +299,7 @@ Dieses Linux IPv6 HOWTO ist ein Handbuch zur Anwendung und Konfiguration
|
|||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Copyright © 2001-2013 Peter Bieringer
|
||||
Copyright © 2001-2014 Peter Bieringer
|
||||
\begin_inset Newline newline
|
||||
\end_inset
|
||||
|
||||
|
@ -10980,8 +10989,22 @@ reference "IPv6-security-auditing"
|
|||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Kernels ab Version 2.6.20 unterstützen den IPv6-Verbindungsstatus (connection
|
||||
tracking) vollständig.
|
||||
Kernels ab Version 2.6.20 (Februar 2007) unterstützen den IPv6-Verbindungsstatus
|
||||
(connection tracking) vollständig.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Kernels ab Version 3.9.0 (April 2013) unterstützen NAT für IPv6 in Verbindung
|
||||
mit ip6tables >= 1.4.18
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Kernels ab Version 3.13 (April 2014) unterstützen ein neues Framework namens:
|
||||
nftables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
|
@ -12707,6 +12730,355 @@ Ein dedizierter Port kann zu einem internen System weitergeleitet werden,
|
|||
nation [fec0::1234]:80
|
||||
\end_layout
|
||||
|
||||
\begin_layout Section
|
||||
|
||||
\lang english
|
||||
Firewall-Setup mit nftables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Mit nftables wurde die Unterstützung einer Tabelle names
|
||||
\begin_inset Quotes sld
|
||||
\end_inset
|
||||
|
||||
inet
|
||||
\begin_inset Quotes srd
|
||||
\end_inset
|
||||
|
||||
eingeführt in welcher Regeln für IPv4/IPv6 gleichzeitig gelten
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
|
||||
\lang english
|
||||
Präparation zur Nutzung von nftables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Installieren einer Linux-Distribution, welche die Unterstützung für nftables
|
||||
bereits eingebaut hat.
|
||||
Beim Schreiben dieses Absatzes (Mai 2014) war mindestens Fedora Rawhide
|
||||
(Vorläufer der Version 21) mit entsprechendem Support und nftables version
|
||||
0.2.0 versehen.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
|
||||
\lang english
|
||||
Basis-nftables Konfiguration
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Laden der Kernel-Module
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# modprobe nf_tables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# modprobe nf_tables_ipv4
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# modprobe nf_tables_ipv6
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# modprobe nf_tables_inet
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Erzeugen der Filter-Tabellen
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add table ip filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add table ip6 filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add table inet filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Erzeugen einer input chain in jeder Filter-Tabelle
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add chain ip filter input { type filter hook input priority 1
|
||||
\backslash
|
||||
; }
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add chain ip6 filter input { type filter hook input priority 1
|
||||
\backslash
|
||||
; }
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add chain inet filter input { type filter hook input priority 0
|
||||
\backslash
|
||||
; }
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
|
||||
\lang english
|
||||
Einfache Filter-Policy mit nftables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsubsection
|
||||
|
||||
\lang english
|
||||
Konfiguration
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Erlauben von Paketen, die zu existierenden Einträgen in der Connection-Tracking-
|
||||
Tabelle gehören
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add rule inet filter input ct state established,related counter accept
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Erlauben von IPv4 und IPv6 ICMP echo-request (aka ping)
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add rule ip filter input icmp type { echo-request } counter accept
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add rule ip6 filter input icmpv6 type echo-request counter accept
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Erlauben einiger wichtiger IPv6 ICMP Pakete, ohne Zähler, dafür mit Hop-Limit-Pr
|
||||
üfung (erhöht die Sicherheit)
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, nd-router-adv
|
||||
ert, nd-neighbor-advert } ip6 hoplimit 1 accept # nft add rule ip6 filter
|
||||
input icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert
|
||||
} ip6 hoplimit 255 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Erlauben von eingehenden SSH-Verbindungen für IPv4 und IPv6 unter Nutzung
|
||||
der IP-Version unabhängigen Tabelle
|
||||
\begin_inset Quotes sld
|
||||
\end_inset
|
||||
|
||||
inet
|
||||
\begin_inset Quotes srd
|
||||
\end_inset
|
||||
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft add rule inet filter input tcp dport 22 ct state new tcp flags
|
||||
\backslash
|
||||
&
|
||||
\backslash
|
||||
(syn
|
||||
\backslash
|
||||
| ack
|
||||
\backslash
|
||||
) == syn counter accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsubsection
|
||||
|
||||
\lang english
|
||||
Ergebnis
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Tabelle für IPv4 Filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft list table ip filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
table ip filter {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
chain input {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
type filter hook input priority 1;
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
icmp type { echo-request} counter packets 0 bytes 0 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Tabelle für IPv6 Filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft list table ip6 filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
table ip6 filter {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
chain input {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
type filter hook input priority 1;
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
icmpv6 type echo-request counter packets 0 bytes 0 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit,
|
||||
nd-router-advert} accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit,
|
||||
nd-router-advert} accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
|
||||
\lang english
|
||||
Tabelle für IP unabhängigen Filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
# nft list table inet filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
table inet filter {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
chain input {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
type filter hook input priority 0;
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
ct state established,related counter packets 44 bytes 2288 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets
|
||||
0 bytes 0 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Chapter
|
||||
\begin_inset CommandInset label
|
||||
LatexCommand label
|
||||
|
@ -20858,7 +21230,7 @@ Die größten Mailinglisten sind in folgender Tabelle zusammengefasst:
|
|||
\begin_layout Standard
|
||||
\begin_inset Tabular
|
||||
<lyxtabular version="3" rows="8" columns="6">
|
||||
<features rotate="true" tabularvalignment="middle">
|
||||
<features rotate="90" tabularvalignment="middle">
|
||||
<column alignment="center" valignment="top" width="0pt">
|
||||
<column alignment="center" valignment="top" width="0pt">
|
||||
<column alignment="center" valignment="top" width="0pt">
|
||||
|
|
|
@ -7,14 +7,14 @@
|
|||
<!ENTITY % output.print.bmp "IGNORE">
|
||||
]>
|
||||
|
||||
<!-- SGML file was created by LyX 2.0.6
|
||||
<!-- SGML file was created by LyX 2.1.0
|
||||
See http://www.lyx.org/ for more information -->
|
||||
<book lang="de">
|
||||
<bookinfo>
|
||||
<title>Linux IPv6 HOWTO (de)</title>
|
||||
<author><firstname>Peter</firstname><surname>Bieringer</surname><affiliation><address>pb at bieringer dot de</address></affiliation></author>
|
||||
<revhistory>
|
||||
<revision> <revnumber>0.66wip.de.1</revnumber> <date>2013-11-12</date> <authorinitials>PB</authorinitials></revision>
|
||||
<revision> <revnumber>0.66wip.de.1</revnumber> <date>2014-05-02</date> <authorinitials>PB</authorinitials></revision>
|
||||
<revision> <revnumber>0.65.de.1</revnumber> <date>2009-12-13</date> <authorinitials>PB</authorinitials></revision>
|
||||
<revision> <revnumber>0.64.de.1</revnumber> <date>2009-06-11</date> <authorinitials>PB</authorinitials></revision>
|
||||
<revision> <revnumber>0.61.de.1</revnumber> <date>2007-10-06</date> <authorinitials>PB</authorinitials></revision>
|
||||
|
@ -26,16 +26,16 @@
|
|||
<title><!-- anchor id="general-copright" -->Copyright, Lizenz und anderes</title>
|
||||
<sect2>
|
||||
<title>Copyright</title>
|
||||
<para>Verfasst von und urheberrechtlich geschützt durch Peter Bieringer © 2001-2013.
|
||||
<para>Verfasst von und urheberrechtlich geschützt durch Peter Bieringer © 2001-2014.
|
||||
</para>
|
||||
<para>Deutsche Übersetzung:</para>
|
||||
<para>Verfasst von und urheberrechtlich geschützt durch Georg Käfer © 2002-2003, weitergeführt von Peter Bieringer © 2004-2013.</para></sect2><sect2>
|
||||
<para>Verfasst von und urheberrechtlich geschützt durch Georg Käfer © 2002-2003, weitergeführt von Peter Bieringer © 2004-2014.</para></sect2><sect2>
|
||||
<title>Lizenz</title>
|
||||
<para>Dieses Linux IPv6 HOWTO wird unter der GNU GPL Version 2 herausgegeben:
|
||||
</para>
|
||||
<para>Dieses Linux IPv6 HOWTO ist ein Handbuch zur Anwendung und Konfiguration von IPv6 auf Linux-Systemen.
|
||||
</para>
|
||||
<para>Copyright © 2001-2013 Peter Bieringer
|
||||
<para>Copyright © 2001-2014 Peter Bieringer
|
||||
Deutsche Übersetzung Copyright © 2002-2003 Georg Käfer, weitergeführt von Peter Bieringer © 2004-2013.
|
||||
</para>
|
||||
<para>Diese Dokumentation ist freie Software; Sie können diese unter den Bedingungen der GNU General Public License, wie von der Free Software Foundation publiziert, entweder unter Version 2 oder optional jede höhere Version redistribuieren und/oder modifizieren.</para>
|
||||
|
@ -1624,7 +1624,9 @@ In Version 8.x wurde das Konfigurations-Setup bei SuSE komplett abgeändert.</pa
|
|||
<para>Von Haus aus unterstützt wird die IPv6-Firewall-Funktionalität im Kernel erst ab Version 2.4+. In älteren 2.2+ Versionen können sie nur mit Protocol 41 das generelle Tunnel von IPv6-in-IPv4-Paketen filtern.</para>
|
||||
<para>Achtung: Es gibt keine Garantie, dass die beschriebenen Regeln und Beispiele ihr System auch wirklich schützen können!</para>
|
||||
<para>Beobachten Sie nach der Installation ihr Regelset, siehe Abschnitt <xref linkend="IPv6-security-auditing">.</para>
|
||||
<para>Kernels ab Version 2.6.20 unterstützen den IPv6-Verbindungsstatus (connection tracking) vollständig.</para><sect2>
|
||||
<para>Kernels ab Version 2.6.20 (Februar 2007) unterstützen den IPv6-Verbindungsstatus (connection tracking) vollständig.</para>
|
||||
<para>Kernels ab Version 3.9.0 (April 2013) unterstützen NAT für IPv6 in Verbindung mit ip6tables >= 1.4.18</para>
|
||||
<para>Kernels ab Version 3.13 (April 2014) unterstützen ein neues Framework namens: nftables</para><sect2>
|
||||
<title>Weitere Informationen</title>
|
||||
<itemizedlist>
|
||||
<listitem><para><ulink url="http://www.netfilter.org/">Netfilter project</ulink></para></listitem><listitem><para><ulink url="https://lists.netfilter.org/mailman/listinfo/netfilter">maillist archive of netfilter users</ulink></para></listitem><listitem><para><ulink url="https://lists.netfilter.org/mailman/listinfo/netfilter-devel">maillist archive of netfilter developers</ulink></para></listitem><listitem><para><ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#netfilter6 ">Unofficial status informations</ulink></para></listitem></itemizedlist></sect2></sect1><sect1>
|
||||
|
@ -1972,7 +1974,68 @@ Chain intOUT (1 references)
|
|||
<title>IPv6 Port Weiterleitung</title>
|
||||
<para>Ein dedizierter Port kann zu einem internen System weitergeleitet werden, z.B.</para><screen>
|
||||
<![CDATA[# ip6tables -t nat -A PREROUTING -i sixxs -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80
|
||||
]]></screen></sect2></sect1></chapter><chapter id='chapter-security' >
|
||||
]]></screen></sect2></sect1><sect1>
|
||||
<title>Firewall-Setup mit nftables</title>
|
||||
<para>Mit nftables wurde die Unterstützung einer Tabelle names “inet” eingeführt in welcher Regeln für IPv4/IPv6 gleichzeitig gelten</para><sect2>
|
||||
<title>Präparation zur Nutzung von nftables</title>
|
||||
<para>Installieren einer Linux-Distribution, welche die Unterstützung für nftables bereits eingebaut hat. Beim Schreiben dieses Absatzes (Mai 2014) war mindestens Fedora Rawhide (Vorläufer der Version 21) mit entsprechendem Support und nftables version 0.2.0 versehen.</para></sect2><sect2>
|
||||
<title>Basis-nftables Konfiguration</title>
|
||||
<para>Laden der Kernel-Module</para><screen>
|
||||
<![CDATA[# modprobe nf_tables
|
||||
# modprobe nf_tables_ipv4
|
||||
# modprobe nf_tables_ipv6
|
||||
# modprobe nf_tables_inet
|
||||
]]></screen><para>Erzeugen der Filter-Tabellen</para><screen>
|
||||
<![CDATA[# nft add table ip filter
|
||||
# nft add table ip6 filter
|
||||
# nft add table inet filter
|
||||
]]></screen><para>Erzeugen einer input chain in jeder Filter-Tabelle</para><screen>
|
||||
<![CDATA[# nft add chain ip filter input { type filter hook input priority 1 \; }
|
||||
# nft add chain ip6 filter input { type filter hook input priority 1 \; }
|
||||
# nft add chain inet filter input { type filter hook input priority 0 \; }
|
||||
]]></screen></sect2><sect2>
|
||||
<title>Einfache Filter-Policy mit nftables</title>
|
||||
<sect3>
|
||||
<title>Konfiguration</title>
|
||||
<para>Erlauben von Paketen, die zu existierenden Einträgen in der Connection-Tracking-Tabelle gehören</para><screen>
|
||||
<![CDATA[# nft add rule inet filter input ct state established,related counter accept
|
||||
]]></screen><para>Erlauben von IPv4 und IPv6 ICMP echo-request (aka ping)</para><screen>
|
||||
<![CDATA[# nft add rule ip filter input icmp type { echo-request } counter accept
|
||||
# nft add rule ip6 filter input icmpv6 type echo-request counter accept
|
||||
]]></screen><para>Erlauben einiger wichtiger IPv6 ICMP Pakete, ohne Zähler, dafür mit Hop-Limit-Prüfung (erhöht die Sicherheit)</para><screen>
|
||||
<![CDATA[# nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } ip6 hoplimit 1 accept # nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } ip6 hoplimit 255 accept
|
||||
]]></screen><para>Erlauben von eingehenden SSH-Verbindungen für IPv4 und IPv6 unter Nutzung der IP-Version unabhängigen Tabelle “inet”</para><screen>
|
||||
<![CDATA[# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
|
||||
]]></screen></sect3><sect3>
|
||||
<title>Ergebnis</title>
|
||||
<para>Tabelle für IPv4 Filter</para><screen>
|
||||
<![CDATA[# nft list table ip filter
|
||||
table ip filter {
|
||||
chain input {
|
||||
type filter hook input priority 1;
|
||||
icmp type { echo-request} counter packets 0 bytes 0 accept
|
||||
}
|
||||
}
|
||||
]]></screen><para>Tabelle für IPv6 Filter</para><screen>
|
||||
<![CDATA[# nft list table ip6 filter
|
||||
table ip6 filter {
|
||||
chain input {
|
||||
type filter hook input priority 1;
|
||||
icmpv6 type echo-request counter packets 0 bytes 0 accept
|
||||
ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
||||
ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
|
||||
}
|
||||
}
|
||||
]]></screen><para>Tabelle für IP unabhängigen Filter</para><screen>
|
||||
<![CDATA[# nft list table inet filter
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority 0;
|
||||
ct state established,related counter packets 44 bytes 2288 accept
|
||||
tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets 0 bytes 0 accept
|
||||
}
|
||||
}
|
||||
]]></screen></sect3></sect2></sect1></chapter><chapter id='chapter-security' >
|
||||
<title><!-- anchor id="chapter-security" -->Sicherheit</title>
|
||||
<sect1>
|
||||
<title>Sicherheit des Knoten</title>
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
#LyX 2.0 created this file. For more info see http://www.lyx.org/
|
||||
\lyxformat 413
|
||||
#LyX 2.1 created this file. For more info see http://www.lyx.org/
|
||||
\lyxformat 474
|
||||
\begin_document
|
||||
\begin_header
|
||||
\textclass docbook-book
|
||||
|
@ -15,13 +15,13 @@
|
|||
\font_roman default
|
||||
\font_sans default
|
||||
\font_typewriter default
|
||||
\font_math auto
|
||||
\font_default_family default
|
||||
\use_non_tex_fonts false
|
||||
\font_sc false
|
||||
\font_osf false
|
||||
\font_sf_scale 100
|
||||
\font_tt_scale 100
|
||||
|
||||
\graphics default
|
||||
\default_output_format default
|
||||
\output_sync 0
|
||||
|
@ -32,15 +32,24 @@
|
|||
\use_hyperref false
|
||||
\papersize default
|
||||
\use_geometry false
|
||||
\use_amsmath 1
|
||||
\use_esint 0
|
||||
\use_mhchem 1
|
||||
\use_mathdots 1
|
||||
\use_package amsmath 1
|
||||
\use_package amssymb 1
|
||||
\use_package cancel 0
|
||||
\use_package esint 0
|
||||
\use_package mathdots 1
|
||||
\use_package mathtools 0
|
||||
\use_package mhchem 1
|
||||
\use_package stackrel 0
|
||||
\use_package stmaryrd 0
|
||||
\use_package undertilde 0
|
||||
\cite_engine basic
|
||||
\cite_engine_type default
|
||||
\biblio_style plain
|
||||
\use_bibtopic false
|
||||
\use_indices false
|
||||
\paperorientation portrait
|
||||
\suppress_date false
|
||||
\justification true
|
||||
\use_refstyle 0
|
||||
\index Index
|
||||
\shortcut idx
|
||||
|
@ -102,7 +111,7 @@ status open
|
|||
|
||||
\begin_layout Plain Layout
|
||||
|
||||
<revision> <revnumber>0.66wip</revnumber> <date>2013-11-12</date> <authorinitials
|
||||
<revision> <revnumber>0.66wip</revnumber> <date>2014-05-02</date> <authorinitials
|
||||
>PB</authorinitials></revision>
|
||||
\end_layout
|
||||
|
||||
|
@ -255,7 +264,7 @@ Copyright
|
|||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Written and Copyright (C) 2001-2013 by Peter Bieringer
|
||||
Written and Copyright (C) 2001-2014 by Peter Bieringer
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
|
@ -288,7 +297,7 @@ Copyright
|
|||
\lang ngerman
|
||||
©
|
||||
\lang english
|
||||
2001-2013 Peter Bieringer
|
||||
2001-2014 Peter Bieringer
|
||||
\begin_inset Newline newline
|
||||
\end_inset
|
||||
|
||||
|
@ -10174,8 +10183,17 @@ reference "IPv6-security-auditing"
|
|||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Since kernel version 2.6.20 IPv6 connection tracking is fully working (and
|
||||
does not break IPv4 NAT anymore like versions before)
|
||||
Since kernel version 2.6.20 (February 2007) IPv6 connection tracking is fully
|
||||
working (and does not break IPv4 NAT anymore like versions before)
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Since kernel version 3.9.0 (April 2013) NAT for IPv6 is supported with ip6tables
|
||||
>= 1.4.18
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Since kernel version 3.13 (April 2014) new framework introduced named: nftables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
|
@ -10560,7 +10578,7 @@ Perhaps it's necessary to create a softlink for iptables libraries where
|
|||
\end_layout
|
||||
|
||||
\begin_layout Section
|
||||
Usage
|
||||
Usage of ip6tables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
|
@ -11624,6 +11642,277 @@ A dedicated specified port can be forwarded to an internal system, e.g.
|
|||
nation [fec0::1234]:80
|
||||
\end_layout
|
||||
|
||||
\begin_layout Section
|
||||
Firewalling using nftables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
nftables adds support for a IPv4/IPv6 aware table named
|
||||
\begin_inset Quotes sld
|
||||
\end_inset
|
||||
|
||||
inet
|
||||
\begin_inset Quotes srd
|
||||
\end_inset
|
||||
|
||||
, here only one rule matches both protocols
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
Preparation for nftables usage
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Install a Linux distribution which has nftables support already included.
|
||||
At time of writing (May 2014) at least Fedora Rawhide (upcoming version
|
||||
21) has support in conjunction with nftables version 0.2.0.
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
Basic nftables configuration
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Load kernel modules
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# modprobe nf_tables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# modprobe nf_tables_ipv4
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# modprobe nf_tables_ipv6
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# modprobe nf_tables_inet
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Create filter tables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add table ip filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add table ip6 filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add table inet filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Create input chain in each filter table
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add chain ip filter input { type filter hook input priority 1
|
||||
\backslash
|
||||
; }
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add chain ip6 filter input { type filter hook input priority 1
|
||||
\backslash
|
||||
; }
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add chain inet filter input { type filter hook input priority 0
|
||||
\backslash
|
||||
; }
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsection
|
||||
Simple filter policy with nftables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsubsection
|
||||
Configuration
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Allow packets which are related to existing connection tracking entries
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add rule inet filter input ct state established,related counter accept
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Allow IPv4 and IPv6 ICMP echo-request (aka ping)
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add rule ip filter input icmp type { echo-request } counter accept
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add rule ip6 filter input icmpv6 type echo-request counter accept
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Allow some important IPv6 ICMP traffic, without counter, but checking hop-limit
|
||||
for security
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, nd-router-adv
|
||||
ert, nd-neighbor-advert } ip6 hoplimit 1 accept # nft add rule ip6 filter
|
||||
input icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert
|
||||
} ip6 hoplimit 255 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Allow incoming SSH for IPv4 and IPv6, using therefore the IP version aware
|
||||
table
|
||||
\begin_inset Quotes sld
|
||||
\end_inset
|
||||
|
||||
inet
|
||||
\begin_inset Quotes srd
|
||||
\end_inset
|
||||
|
||||
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft add rule inet filter input tcp dport 22 ct state new tcp flags
|
||||
\backslash
|
||||
&
|
||||
\backslash
|
||||
(syn
|
||||
\backslash
|
||||
| ack
|
||||
\backslash
|
||||
) == syn counter accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Subsubsection
|
||||
Result
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Table for IPv4 filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft list table ip filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
table ip filter {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
chain input {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
type filter hook input priority 1;
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
icmp type { echo-request} counter packets 0 bytes 0 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Table for IPv6 filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft list table ip6 filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
table ip6 filter {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
chain input {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
type filter hook input priority 1;
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
icmpv6 type echo-request counter packets 0 bytes 0 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit,
|
||||
nd-router-advert} accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit,
|
||||
nd-router-advert} accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Standard
|
||||
Table for IP version aware filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
# nft list table inet filter
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
table inet filter {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
chain input {
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
type filter hook input priority 0;
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
ct state established,related counter packets 44 bytes 2288 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets
|
||||
0 bytes 0 accept
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Code
|
||||
}
|
||||
\end_layout
|
||||
|
||||
\begin_layout Chapter
|
||||
\begin_inset CommandInset label
|
||||
LatexCommand label
|
||||
|
@ -27849,7 +28138,7 @@ Major Mailinglists are listed in following table:
|
|||
\begin_layout Standard
|
||||
\begin_inset Tabular
|
||||
<lyxtabular version="3" rows="8" columns="6">
|
||||
<features tabularvalignment="middle">
|
||||
<features rotate="0" tabularvalignment="middle">
|
||||
<column alignment="center" valignment="top" width="0pt">
|
||||
<column alignment="center" valignment="top" width="0pt">
|
||||
<column alignment="center" valignment="top" width="0pt">
|
||||
|
@ -28825,7 +29114,8 @@ Releases 0.x
|
|||
|
||||
\begin_layout Description
|
||||
0.66 2010-04-20/PB: extend QoS section with examples, 20130513/PB: add IPv6
|
||||
NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review
|
||||
NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review, 20140502/bi
|
||||
e: add hints for nftables
|
||||
\end_layout
|
||||
|
||||
\begin_layout Description
|
||||
|
|
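Review bot: The "Simple filter policy" never denies anything: the three input chains are created without a chain policy and no rule drops, so every `accept` in the Configuration subsection is a no-op and the "Result" listings describe a host that is still fully open — add a terminating `# nft add rule inet filter input counter drop` (or `policy drop \;` in the chain definition, if the nft version in use supports it) and, before it, accept the ICMPv6 types a host cannot function without (packet-too-big, destination-unreachable, time-exceeded, parameter-problem). Be aware that `accept` only ends the chain it is in: `inet filter input` runs first (priority 0) and `ip6 filter input` afterwards (priority 1), so a final drop in the inet chain would discard the echo/ND traffic before the ip6 table ever sees it — keeping all rules in the single inet table avoids that trap. The rule accepting `nd-*` types with `ip6 hoplimit 1` weakens the check the text presents as a security measure: RFC 4861 requires ND messages to arrive with hop limit 255 and receivers to discard any other value, so that variant should go (hop limit 1 is what MLD uses — if that was the intent, change the type set). Also, the second `nft add rule ip6 filter input ... ip6 hoplimit 255 accept` command has been joined onto the end of the hop-limit-1 line after a `#`, where a shell would treat it as a comment; split it into its own Code paragraph so the listing matches the "Result" output.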
|
@ -5,7 +5,7 @@
|
|||
list="Linux+IPv6-HOWTO.sgml Linux+IPv6-HOWTO.de.sgml"
|
||||
|
||||
for lyx in $list; do
|
||||
./generate.sh $lyx
|
||||
./generate.sh $lyx $*
|
||||
done
|
||||
|
||||
echo -en "\a"
|
||||
|
|
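Review bot: `./generate.sh $lyx $*` re-splits the caller's arguments on whitespace and glob-expands them, so any option containing a space or a `*` reaches generate.sh mangled; the idiomatic form is `./generate.sh "$lyx" "$@"`. The surrounding `for lyx in $list` loop also relies on word splitting of `$list`, which is fine for the two fixed names but would break for a filename with spaces — a shell array would be safer if the list ever grows. The loop is the whole visible change; the rest of the script lies outside the hunk.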
|
@ -197,9 +197,9 @@ create_html_multipage() {
|
|||
}
|
||||
|
||||
create_html_singlepage() {
|
||||
echo "INFO : Create HTML singlepage '$file_html'"
|
||||
echo "INFO : Create HTML singlepage '$file_html' from '$file_input'"
|
||||
[ $loglevel -ge 7 ] && set -x
|
||||
$JADE -t sgml -i html -V nochunks -d "${file_ldpdsl}#html" -o $file_html $file_input >/dev/null
|
||||
$JADE -t sgml -i html -V nochunks -d "${file_ldpdsl}#html" $file_input >$file_html
|
||||
local retval=$?
|
||||
[ $loglevel -ge 7 ] && set +x
|
||||
|
||||
|
|
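Review bot: `>$file_html` truncates the target file at the shell level before `$JADE` even starts, so a failed or interrupted conversion now replaces the previously good page with an empty or partial file; write to a temporary name and move it into place only on success, e.g. `$JADE ... "$file_input" >"$file_html.tmp"` followed by `[ "$retval" -eq 0 ] && mv "$file_html.tmp" "$file_html"` in the existing status handling. `local retval=$?` still captures jade's exit status (the expansion happens before `local` runs), so the check that follows is unaffected. Quoting `"$file_html"` and `"$file_input"` would additionally keep paths with spaces working. create_html_singlepage's body continues past the end of the hunk.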