nftables packet filter 0.9.1 released

After a year of development, release 0.9.1 of the nftables packet filter has been published. nftables is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13.

The kernel side provides only a generic, protocol-independent interface with basic primitives for extracting data from packets, operating on that data, and controlling flow.
The filtering logic itself and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code that runs at kernel level and moves all rule parsing and protocol handling logic into user space.

Main changes:

  • IPsec support, allowing matches on the addresses of the packet, the IPsec request ID (reqid) and the SPI (Security Parameter Index). For example:

    ... ipsec in ip saddr 192.168.1.0/24
    ... ipsec in spi 1-65536

    It is also possible to check whether the packet's route goes through IPsec. For example, to match (and then drop) traffic that does not go through IPsec:

    ... filter output rt ipsec missing

  • Support for IGMP (Internet Group Management Protocol). For example, a rule can drop incoming IGMP membership query requests:

    nft add rule netdev foo bar igmp type membership-query counter drop

  • Variables can be used to define chain transitions (jump/goto). For example:

    define dest = ber
    add rule ip foo bar jump $dest

  • Support for the osf extension, which identifies the sender's operating system (OS fingerprinting) while optionally ignoring the TTL value in the header. For example, to mark packets according to the sender's OS, you can use:

    ... meta mark set osf ttl skip name map { "Linux" : 0x1,
                                              "Windows" : 0x2,
                                              "MacOS" : 0x3,
                                              "unknown" : 0x0 }
    ... osf ttl skip version "Linux:4.20"

  • Matching on the sender's ARP address and the target's IPv4 address. For example, to count ARP packets sent from address 192.168.2.1, you can use the following ruleset:

    table arp x {
        chain y {
            type filter hook input priority filter; policy accept;
            arp saddr ip 192.168.2.1 counter packets 1 bytes 46
        }
    }

  • Support for transparent proxying of requests (tproxy). For example, to redirect connections to port 80 to the proxy listening on port 8080:

    table ip x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 80 tproxy to :8080
        }
    }

  • Support for socket marks, which lets a rule read the mark that an application set on its socket with setsockopt() and SO_MARK. For example:

    table inet x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 8080 mark set socket mark
        }
    }

  • Support for symbolic priority names for chains. For example:

    nft add chain ip x raw { type filter hook prerouting priority raw; }
    nft add chain ip x filter { type filter hook prerouting priority filter; }
    nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; }

  • Support for SELinux labels (secmark). For example, to define a "sshtag" object bound to an SELinux context, you can run:

    nft add secmark inet filter sshtag "system_u:object_r:ssh_server_packet_t:s0"

    And then use the label in rules, either directly or through a map:

    nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"

    nft add map inet filter secmapping { type inet_service : secmark; }
    nft add element inet filter secmapping { 22 : "sshtag" }
    nft add rule inet filter input meta secmark set tcp dport map @secmapping

  • Ports can be matched by the service names assigned to them in the /etc/services file, and listed back as names with "nft list ruleset -l". For example:

    nft add rule x y tcp dport "ssh"
    nft list ruleset -l
    table x {
        chain y {
            ...
            tcp dport "ssh"
        }
    }

  • Matching on the network interface kind. For example:

    add rule inet raw prerouting meta iifkind "vrf" accept

  • Improved support for dynamically updating the contents of sets by explicitly specifying the "dynamic" flag. For example, to update set "s" with the source address of each packet and expire an entry when no packets from that address arrive for 30 seconds:

    add table x
    add set x s { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
    add chain x y { type filter hook input priority 0; }
    add rule x y update @s { ip saddr }
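    As an added example (not part of the original announcement), here is a complete ruleset file for "nft -f" that uses such a dynamic set as a 30-second "recently seen" list: a source that opens a second new SSH connection within 30 seconds of its previous one is dropped, otherwise it is recorded and accepted. The table and set names follow the snippet above; the port, timeout and set size are assumed values.

```nft
# Added example: dynamic set as a short-lived "recently seen" list.
# Table/set names follow the page; port 22, 30s and size 128 are assumed.
table ip x {
    set s {
        type ipv4_addr
        size 128          # at most 128 tracked source addresses
        timeout 30s       # an entry expires 30s after its last update
        flags dynamic     # required for update/add from within a rule
    }

    chain y {
        type filter hook input priority 0; policy accept;

        # The source is still in @s, i.e. it opened a new SSH connection
        # less than 30s ago: count this one and drop it.
        tcp dport 22 ct state new ip saddr @s counter drop

        # First (or sufficiently spaced) connection: record the source,
        # which also restarts its 30s timer, and accept the packet.
        tcp dport 22 ct state new update @s { ip saddr } accept
    }
}
```

    Load it with "nft -f file" and inspect the live entries with "nft list set ip x s".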

  • Per-rule connection tracking timeouts. For example, to override the conntrack timeouts for connections to port 8888, you can define a ct timeout object and assign it in a rule:

    table ip filter {
        ct timeout aggressive-tcp {
            protocol tcp;
            l3proto ip;
            policy = { established: 100, close_wait: 4, close: 4 }
        }
        chain output {
            ...
            tcp dport 8888 ct timeout set "aggressive-tcp"
        }
    }

  • NAT support in the inet family:

    table inet nat {
        ...
        ip6 daddr dead::2::1 dnat to dead:2::99
    }

  • Improved error messages for typos:

    nft add chain filter test

    Error: No such file or directory; did you mean table 'filter' in family ip?
    add chain filter test
              ^^^^^^

  • Interface names can be used in sets:

    set sc {
        type inet_service . ifname
        elements = { "ssh" . "eth0" }
    }

  • Updated flowtable rule syntax:

    nft add table x
    nft add flowtable x ft { hook ingress priority 0; devices = { eth0, wlan0 }; }
    ...
    nft add rule x forward ip protocol { tcp, udp } flow add @ft

  • Improved JSON support.

Source: opennet.ru
