nftables packet filter 0.9.1 released

After a year of development, release 0.9.1 of the nftables packet filter has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13.

The kernel level provides only a generic, protocol-independent interface with basic functions for extracting data from packets, performing operations on that data, and flow control.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to significantly reduce the amount of filtering code running at the kernel level and to move all rule parsing and protocol-handling logic into user space.

Main new features:

  • IPsec support, which allows matching tunnel addresses based on the packet, the IPsec request ID, and the SPI (Security Parameter Index) tag. For example,

    ... ipsec in ip saddr 192.168.1.0/24
    ... ipsec in spi 1-65536

    It is also possible to check whether a route passes through an IPsec tunnel. For example, to block traffic that does not go through IPsec:

    ... filter output rt ipsec missing drop

  • Support for IGMP (Internet Group Management Protocol). For example, the following rule drops incoming IGMP membership queries:

    nft add rule netdev foo bar igmp type membership-query counter drop

  • Variables can be used to define the target of a chain transition (jump / goto). For example:

    define dest = ber
    add rule ip foo bar jump $dest

  • Support for masks for operating system detection (OS fingerprint) based on the TTL values in the header. For example, to mark packets according to the sender's OS, you can use this rule:

    ... meta mark set osf ttl skip name map { "Linux" : 0x1,
                                               "Windows" : 0x2,
                                               "MacOS" : 0x3,
                                               "unknown" : 0x0 }
    ... osf ttl skip version "Linux:4.20"

  • Ability to match the ARP sender address and the IPv4 address of the target system. For example, to count ARP packets with sender address 192.168.2.1, you can use this rule:

    table arp x {
        chain y {
            type filter hook input priority filter; policy accept;
            arp saddr ip 192.168.2.1 counter packets 1 bytes 46
        }
    }

  • Support for transparent forwarding of requests through a proxy (tproxy). For example, to redirect connections to port 80 to proxy port 8080:

    table ip x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 80 tproxy to :8080
        }
    }

  • Support for socket marks, with the ability to read the mark set via setsockopt() with the SO_MARK option. For example:

    table inet x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 8080 mark set socket mark
        }
    }

  • Support for textual priority names for chains. For example:

    nft add chain ip x raw { type filter hook prerouting priority raw; }
    nft add chain ip x filter { type filter hook prerouting priority filter; }
    nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; }

  • Support for SELinux labels (secmark). For example, to define the label "sshtag" with an SELinux context, you can run:

    nft add secmark inet filter sshtag "system_u:object_r:ssh_server_packet_t:s0"

    and then use this label in rules:

    nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"

    nft add map inet filter secmapping { type inet_service : secmark; }
    nft add element inet filter secmapping { 22 : "sshtag" }
    nft add rule inet filter input meta secmark set tcp dport map @secmapping

  • Ability to specify the ports assigned to protocols in textual form, as defined in the /etc/services file. For example:

    nft add rule x y tcp dport "ssh"
    nft list ruleset -l
    table x {
        chain y {
            ...
            tcp dport "ssh"
        }
    }

  • Ability to check the kind of a network interface. For example:

    add rule inet raw prerouting meta iifkind "vrf" accept

  • Improved support for updating the contents of sets from the packet path by specifying the "dynamic" flag. For example, to update set "s" by adding the source address, with the entry expiring if no packets arrive for 30 seconds:

    add table x
    add set x s { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
    add chain x y { type filter hook input priority 0; }
    add rule x y update @s { ip saddr }
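    To show how the textual chain priorities, the /etc/services names and the dynamic sets described above fit together, here is an added example ruleset, not from the release notes or the nftables project, that can be loaded with nft -f. The set name ssh_new, the policy drop default and the 3/minute threshold are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the release notes: combines several 0.9.1 features.
# Set name "ssh_new" and the 3/minute threshold are assumptions.
flush ruleset

table inet filter {
    # dynamic set: elements are inserted from the packet path and each entry
    # expires 30 s after its last update
    set ssh_new {
        type ipv4_addr
        size 65535
        flags dynamic
        timeout 30s
    }

    chain input {
        # textual priority name instead of a numeric value
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # "ssh" is resolved from /etc/services to port 22.
        # The stateful limit lives inside the set element, so each source
        # address gets its own bucket: more than 3 new SSH connections
        # per minute from one address are dropped, everything else is accepted.
        tcp dport "ssh" ct state new update @ssh_new { ip saddr limit rate over 3/minute } drop
        tcp dport "ssh" ct state new accept
    }
}
```

    After loading, nft list set inet filter ssh_new shows the tracked source addresses together with the remaining timeout of each entry.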

  • Ability to set separate connection tracking timeouts. For example, to override the default timeouts for packets arriving on port 8888, you can define:

    table ip filter {
        ct timeout customtcp {
            protocol tcp;
            l3proto ip;
            policy = { established: 100, close_wait: 4, close: 4 }
        }
        chain output {
            ...
            tcp dport 8888 ct timeout set "customtcp"
        }
    }

  • NAT support for the inet family:

    table inet nat {
        ...
        ip6 daddr dead::2::1 dnat to dead:2::99
    }

  • Improved error reporting for typos:

    nft add chain filter test

    Error: No such file or directory; did you mean table 'filter' in family ip?
    add chain filter test
              ^^^^^^

  • Ability to specify interface names in sets:

    set sc {
        type inet_service . ifname
        elements = { "ssh" . "eth0" }
    }

  • Improved flowtable rule syntax:

    nft add table x
    nft add flowtable x ft { hook ingress priority 0; devices = { eth0, wlan0 }; }
    ...
    nft add rule x forward ip protocol { tcp, udp } flow add @ft

  • Improved JSON support.

Source: opennet.ru
