Pambuyo pa chaka cha chitukuko kumasulidwa kwa paketi fyuluta , kupanga m'malo mwa ma iptables, ip6table, arptables ndi ebtables mwa kugwirizanitsa zosefera za paketi za IPv4, IPv6, ARP ndi milatho ya maukonde. Phukusi la nftables limaphatikizapo zosefera za paketi zomwe zimagwira ntchito pamalo ogwiritsira ntchito, pomwe ntchito ya kernel imaperekedwa ndi nf_tables subsystem, yomwe yakhala gawo la Linux kernel kuyambira kutulutsidwa kwa 3.13.
Mulingo wa kernel umapereka mawonekedwe odziyimira pawokha a generic protocol omwe amapereka ntchito zoyambira kuchotsa deta m'mapaketi, kuchita ma data, ndikuwongolera kuyenda.
Zosefera zokhazokha komanso zogwirira ntchito zapadera zimaphatikizidwa mu bytecode mu malo ogwiritsira ntchito, pambuyo pake bytecode iyi imayikidwa mu kernel pogwiritsa ntchito mawonekedwe a Netlink ndikuchitidwa mu makina apadera okumbukira BPF (Berkeley Packet Filters). Njirayi imakuthandizani kuti muchepetse kwambiri kukula kwa code yosefera yomwe ikuyenda pamlingo wa kernel ndikusuntha ntchito zonse za malamulo ophatikizira ndi malingaliro ogwirira ntchito ndi ma protocol mu malo ogwiritsa ntchito.
Zatsopano zazikulu:
- Thandizo la IPsec, kulola kufanana kwa ma adilesi otengera paketi, ID ya pempho la IPsec, ndi tag ya SPI (Security Parameter Index). Mwachitsanzo,
... ipsec mu ip saddr 192.168.1.0/24
... ipsec mu spi 1-65536Ndizothekanso kuwona ngati njira idutsa mumsewu wa IPsec. Mwachitsanzo, kuletsa kuchuluka kwa magalimoto osati kudzera pa IPSec:
β¦ zotulutsa zosefera rt ipsec zikusowa dontho
- Thandizo la IGMP (Internet Group Management Protocol). Mwachitsanzo, mutha kugwiritsa ntchito lamulo kutaya zopempha zomwe zikubwera za umembala wa gulu la IGMP
nft yonjezerani lamulo netdev foo bar igmp mtundu wa umembala-funso lotsika
- Kuthekera kogwiritsa ntchito zosinthika kutanthauzira maunyolo osinthika (kulumpha / goto). Mwachitsanzo:
define define = ber
onjezani lamulo ip foo bar kulumpha $dest - Thandizo la masks kuti azindikire makina ogwiritsira ntchito (OS Fingerprint) kutengera ma TTL pamutu. Mwachitsanzo, kuti mulembe mapaketi kutengera wotumiza OS, mutha kugwiritsa ntchito lamulo ili:
... meta mark set osf ttl skip name map {"Linux": 0x1,
"Mawindo": 0x2,
"MacOS": 0x3,
"zosadziwika": 0x0 }
... osf ttl skip version "Linux:4.20" - Kutha kufanana ndi adilesi ya ARP ya wotumiza ndi adilesi ya IPv4 ya dongosolo lomwe mukufuna. Mwachitsanzo, kuti muwonjezere kauntala ya mapaketi a ARP otumizidwa kuchokera ku adilesi 192.168.2.1, mutha kugwiritsa ntchito lamulo ili:
tebulo arp x {
unyolo y {
mtundu fyuluta mbeza zolowetsa patsogolo fyuluta; kuvomereza ndondomeko;
arp saddr ip 192.168.2.1 mapaketi owerengera 1 mabayiti 46
}
} - Kuthandizira kutumiza zopempha momveka bwino kudzera pa proxy (tproxy). Mwachitsanzo, kutumiziranso mafoni ku doko 80 kupita ku doko la proxy 8080:
tebulo ip x {
unyolo y {
mtundu fyuluta mbedza prerouting patsogolo -150; kuvomereza ndondomeko;
tcp dport 80 tproxy ku: 8080
}
} - Thandizo lolemba ma socket ndi kuthekera kopitilira kupeza chilembo kudzera pa setsockopt() mu SO_MARK mode. Mwachitsanzo:
tebulo inet x {
unyolo y {
mtundu fyuluta mbedza prerouting patsogolo -150; kuvomereza ndondomeko;
tcp dport 8080 chizindikiro choyika zitsulo
}
} - Thandizo lofotokozera mayina a malemba oyambirira pamaketani. Mwachitsanzo:
nft onjezani unyolo ip x yaiwisi {mtundu wa fyuluta mbedza prerouting yaiwisi yaiwisi; }
nft onjezani unyolo ip x fyuluta {mtundu wa fyuluta mbedza yotsogolera zosefera; }
nft onjezani unyolo ip x sefa_kenako {mtundu wa fyuluta mbedza yotsogolera zosefera + 10; } - Kuthandizira ma tag a SELinux (Secmark). Mwachitsanzo, kufotokozera tag ya "sshtag" mu SELinux, mutha kuthamanga:
nft onjezani secmark inet fyuluta sshtag "system_u:object_r:ssh_server_packet_t:s0"
Kenako gwiritsani ntchito chizindikiro ichi m'malamulo:
nft onjezani lamulo la inet zolowera tcp dport 22 meta secmark set "sshtag"
nft onjezani secmapping ya mapu a inet {mtundu wa inet_service: secmark; }
nft onjezani secmapping element inet secmapping {22: "sshtag"}
nft onjezani lamulo la inet zosefera meta secmark set tcp dport map @secmapping - Kutha kufotokoza madoko omwe amaperekedwa ku ma protocol m'malemba, monga momwe amafotokozera mu fayilo ya /etc/services. Mwachitsanzo:
nft onjezani lamulo xy tcp dport "ssh"
nft mndandanda malamulo -l
tebulo x {
unyolo y {
...
tcp dport "ssh"
}
} - Kutha kuyang'ana mtundu wa mawonekedwe a netiweki. Mwachitsanzo:
onjezani lamulo inet yaiwisi prerouting meta iifkind "vrf" kuvomereza
- Thandizo lokwezeka lakusintha zomwe zili m'maseti pofotokoza momveka bwino mbendera ya "dynamic". Mwachitsanzo, kusinthira "ma" kuti muwonjezere adilesi yoyambira ndikukhazikitsanso zolowera ngati palibe mapaketi amasekondi 30:
onjezani tebulo x
onjezani set xs {mtundu wa ipv4_addr; kukula 128; nthawi ya 30s; mbendera zamphamvu; }
onjezani unyolo xy {mtundu wa zosefera zolowera patsogolo 0; }
onjezani lamulo xy zosintha @s {ip saddr} - Kutha kukhazikitsa nthawi yosiyana yothera nthawi. Mwachitsanzo, kuti muchotse nthawi yokhazikika pamapaketi omwe afika padoko 8888, mutha kufotokoza:
tebulo ip fyuluta {
ct timeout aggressive-tcp {
protocol tcp;
l3proto ip;
ndondomeko = {inakhazikitsidwa: 100, close_wait: 4, kutseka: 4}
}
chain output {
...
tcp dport 8888 ct nthawi yomaliza yakhazikitsa "aggressive-tcp"
}
} - Thandizo la NAT la banja la inet:
tebulo inet {
...
ip6 adamwalira::2::1 dnat mpaka kufa:2::99
} - Lipoti la zolakwika za typo zowongoleredwa:
nft onjezani chain filter test
Cholakwika: Palibe fayilo kapena chikwatu chotere; mumatanthauza "sefa" mu banja ip?
onjezani chain filter test
^^^^^^^ - Kutha kufotokoza mayina a mawonekedwe m'maseti:
khalani sc {
lembani inet_service . ifname
zinthu = {"ssh" . "eti0"}
} - Ma syntax a malamulo osinthika osinthidwa:
nft kuwonjezera tebulo x
nft onjezani flowtable x ft {hook ingress patsogolo 0; zipangizo = { eth0, wlan0 }; }
...
nft kuwonjezera lamulo x patsogolo ip protocol {tcp, udp} flow add @ft - Thandizo la JSON labwino.
Source: opennet.ru