After a year of development
At the kernel level there is only a generic, protocol-independent interface that provides the basic functions for extracting data from packets, performing operations on that data, and controlling flow.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; that bytecode is then loaded into the kernel over the Netlink interface and executed in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol-handling logic into user space.
Main changes:
- IPsec support, allowing matches on tunnel addresses taken from the packet, on the IPsec request ID and on the SPI (Security Parameter Index) tag. For example:
    ... ipsec in ip saddr 192.168.1.0/24
    ... ipsec in spi 1-65536
  It is also possible to check whether a route passes through an IPsec tunnel, for instance to drop traffic that is not IPsec:
    ... filter forward rt ipsec missing drop
- Support for IGMP (Internet Group Management Protocol). For example, a rule can drop incoming IGMP membership queries:
    nft add rule netdev foo bar igmp type membership-query counter drop
- Ability to use variables when defining chain transitions (jump / goto). For example:
    define dest = ber
    add rule ip foo bar jump $dest
- Support for matching on the sending host's operating system (OS fingerprinting) based on the TTL value in the header. For example, to mark packets according to the sender's OS, you can use the rule:
    ... meta mark set osf ttl skip name map { "Linux" : 0x1,
                                              "Windows" : 0x2,
                                              "MacOS" : 0x3,
                                              "unknown" : 0x0 }
    ... osf ttl skip version "Linux:4.20"
- Ability to match the ARP sender address and the IPv4 address of the target system. For example, to count ARP packets sent from the address 192.168.2.1, you can use this rule:
    table arp x {
        chain y {
            type filter hook input priority filter; policy accept;
            arp saddr ip 192.168.2.1 counter packets 1 bytes 46
        }
    }
- Support for transparent proxying of requests (tproxy). For example, to redirect connections to port 80 to a proxy on port 8080:
    table ip x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 80 tproxy to :8080
        }
    }
- Support for socket marks, so that a mark assigned via setsockopt() with SO_MARK can be picked up in rules. For example:
    table inet x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 8080 mark set socket mark
        }
    }
- Support for specifying chain priorities by name. For example:
    nft add chain ip x raw { type filter hook prerouting priority raw; }
    nft add chain ip x filter { type filter hook prerouting priority filter; }
    nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; }
- Support for SELinux labels (Secmark). For example, to bind the "sshtag" label to an SELinux context, run:
    nft add secmark inet filter sshtag "system_u:object_r:ssh_server_packet_t:s0"
  This name can then be used in rules:
    nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"
    nft add map inet filter secmapping { type inet_service : secmark; }
    nft add element inet filter secmapping { 22 : "sshtag" }
    nft add rule inet filter input meta secmark set tcp dport map @secmapping
- Ability to match ports given by service name as text, as defined in the /etc/services file. For example:
    nft add rule x y tcp dport "ssh"
    nft list ruleset -l
    table x {
        chain y {
            ...
            tcp dport "ssh"
        }
    }
- Ability to check the type of the network interface. For example:
    add rule inet raw prerouting meta iifkind "vrf" accept
- Improved support for dynamically updating set elements by explicitly specifying the "dynamic" flag. For example, to update set "s" with each packet's source address, keeping an entry for 30 seconds after the last packet from that address:
    add table x
    add set x s { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
    add chain x y { type filter hook input priority 0; }
    add rule x y update @s { ip saddr }
- Ability to set a connection-tracking timeout policy. For example, to apply shorter timeouts to packets arriving on port 8888, you can specify:
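As an added illustration of the named chain priorities introduced above (this script is not from the article or the nftables project): it resolves priority specifications such as raw, filter + 10 or -150 to the numeric values documented in nft(8) for the ip, ip6 and inet families, and lists the chains on one hook in the order packets traverse them. The chain names are constructed from the article's own examples.

```python
# Added example (not from the opennet.ru article or the nftables project):
# resolve nftables hook priorities written as a name, a number, or
# "name +/- offset", then list chains on one hook in the order the kernel
# traverses them (lower priority value runs first).

import re

# Standard priority names for the ip, ip6 and inet families, as documented
# in the nft(8) manual page (the bridge family uses different values).
PRIORITY_NAMES = {
    "raw": -300,
    "mangle": -150,
    "dstnat": -100,
    "filter": 0,
    "security": 50,
    "srcnat": 100,
}

_PRIO_RE = re.compile(r"^\s*(-?\d+|[a-z]+)\s*(?:([+-])\s*(\d+))?\s*$")


def resolve_priority(spec: str) -> int:
    """Turn 'filter + 10', 'raw', '-150' or '0' into a numeric priority."""
    m = _PRIO_RE.match(spec)
    if not m:
        raise ValueError(f"unparseable priority: {spec!r}")
    base, sign, offset = m.groups()
    if base.lstrip("-").isdigit():
        value = int(base)
    elif base in PRIORITY_NAMES:
        value = PRIORITY_NAMES[base]
    else:
        raise ValueError(f"unknown priority name: {base!r}")
    if sign:
        value += int(offset) if sign == "+" else -int(offset)
    return value


def chain_order(chains: list[tuple[str, str, str]]) -> list[str]:
    """chains: (name, hook, priority spec). Returns 'hook:name@prio' strings
    sorted per hook in packet-traversal order."""
    resolved = [(hook, resolve_priority(p), name) for name, hook, p in chains]
    return [f"{hook}:{name}@{prio}" for hook, prio, name in sorted(resolved)]


# Constructed input mirroring the prerouting chains in the article's examples
# (the tproxy and socket-mark chains use the numeric priority -150).
EXAMPLE_CHAINS = [
    ("filter_later", "prerouting", "filter + 10"),
    ("filter", "prerouting", "filter"),
    ("raw", "prerouting", "raw"),
    ("tproxy_y", "prerouting", "-150"),
]

if __name__ == "__main__":
    for line in chain_order(EXAMPLE_CHAINS):
        print(line)
```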
    table ip filter {
        ct timeout aggressive-tcp {
            protocol tcp;
            l3proto ip;
            policy = { established: 100, close_wait: 4, close: 4 }
        }
        chain output {
            ...
            tcp dport 8888 ct timeout set "aggressive-tcp"
        }
    }
- NAT support for the inet family:
    table inet nat {
        ...
        ip6 daddr dead:2::1 dnat to dead:2::99
    }
- Improved error reporting:
    nft add chain filter test
    Error: No such file or directory; did you mean table 'filter' in family ip?
    add chain filter test
              ^^^^^^
- Ability to specify interface names in sets:
    set sc {
        type inet_service . ifname
        elements = { "ssh" . "eth0" }
    }
- Updated flowtable rule syntax:
    nft add table x
    nft add flowtable x ft { hook ingress priority 0; devices = { eth0, wlan0 }; }
    ...
    nft add rule x forward ip protocol { tcp, udp } flow add @ft
- Improved JSON support.

Source: opennet.ru