nftables packet filter release 0.9.1

After a year of development, the nftables 0.9.1 packet filter has been released. It is developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet-filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel-side functionality is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13.

The kernel level provides only a generic, protocol-independent interface that offers basic primitives for extracting data from packets, operating on that data, and controlling flow.
The filtering logic itself and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed in a dedicated virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach substantially reduces the amount of filtering code running at kernel level and moves all rule parsing and protocol-handling logic into user space.

Main changes:

  • IPsec support, which allows matching tunnel addresses based on the packet, the IPsec request ID, and the SPI (Security Parameter Index) tag. For example:

    ... ipsec in ip saddr 192.168.1.0/24
    ... ipsec in spi 1-65536

    It is also possible to check whether a route passes through an IPsec tunnel. For example, to block traffic that does not go through IPsec:

    ... filter output rt ipsec missing drop

  • Support for IGMP (Internet Group Management Protocol). For example, you can use a rule to drop IGMP group membership queries:

    nft add rule netdev foo bar igmp type membership-query counter drop

  • Ability to use variables to define chain transitions (jump / goto). For example:

    define dest = ber
    add rule ip foo bar jump $dest

  • Support for operating-system fingerprinting masks (OS Fingerprint) based on the TTL values in the header. For example, to mark packets according to the sending OS, you can use the directive:

    ... meta mark set osf ttl skip name map { "Linux" : 0x1,
                                              "Windows" : 0x2,
                                              "MacOS" : 0x3,
                                              "unknown" : 0x0 }
    ... osf ttl skip version "Linux:4.20"

  • Ability to match the sender's ARP address and the IPv4 address of the target system. For example, to increment a counter for ARP packets sent from address 192.168.2.1, you can use the following rule:

    table arp x {
        chain y {
            type filter hook input priority filter; policy accept;
            arp saddr ip 192.168.2.1 counter packets 1 bytes 46
        }
    }

  • Support for transparently forwarding requests through a proxy (tproxy). For example, to redirect connections to port 80 to proxy port 8080:

    table ip x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 80 tproxy to :8080
        }
    }

  • Support for marking sockets, with the mark subsequently retrievable via setsockopt() in SO_MARK mode. For example:

    table inet x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 8080 mark set socket mark
        }
    }

  • Support for symbolic priority names for chains. For example:

    nft add chain ip x raw { type filter hook prerouting priority raw; }
    nft add chain ip x filter { type filter hook prerouting priority filter; }
    nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; }

  • Support for SELinux labels (Secmark). For example, to define the "sshtag" label with its SELinux context, you can run:

    nft add secmark inet filter sshtag "system_u:object_r:ssh_server_packet_t:s0"

    And then use this label in rules:

    nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"

    nft add map inet filter secmapping { type inet_service : secmark; }
    nft add element inet filter secmapping { 22 : "sshtag" }
    nft add rule inet filter input meta secmark set tcp dport map @secmapping

  • Ability to specify ports assigned to protocols in symbolic form, as defined in the /etc/services file. For example:

    nft add rule x y tcp dport "ssh"
    nft list ruleset -l
    table x {
        chain y {
            ...
            tcp dport "ssh"
        }
    }

  • Ability to check the network interface type. For example:

    add rule inet raw prerouting meta iifkind "vrf" accept

  • Improved support for dynamically updating set contents by explicitly specifying the "dynamic" flag. For example, to create a set "s" to which the source address is added, with the entry expiring if no packets arrive for 30 seconds:

    add table x
    add set x s { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
    add chain x y { type filter hook input priority 0; }
    add rule x y update @s { ip saddr }

  • Ability to set separate connection-state timeouts. For example, to apply a specific timeout for packets arriving on port 8888, you can define:

    table ip filter {
        ct timeout aggressive-tcp {
            protocol tcp;
            l3proto ip;
            policy = { established: 100, close_wait: 4, close: 4 }
        }
        chain output {
            ...
            tcp dport 8888 ct timeout set "aggressive-tcp"
        }
    }
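    The dynamic set and the per-rule ct timeout object above, combined with named chain priorities and a symbolic port, as one checkable ruleset. This is an added example, not part of the article or the nftables project: the table, set and chain names and the log prefix are assumed, and nothing is loaded into the kernel.

```shell
# Added example (not from the article): write a ruleset file that combines the
# 0.9.1 features described above and parse-check it with `nft -c -f`.
# Table/set/chain names are assumed; -c checks syntax without loading anything.
write_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset
table ip x {
    # dynamic set: an address stays in the set for 30s after its last packet
    set recent { type ipv4_addr; size 128; timeout 30s; flags dynamic; }

    # named conntrack timeout policy, attached per rule below
    ct timeout aggressive-tcp {
        protocol tcp; l3proto ip;
        policy = { established: 100, close_wait: 4, close: 4 }
    }

    chain input {
        # symbolic priority name instead of a raw number
        type filter hook input priority filter; policy accept;
        # log a source the first time it is seen, then (re)insert it with a fresh 30s timeout
        ip saddr != @recent log prefix "new-source: "
        update @recent { ip saddr }
        # port given by service name, resolved through /etc/services
        tcp dport "ssh" counter
    }

    chain output {
        type filter hook output priority filter; policy accept;
        tcp dport 8888 ct timeout set "aggressive-tcp"
    }
}
EOF
}

# Parse-only check: reports syntax errors without touching the live ruleset.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}
```

Run `write_ruleset /tmp/x.nft && check_ruleset /tmp/x.nft`; once it parses cleanly, `nft -f /tmp/x.nft` loads it.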

  • NAT support for the inet family:

    table inet nat {
        ...
        ip6 daddr dead::2::1 dnat to dead:2::99
    }

  • Improved error reporting for typos:

    nft add chain filter test

    Error: No such file or directory; did you mean table 'filter' in family ip?
    add chain filter test
              ^^^^^^

  • Ability to specify service names in sets:

    set sc {
        type inet_service . ifname
        elements = { "ssh" . "eth0" }
    }

  • Updated flowtable rule syntax:

    nft add table x
    nft add flowtable x ft { hook ingress priority 0; devices = { eth0, wlan0 }; }
    ...
    nft add rule x forward ip protocol { tcp, udp } flow add @ft

  • Improved JSON support.

Source: opennet.ru
