The release of the packet filter nftables 1.0.5 has been published, unifying packet filtering for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). At the same time, a release of the companion library libnftnl 1.2.3 was published, providing a low-level API for interacting with the nf_tables subsystem.
The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. At the kernel level only a generic, protocol-independent interface is provided, offering basic primitives for extracting data from packets, performing operations on that data, and controlling the flow of processing.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space, after which this bytecode is loaded into the kernel over the Netlink interface and executed there in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.
Major changes:
- In the rule optimizer, invoked when the "-o/--optimize" option is given, problems with merging rules, maps and set elements have been fixed. For example, two separate NAT rules are now merged into a single map-based rule:

    # cat ruleset.nft
    table ip x {
      chain y {
        type nat hook postrouting priority srcnat; policy drop;
        ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
        ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
      }
    }
    # nft -o -c -f ruleset.nft
    Merging:
    ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
    ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
    into:
    snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
- Ethernet and VLAN fields can now be combined in a concatenation when defining a dynamic set that is populated from the fields of the packets passing through:

    add table netdev x
    add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
    add set netdev x macset { typeof ether daddr . vlan id; flags dynamic,timeout; }
    add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }
    add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter accept
- Listing of rules that use a verdict map (vmap) keyed on interface names containing wildcards has been fixed:

    table inet filter {
      chain INPUT {
        iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn }
      }
      chain input_lan {}
      chain input_vpn {}
    }
- A regressive change that led to incorrect lexical parsing of certain rules has been reverted.
- Problems with deferred processing and automatic merging of large sets whose elements define interval values have been fixed.
- A crash when adding elements to an invalid set has been fixed.
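As an added illustration of the dynamic-set change above (this is not taken from the release notes or the nftables project), the following ruleset uses an `ether saddr . vlan id` concatenation in a dynamic set to log the first sighting of each MAC/VLAN pair on an ingress interface. The interface name eth0, the VLAN ids 10 and 20, the set and chain names, and the 10-minute window are constructed placeholders.

```nft
# Added example, not part of the nftables 1.0.5 announcement.
# Tracks (source MAC, VLAN id) pairs seen on a netdev ingress hook so that a
# host appearing on a VLAN for the first time within the window produces one
# rate-limited log line. Names and values below are constructed placeholders.
flush ruleset

table netdev monitor {
    # Dynamic set keyed on the ethernet/VLAN concatenation allowed since 1.0.5.
    set seen {
        typeof ether saddr . vlan id
        flags dynamic, timeout
    }

    chain ingress {
        # Only 802.1Q-tagged frames carry a vlan id, so untagged frames
        # do not match either rule below and simply pass.
        type filter hook ingress device eth0 priority 0; policy accept;

        # Pair not yet in the set: this is a first sighting in the window.
        vlan id { 10, 20 } ether saddr . vlan id != @seen \
            limit rate 10/minute log prefix "new-host: " counter

        # Record or refresh the pair; entries expire after 10 minutes of silence.
        vlan id { 10, 20 } update @seen { ether saddr . vlan id timeout 10m }
    }
}
```

Validate the file without loading it using `nft -c -f monitor.nft` (the same `-c` check mode used in the optimizer example above); adding `--debug=netlink` to that command prints the bytecode the user-space compiler would hand to the kernel, which is a convenient way to see the architecture described at the top of the article. The log line is a detection signal only: a source MAC is trivially settable by the sender, so treat a new-host entry as a prompt to correlate with switch port data or DHCP logs, not as proof of a rogue device.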
Source: opennet.ru
