Release of the nftables packet filter 0.9.1

A year after the previous release, nftables 0.9.1 has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet-filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13.

The kernel side provides only a generic, protocol-independent interface with the basic primitives for extracting data from packets, operating on that data and controlling flow. The filtering logic itself and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel over the Netlink interface and executed by a dedicated virtual machine resembling BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code that runs at kernel level and moves all rule parsing and protocol-handling logic into user space.

Main new features:

  • IPsec support, making it possible to match packets by the tunnel addresses, the IPsec request ID and the SPI (Security Parameter Index). For example:

    ... ipsec in ip saddr 192.168.1.0/24
    ... ipsec in spi 1-65536

    It is also possible to check whether the route for a packet goes through an IPsec tunnel. For example, to drop outgoing traffic that is not sent through IPsec:

    ... filter output rt ipsec missing drop

  • IGMP (Internet Group Management Protocol) support. For example, a rule to drop incoming IGMP membership queries:

    nft add rule netdev foo bar igmp type membership-query counter drop

  • Variables can be used to name the target chain of a jump / goto. For example:

    define dest = ber
    add rule ip foo bar jump $dest

  • Support for the osf module for passive OS fingerprinting of the sender; the ttl keyword selects how the packet's header TTL is treated when matching the fingerprint (skip ignores it). For example, to mark packets according to the sender's operating system:

    ... meta mark set osf ttl skip name map { "Linux" : 0x1,
                                              "Windows" : 0x2,
                                              "MacOS" : 0x3,
                                              "unknown" : 0x0 }
    ... osf ttl skip version "Linux:4.20"

  • Matching on the ARP sender address and on the IPv4 address of the target system. For example, to count ARP packets sent from the address 192.168.2.1:

    table arp x {
        chain y {
            type filter hook input priority filter; policy accept;
            arp saddr ip 192.168.2.1 counter packets 1 bytes 46
        }
    }

  • Support for transparent proxying of connections (tproxy). For example, to redirect connections to port 80 to a proxy listening on port 8080:

    table ip x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 80 tproxy to :8080
        }
    }

  • Support for socket marks, so that a mark set by the application through setsockopt() with SO_MARK can be read back into the packet mark. For example:

    table inet x {
        chain y {
            type filter hook prerouting priority -150; policy accept;
            tcp dport 8080 mark set socket mark
        }
    }

  • Support for symbolic priority names for chains, with optional offsets. For example:

    nft add chain ip x raw { type filter hook prerouting priority raw; }
    nft add chain ip x filter { type filter hook prerouting priority filter; }
    nft add chain ip x filter_later { type filter hook prerouting priority filter + 10; }

  • Support for SELinux labels (secmark). For example, to define the label "sshtag" with an SELinux context, run:

    nft add secmark inet filter sshtag "system_u:object_r:ssh_server_packet_t:s0"

    Then use this label in rules:

    nft add rule inet filter input tcp dport 22 meta secmark set "sshtag"

    nft add map inet filter secmapping { type inet_service : secmark; }
    nft add element inet filter secmapping { 22 : "sshtag" }
    nft add rule inet filter input meta secmark set tcp dport map @secmapping

  • Ports can be given by the service name assigned to them in /etc/services, and are listed back the same way with nft -l. For example:

    nft add rule x y tcp dport "ssh"
    nft list ruleset -l
    table x {
        chain y {
            ...
            tcp dport "ssh"
        }
    }

  • Matching on the kind of network interface (meta iifkind). For example, to accept packets arriving on a VRF device:

    add rule inet raw prerouting meta iifkind "vrf" accept

  • Improved support for dynamically updating set contents, now requested with an explicit "dynamic" flag. For example, to update set "s" with the source address of each packet, expiring an entry if no packet refreshes it for 30 seconds:

    add table x
    add set x s { type ipv4_addr; size 128; timeout 30s; flags dynamic; }
    add chain x y { type filter hook input priority 0; }
    add rule x y update @s { ip saddr }

  • Conntrack timeout policies can be defined as separate ct timeout objects and attached per connection. For example, to apply shorter timeouts to outgoing connections to port 8888:

    table ip filter {
        ct timeout aggressive-tcp {
            protocol tcp;
            l3proto ip;
            policy = { established: 100, close_wait: 4, close: 4 }
        }
        chain output {
            ...
            tcp dport 8888 ct timeout set "aggressive-tcp"
        }
    }

  • Support for NAT in the inet family:

    table inet nat {
        ...
        ip6 daddr dead::2::1 dnat to dead:2::99
    }

  • Improved error reporting for typos, with a suggestion and a pointer to the offending token:

    nft add chain fliter test

    Error: No such file or directory; did you mean table 'filter' in family ip?
    add chain fliter test
              ^^^^^^

  • Interface names (ifname) can be used as set elements, including in concatenations:

    set sc {
        type inet_service . ifname
        elements = { "ssh" . "eth0" }
    }

  • Updated flowtable syntax:

    nft add table x
    nft add flowtable x ft { hook ingress priority 0; devices = { eth0, wlan0 }; }
    ...
    nft add rule x forward ip protocol { tcp, udp } flow add @ft

  • Improved JSON support.
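To show how several of these features fit together in one loadable ruleset, here is an added example; it is not from the release announcement or from the nftables project. It is a host firewall for a machine running nftables 0.9.1 on a recent kernel that rate-limits new SSH connections per source with a dynamic set, restricts accepted services per interface with an inet_service . ifname set, uses symbolic chain priorities and /etc/services names, and attaches a ct timeout policy to an internal service. The interface name eth0, the rate limits, the timeout values and the tcp/8888 service are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the nftables 0.9.1 release notes.
# Assumptions: eth0 is the only external interface, tcp/8888 is an internal
# service, and the limits/timeouts below suit the host.
flush ruleset

table inet filter {
    # Dynamic set (flags dynamic) of sources that recently opened new SSH
    # connections; an entry expires 60s after it was last refreshed.
    set ssh_meter {
        type ipv4_addr
        size 65535
        flags dynamic
        timeout 60s
    }

    # Service . interface pairs that may receive new connections. Service
    # names resolve through /etc/services; the interface name is assumed.
    set allowed_in {
        type inet_service . ifname
        elements = { "ssh" . "eth0", "http" . "eth0", "https" . "eth0" }
    }

    # Shorter conntrack timeouts (seconds) for IPv4 TCP flows to the internal
    # service, so half-closed connections do not pin conntrack entries.
    ct timeout short_tcp {
        protocol tcp
        l3proto ip
        policy = { established : 120, close_wait : 10, close : 10 }
    }

    chain input {
        # Symbolic priority name instead of the numeric 0.
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state established,related accept

        # Per-source rate limit on new SSH connections: refresh the entry for
        # ip saddr, and drop once a source exceeds 5 new connections/minute.
        tcp dport "ssh" ct state new add @ssh_meter { ip saddr limit rate over 5/minute } drop

        # Other new connections are allowed only for listed service/interface pairs.
        tcp dport . iifname @allowed_in ct state new accept

        icmp type echo-request limit rate 10/second accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # Attach the short timeout policy to connections towards tcp/8888.
        tcp dport 8888 ct timeout set "short_tcp"
    }
}
```

Syntax-check the file without loading it with `nft -c -f host.nft`, load it with `nft -f host.nft`, and watch the limiter fill with `nft list set inet filter ssh_meter`; `nft -j list ruleset` returns the same ruleset as JSON for tooling.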

Source: opennet.ru
