nftables packet filter 0.9.5 release

The release of the packet filter nftables 0.9.5 has been published. nftables is being developed as a replacement for iptables, ip6tables, arptables and ebtables, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges. The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel-side changes required by the nftables 0.9.5 release were merged into Linux kernel 5.7.

At the kernel level only a generic, protocol-independent interface is provided, offering the basic operations of extracting data from packets, performing operations on that data, and flow control. The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all rule-parsing functions and protocol-handling logic into user space.

Main innovations:

  • Support for packet and byte counters attached to the elements stored in sets has been added. Counters are enabled with the "counter" keyword in the set definition; each element matched by a rule that uses the set gets its own counter:

    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35, 192.168.10.101, 192.168.10.135 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • To set the initial values of the counters, for example to restore the previous counter state after a reboot, you can load a ruleset with the "nft -f" command:

    # cat ruleset.nft
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }
    # nft -f ruleset.nft
    # nft list ruleset
    table ip x {
        set y {
            typeof ip saddr
            counter
            elements = { 192.168.10.35 counter packets 1 bytes 84, 192.168.10.101 \
                         counter packets 0 bytes 0, 192.168.10.135 counter packets 0 bytes 0 }
        }

        chain z {
            type filter hook output priority filter; policy accept;
            ip daddr @y
        }
    }

  • Counter support has also been added to flowtables:

    table ip foo {
        flowtable bar {
            hook ingress priority -100
            devices = { eth0, eth1 }
            counter
        }

        chain forward {
            type filter hook forward priority filter;
            flow add @bar counter
        }
    }

    The counters of offloaded flows can be viewed with the "conntrack -L" command:

    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47278 dport=5201 packets=9 bytes=608 \
    src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47278 packets=8 bytes=428 [OFFLOAD] mark=0 \
    secctx=null use=2
    tcp 6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 \
    packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 \
    packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2

  • For concatenations (keys that combine several fields, such as an address and a port, which simplifies matching), it is now possible to use the "typeof" directive, which derives the data type of the set elements from the fields that make up the concatenation:

    table ip foo {
        set whitelist {
            typeof ip saddr . tcp dport
            elements = { 192.168.10.35 . 80, 192.168.10.101 . 80 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            ip daddr . tcp dport @whitelist accept
        }
    }

  • The typeof directive is now also supported for concatenations in maps:

    table ip foo {
        map addr2mark {
            typeof ip saddr . tcp dport : meta mark
            elements = { 192.168.10.35 . 80 : 0x00000001,
                         192.168.10.135 . 80 : 0x00000002 }
        }

        chain bar {
            type filter hook prerouting priority filter; policy drop;
            meta mark set ip daddr . tcp dport map @addr2mark accept
        }
    }

  • Support for ranges in anonymous (unnamed) sets has been added:

    # nft add rule inet filter input ip daddr . tcp dport \
        { 10.0.0.0/8 . 10-23, 192.168.1.1-192.168.3.8 . 80-443 } accept

  • The ability to discard packets carrying 802.1q (VLAN) tags when processing network bridges has been added:

    # nft add rule bridge foo bar ether type vlan reject with tcp reset

  • Support for matching on the conntrack session identifier (conntrack ID) has been added. To find the conntrack ID of an entry, you can use the "--output id" option of conntrack:

    # conntrack -L --output id
    udp 17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 \
    bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 \
    [ASSURED] mark=0 use=1 id=2779986232

    # nft add rule foo bar ct id 2779986232 counter
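As an added example, not part of the release notes or of the nftables project, the following parser reads "conntrack -L" lines like the ones quoted for the flowtable counters and for "--output id" above, separates the original and reply tuples from the trailing fields, picks out flowtable-offloaded flows, and builds the "ct id ... counter" rule for an entry. The two sample lines are constructed after the listings on this page; table and chain names are assumed.

```python
# Constructed sample, modelled on the two "conntrack -L" listings on this page.
SAMPLE_CONNTRACK = """\
tcp      6 src=192.168.10.2 dst=10.0.1.2 sport=47280 dport=5201 packets=1005763 bytes=44075714753 src=10.0.1.2 dst=10.0.1.1 sport=5201 dport=47280 packets=967505 bytes=50310268 [OFFLOAD] mark=0 secctx=null use=2
udp      17 18 src=192.168.2.118 dst=192.168.2.1 sport=36424 dport=53 packets=2 bytes=122 src=192.168.2.1 dst=192.168.2.118 sport=53 dport=36424 packets=2 bytes=320 [ASSURED] mark=0 use=1 id=2779986232
"""

# Keys that belong to the per-direction tuples (original first, then reply).
TUPLE_KEYS = {"src", "dst", "sport", "dport", "packets", "bytes", "type", "code"}

def _value(text):
    return int(text) if text.isdigit() else text

def parse_conntrack_line(line):
    """Split one conntrack -L line into protocol, timeout/state, tuples, flags, extras."""
    tokens = line.split()
    entry = {"proto": tokens[0], "protonum": int(tokens[1]), "timeout": None,
             "state": None, "flags": [], "orig": {}, "reply": {}, "extra": {}}
    direction = None  # None until the first src=, then "orig", then "reply"
    for tok in tokens[2:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry["flags"].append(tok[1:-1])  # e.g. OFFLOAD, ASSURED
        elif "=" in tok:
            key, raw = tok.split("=", 1)
            if key == "src":  # each src= opens the next direction tuple
                direction = "reply" if direction == "orig" else "orig"
            # mark, use, secctx and the trailing id= land in "extra"
            bucket = direction if direction and key in TUPLE_KEYS else "extra"
            entry[bucket][key] = _value(raw)
        elif tok.isdigit() and entry["timeout"] is None:
            entry["timeout"] = int(tok)  # seconds left before the entry expires
        else:
            entry["state"] = tok  # e.g. ESTABLISHED for tcp
    return entry

def parse_conntrack(output):
    return [parse_conntrack_line(l) for l in output.splitlines() if l.strip()]

def offloaded_flows(entries):
    """Flows marked [OFFLOAD]: their packets/bytes are fed by the flowtable counter."""
    return [e for e in entries if "OFFLOAD" in e["flags"]]

def ct_id_counter_rule(entry, family="ip", table="foo", chain="bar"):
    """Build the 'ct id ... counter' rule shown above for one entry (needs --output id)."""
    ct_id = entry["extra"].get("id")
    if ct_id is None:
        raise ValueError("no conntrack id; list entries with 'conntrack -L --output id'")
    return f"nft add rule {family} {table} {chain} ct id {ct_id} counter"
```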

Source: opennet.ru
