Release of the nftables packet filter 1.0.3

The release of the packet filter nftables 1.0.3 has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). The kernel changes required for nftables 1.0.3 to work are included in the Linux 5.18 kernel.

The nftables package contains the packet filter components that run in user space, while the kernel side is provided by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface that offers basic functions for extracting data from packets, performing operations on that data and controlling the flow.

Filtering rules and protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed inside the kernel in a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach makes it possible to greatly reduce the amount of filtering code running at the kernel level and to move all the rule-parsing functions and protocol-handling logic into user space.

Main innovations:

  • Interval sets now support matching interface names against a mask, given with the "*" wildcard. For example:

      table inet testifsets {
          set simple_wild {
              type ifname
              flags interval
              elements = { "abcdef*", "othername", "ppp0" }
          }
          chain v4icmp {
              type filter hook input priority 0; policy accept;
              iifname @simple_wild counter packets 0 bytes 0
              iifname { "abcdef*", "eth0" } counter packets 0 bytes 0
          }
      }
  • Interval set elements are now merged automatically at runtime as well. Previously, with the "auto-merge" option set, merging was performed only at the rule declaration stage, but now it also happens when new elements are added at runtime. For example, a set declared as

      set y {
          flags interval
          auto-merge
          elements = { 1.2.3.0, 1.2.3.255, 1.2.3.0/24, 3.3.3.3, 4.4.4.4, 4.4.4.4-4.4.4.8 }
      }

    will, after "nft add element ip x y { 3.3.3.4, 3.3.3.5, 1.2.4.0/24 }", look like

      elements = { 3.3.3.3-3.3.3.5, 4.4.4.4-4.4.4.8, 1.2.3.0-1.2.4.255 }

    When a single element lying inside one of the existing ranges is removed from the set, that range is shortened or split.
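    As an added illustration (not code from nftables or from this article), the following Python models the auto-merge behaviour described above: it parses the declared elements and the ones added at runtime (single addresses, CIDR prefixes and ranges) as inclusive intervals, merges overlapping and directly adjacent intervals, and reproduces the merged result shown, with the elements in ascending order rather than the order nft prints.

```python
import ipaddress


def parse_element(elem):
    """Turn one interval-set element into an inclusive (first, last) pair of integers.

    Accepts a single address ("3.3.3.3"), a prefix ("1.2.3.0/24") or a range
    ("4.4.4.4-4.4.4.8"). A descending range is rejected, as nft would reject it.
    """
    elem = elem.strip()
    if "-" in elem:
        lo, hi = elem.split("-", 1)
        first, last = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    elif "/" in elem:
        net = ipaddress.IPv4Network(elem, strict=False)
        first, last = int(net.network_address), int(net.broadcast_address)
    else:
        first = last = int(ipaddress.IPv4Address(elem))
    if first > last:
        raise ValueError(f"descending range: {elem}")
    return first, last


def automerge(elements):
    """Collapse overlapping and adjacent intervals, as an auto-merge set does."""
    merged = []
    for first, last in sorted(parse_element(e) for e in elements):
        # Adjacent means the new interval starts right after the previous one ends,
        # e.g. 3.3.3.4 directly after 3.3.3.3, or 1.2.4.0/24 right after 1.2.3.0/24.
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def fmt(intervals):
    """Render merged intervals the way nft lists them: "a" or "a-b"."""
    out = []
    for first, last in intervals:
        a, b = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        out.append(str(a) if first == last else f"{a}-{b}")
    return out


# Inputs taken from the example above: the declared set and the runtime addition.
DECLARED = ["1.2.3.0", "1.2.3.255", "1.2.3.0/24", "3.3.3.3", "4.4.4.4", "4.4.4.4-4.4.4.8"]
ADDED = ["3.3.3.4", "3.3.3.5", "1.2.4.0/24"]

if __name__ == "__main__":
    print("declared :", fmt(automerge(DECLARED)))
    print("after add:", fmt(automerge(DECLARED + ADDED)))
```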

  • Added support for merging network address translation (NAT) rules into a map when optimizing a ruleset, which is enabled with the "-o/--optimize" option. For example, for the ruleset

      # cat ruleset.nft
      table ip x {
          chain y {
              type nat hook postrouting priority srcnat; policy drop;
              ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
              ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
          }
      }

    running "nft -o -c -f ruleset.nft" turns the separate "ip saddr" rules into a map:

      snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }

    Raw expressions can likewise be folded into maps:

      # cat ruleset.nft
      table ip x {
          […]
          udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 goto nat_dns_dnstc
          udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e goto nat_dns_this_5301
          udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e goto nat_dns_saturn_5301
          […]

    after optimization we get the map:

      udp length . @th,160,128 vmap { 47-63 . 0x0e373135363130333131303735353203 : goto nat_dns_dnstc, 62-78 . 0x0e31393032383939353831343037320e : goto nat_dns_this_5301, 62-78 . 0x0e31363436323733373931323934300e : goto nat_dns_saturn_5301, 62-78 . 0x0e32393535373539353636383732310e : goto nat_dns_saturn_5302, 62-78 . 0x0e38353439353637323038363633390e : goto nat_dns_saturn_5303 }

  • Raw expressions may now be used in concatenations. For example:

      # nft add rule x y ip saddr . @ih,32,32 { 1.1.1.1 . 0x14, 2.2.2.2 . 0x1e }

    or

      table x {
          set y {
              typeof ip saddr . @ih,32,32
              elements = { 1.1.1.1 . 0x14 }
          }
      }

  • Added support for declaring the raw header fields of a concatenation with typeof in map definitions, e.g.

      table inet t {
          map m1 {
              typeof udp length . @ih,32,32 : verdict
              flags interval
              elements = { 20-80 . 0x14 : accept, 1-10 . 0x… : drop }
          }
      }

    which a chain with "policy drop" can then consult with the rule "udp length . @ih,32,32 vmap @m1".

  • Added support for resetting TCP options (works only with Linux kernel 5.18+):

      tcp flags syn reset tcp option sack-perm

  • Execution of the chain listing command ("nft list chain x y") has been sped up.

Source: opennet.ru