ProHoster > Блог > wararka internetka > nftables baakada shaandhada 1.0.5 sii deynta

nftables baakada shaandhada 1.0.5 sii deynta

Siideynta shaandhada xirmada nftables 1.0.5 waa la sii daayay. Waxay midaynaysaa is-dhexgalka baakadaha shaandhaynta ee IPv4, IPv6, ARP, iyo buundooyinka shabakada (loogu talagalay in lagu beddelo iptables, ip6table, arptables, iyo ebtables). Maktabadda libnftnl 1.2.3 ee la socota, oo bixisa API heer hoose ah ee la falgalka nidaamka hoose ee nf_tables, ayaa la sii daayay isku mar.

Xirmada nftables waxay ka kooban tahay qaybaha shaandhada baakadka ee ka shaqeeya booska isticmaalaha, halka shaqada heerka kernel-ka ay bixiso nidaamka hoose ee nf_tables, kaas oo qayb ka ah kernel-ka. Linux Tan iyo markii la sii daayay 3.13, kaliya is-dhexgal guud oo madax-bannaan oo ku salaysan hab-maamuuska ayaa la bixiyaa heerka kernel-ka, kaas oo bixiya shaqo aasaasi ah oo loogu talagalay soo saarista xogta baakadaha, fulinta hawlgallada xogta, iyo xakamaynta socodka.

Shaandheyntu lafteeda ayaa nidaamisa, hawlwadeennada gaarka u ah hab-maamuuskana waxaa loo soo ururiyaa bytecode booska isticmaalaha, ka dibna bytecode-kan waxaa lagu shubaa kernel-ka iyadoo la adeegsanayo interface-ka Netlink waxaana lagu sameeyaa kernel-ka gaar ahaan mashiinka dalwaddii, oo xasuusinaya BPF (Berkeley Packet Filters). Habkani wuxuu u oggolaanayaa hoos u dhac weyn oo ku yimaada cabbirka koodka shaandhaynta ee ka shaqeynaya heerka kernel-ka wuxuuna u dhaqaajiyaa dhammaan falanqaynta xeerarka iyo macquulka hab-maamuuska booska isticmaalaha.

Isbeddellada ugu waaweyn:

  • Shuruucda hagaajinta ee loogu yeero marka la tilmaamayo "-o/--optimize" ikhtiyaarka, dhibaatooyinka isku-darka sharciyada, khariidadda- iyo liisaska-dajinta ayaa la xalliyay. # bisad ruleset.nft miiska ip x {silsilad y {nooca nat hook postrouting mudnaanta srcnat; hoos u dhaca siyaasadda; ip saddr 1.1.1.1 tcp dport 8000 snat ilaa 4.4.4.4:80 ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90 1.1.1.1 tcp dport 8000 snat to 4.4.4.4.4:80 ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5.5:90 in: snat to ip saddr . tcp dport map {1.1.1.1. 8000: 4.4.4.4. 80, 2.2.2.2. 8001: 5.5.5.5. 90 }
  • Marka la isku daro ethernet iyo vlan canares, liis go'an oo firfircoon ayaa la qeexaa, oo ku saleysan xuduudaha baakidhka. ku dar miiska netdev x ku dar silsilad netdev xy {nooca filter jillaab ingress qalab enp0s25 mudnaanta 0; } ku dar set netdev x macset {typeof ether daddr. vlan id; calamada firfircoon, waqti go'an; } ku dar qaanuunka netdev xy update @macset {ether daddr. vlan id timeout 60s} ku dar qaanuunka netdev xy ether saddr. vlan id {0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter aqbal
  • Soo bandhigida qawaaniinta leh liisaska khariidadaha oo ay ku jiraan waji-xidho magacyo is-dhexgal ah waa la hagaajiyay. filter filter miiska {silsilad INPUT {iifname vmap {"eth0": jump input_lan, "wg*": jump input_vpn}} silsilad input_lan {} silsilad input_vpn {}}
  • Isbeddellada dib-u-celinta go'an ee sababay falanqaynta qaamuuska khaldan ee xeerarka saxda ah.
  • Arrimo la xaliyay oo si tartiib tartiib ah iyo si toos ah isugu darka liisaska waaweyn ee leh curiyeyaasha qeexaya kala duwanaanta qiimaha.
  • Go'an shil markii lagu daro canaasirta liiska go'an ee aan ansax ahayn.

Source: opennet.ru

U soo iibso martigelin lagu kalsoonaan karo oo loogu talagalay bogagga leh ilaalinta DDoS, VPS VDS servers 🔥 Iibso martigelin degel oo lagu kalsoonaan karo oo leh ilaalinta DDoS, VPS VDS servers | ProHoster