Kamora selemo sa ntshetsopele ho lokolloa ha sefahla sa pakete , e nts'etsopele e le sebaka sa li-iptables, ip6table, arptables le ebtables ka ho kopanya li-interfaces tsa ho sefa lipakete bakeng sa IPv4, IPv6, ARP le marokho a marang-rang. Sephutheloana sa nftables se kenyelletsa likarolo tsa sefahla sa pakete tse sebetsang sebakeng sa mosebelisi, ha mosebetsi oa boemo ba kernel o fanoa ke nf_tables subsystem, eo esale e le karolo ea Linux kernel ho tloha ha e lokolloa 3.13.
Boemo ba kernel bo fana feela ka sebopeho se ikemetseng se ikemetseng se fanang ka mesebetsi ea mantlha bakeng sa ho ntša data ho lipakete, ho etsa ts'ebetso ea data, le taolo ea phallo.
Mokhoa oa ho sefa ka boeona le li-protocol-specific handlers li hlophisitsoe ka bytecode sebakeng sa mosebedisi, ka mor'a moo bytecode ena e kenngoa ka har'a kernel e sebelisa sebopeho sa Netlink ebe e etsoa ka mochine o khethehileng o hopotsang BPF (Berkeley Packet Filters). Mokhoa ona o u lumella ho fokotsa haholo boholo ba khoutu ea ho sefa e mathang boemong ba kernel le ho tsamaisa mesebetsi eohle ea melao le logic ea ho sebetsa le li-protocol sebakeng sa mosebedisi.
Litlhahiso tse ka sehloohong:
- Tšehetso ea IPsec, e lumellang ho bapisa liaterese tsa kotopo tse ipapisitseng le pakete, ID ea kopo ea IPsec, le tag ea SPI (Security Parameter Index). Ka mohlala,
... ipsec ho ip saddr 192.168.1.0/24
... ipsec ho spi 1-65536Hape hoa khoneha ho hlahloba hore na tsela e feta ka har'a kotopo ea IPsec. Mohlala, ho thibela sephethephethe eseng ka IPSec:
… sefa tlhahiso rt ipsec e sieo lerotholi
- Tšehetso bakeng sa IGMP (Internet Group Management Protocol). Mohlala, o ka sebelisa molao ho lahla likopo tse kenang tsa litho tsa sehlopha sa IGMP
nft eketsa molao netdev foo bar igmp mofuta oa setho-potso ea counter drop
- Monyetla oa ho sebelisa mefuta-futa ho hlalosa liketane tsa phetoho (jump / goto). Ka mohlala:
hlalosa define = ber
eketsa molao oa ip foo bar jump $dest - Ts'ehetso ea limaske ho tsebahatsa lits'ebetso tsa ts'ebetso (OS Fingerprint) e ipapisitseng le boleng ba TTL sehloohong. Mohlala, ho tšoaea lipakete ho latela OS ea moromeli, u ka sebelisa taelo ena:
... meta mark set osf ttl tlola 'mapa oa mabitso {"Linux": 0x1,
"Windows": 0x2,
"MacOS": 0x3,
"tse sa tsejoeng" : 0x0 }
... osf ttl skip version "Linux:4.20" - Bokhoni ba ho ts'oana le aterese ea ARP ea moromeli le aterese ea IPv4 ea sistimi e shebiloeng. Mohlala, ho eketsa k'hamphani ea lipakete tsa ARP tse rometsoeng ho tsoa atereseng ea 192.168.2.1, u ka sebelisa molao o latelang:
tafole arp x {
ketane y {
mofuta filthara hook input priority filter; leano amohela;
arp saddr ip 192.168.2.1 counter packets 1 bytes 46
}
} - Ts'ehetso ea ho fetisa likopo pepeneneng ka proxy (tproxy). Mohlala, ho tsamaisa mehala ho port 80 ho proxy port 8080:
tafole ip x {
ketane y {
mofuta filthara hook prerouting pele -150; leano amohela;
tcp dport 80 tproxy ho ea ho:8080
}
} - Ts'ehetso ea ho tšoaea li-sockets ka bokhoni ba ho tsoela pele ho fumana letšoao le behiloeng ka setsockopt() ka mokhoa oa SO_MARK. Ka mohlala:
inet ea tafole x {
ketane y {
mofuta filthara hook prerouting pele -150; leano amohela;
tcp dport 8080 letšoao la set sokete letšoao
}
} - Tšehetso ea ho totobatsa mabitso a mongolo oa bohlokoa bakeng sa liketane. Ka mohlala:
nft eketsa ketane ip x e tala {hook ea mofuta oa filter prerouting ea pele e tala; }
nft eketsa ketane ip x filthara {mofuta oa filthara hook prerouting prerouting filter; }
nft eketsa ketane ip x filter_later {mofuta oa hook hook prerouting priority filter + 10; } - Ts'ehetso bakeng sa li-tag tsa SELinux (Secmark). Mohlala, ho hlalosa tag ea "sshtag" maemong a SELinux, o ka matha:
nft eketsa secmark inet filter sshtag "system_u:object_r:ssh_server_packet_t:s0"
Ebe u sebelisa label ena melaong:
nft eketsa molao oa inet filter input tcp dport 22 meta secmark set "sshtag"
nft eketsa secmapping ea 'mapa oa inet {mofuta oa inet_service: secmark; }
nft eketsa secmapping ea "inet filter" ea element {22: "sshtag"}
nft eketsa molao oa inet filter input meta secmark set tcp dport map @secmapping - Bokhoni ba ho hlakisa likou tse abetsoeng liprothokholo ka mokhoa oa mongolo, joalo ka ha li hlalositsoe ho file ea /etc/services. Ka mohlala:
nft eketsa molao xy tcp dport "ssh"
nft lethathamo la melaoana -l
tafole x {
ketane y {
...
tcp dport "ssh"
}
} - Bokhoni ba ho hlahloba mofuta oa sebopeho sa marang-rang. Ka mohlala:
eketsa molao inet raw prerouting meta iifkind "vrf" amohela
- Tšehetso e ntlafetseng bakeng sa ho ntlafatsa litaba tsa lihlopha ka ho hlakisa "folakha" ea "dynamic". Mohlala, ho ntlafatsa seta "s" ho eketsa aterese ea mohloli le ho seta bocha haeba ho se na lipakete tsa metsotsoana e 30:
eketsa tafole x
eketsa set xs {thaepa ipv4_addr; boholo ba 128; ho qeta lilemo tse 30; lifolakha tse matla; }
eketsa ketane xy { mofuta oa hook ea ho kenya pele 0; }
eketsa molao oa xy update @s {ip saddr } - Bokhoni ba ho beha boemo bo arohaneng ba nako. Mohlala, ho hlakola nako ea ho qetela ea nako bakeng sa lipakete tse fihlang boema-kepeng ba 8888, o ka hlakisa:
tafole ip filter {
ct timeout aggressive-tcp {
protocol tcp;
l3proto ip;
pholisi = {established: 100, close_wait: 4, koala: 4}
}
tlhahiso ea ketane {
...
tcp dport 8888 ct timeout set "aggressive-tcp"
}
} - Tšehetso ea NAT bakeng sa lelapa la inet:
tafole net nat {
...
ip6 daddr dead::2::1 dnat to dead:2::99
} - Tlaleho e ntlafalitsoeng ea phoso ea ho thaepa:
nft eketsa tlhahlobo ea sefahla sa ketane
Phoso: Ha ho faele kapa buka e joalo; na u ne u bolela "sefe" tafoleng ho ip ea lelapa?
eketsa chain filter teko
^^^^^^^ - Bokhoni ba ho hlakisa mabitso a li-interface ka lihlopha:
beha sc {
thaepa inet_service . ifname
likarolo = {"ssh" . "eth0"}
} - Syntax e ntlafalitsoeng ea melao e tsamaisanang:
nft eketsa tafole x
nft eketsa flowtable x ft {hook ingress bohlokoa 0; lisebelisoa = { eth0, wlan0 }; }
...
nft eketsa molao x protocol ea pele ea ip {tcp, udp} phallo eketsa @ft - Ts'ehetso e ntlafalitsoeng ea JSON.
Source: opennet.ru