A release of the nftables 1.0.5 packet filter has been published, unifying the packet filtering interfaces for IPv4, IPv6, ARP and network bridges (it is intended to replace iptables, ip6tables, arptables and ebtables). At the same time, the accompanying library libnftnl 1.2.3 was released, providing a low-level API for interacting with the nf_tables subsystem.
The nftables package contains the packet filter components that run in user space, while the kernel-side work is done by the nf_tables subsystem, which has been part of the Linux kernel since release 3.13. The kernel level provides only a generic, protocol-independent interface offering basic functions for extracting data from packets, performing operations on that data, and flow control.
The filtering rules themselves and the protocol-specific handlers are compiled into bytecode in user space; this bytecode is then loaded into the kernel through the Netlink interface and executed there by a special virtual machine reminiscent of BPF (Berkeley Packet Filters). This approach greatly reduces the amount of filtering code running at the kernel level and moves all rule parsing and protocol logic into user space.
Major changes:
- In the rule optimizer, invoked with the "-o/--optimize" option, problems with merging rules, maps and sets have been resolved:

    # cat ruleset.nft
    table ip x {
            chain y {
                    type nat hook postrouting priority srcnat; policy drop;
                    ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
                    ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
            }
    }
    # nft -o -c -f ruleset.nft
    Merging:
    ruleset.nft:4:3-52: ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80
    ruleset.nft:5:3-52: ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90
    into:
            snat to ip saddr . tcp dport map { 1.1.1.1 . 8000 : 4.4.4.4 . 80, 2.2.2.2 . 8001 : 5.5.5.5 . 90 }
- Ethernet and VLAN header fields can now be combined in a dynamic set that is populated from the parameters of packets as they pass:

    add table netdev x
    add chain netdev x y { type filter hook ingress device enp0s25 priority 0; }
    add set netdev x macset { typeof ether daddr . vlan id; flags dynamic,timeout; }
    add rule netdev x y update @macset { ether daddr . vlan id timeout 60s }
    add rule netdev x y ether saddr . vlan id { 0a:0b:0c:0d:0e:0f . 42, 0a:0b:0c:0d:0e:0f . 4095 } counter accept
- Fixed the display of rules containing map sets with masks in interface names:

    table inet filter {
            chain INPUT {
                    iifname vmap { "eth0" : jump input_lan, "wg*" : jump input_vpn }
            }
            chain input_lan {
            }
            chain input_vpn {
            }
    }
- Fixed cases where variable substitution led to incorrect lexical parsing of valid rules.
- Fixed slow performance when merging large automatically generated sets whose elements describe value types.
- Fixed a crash when adding elements to an invalid set.
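To make the optimizer step in the first item concrete, here is a small Python model of the merge it performs. This is an added example written for this page, not code from nftables: it accepts a deliberately small rule grammar (zero or more "header field value" matches followed by a verdict or an IPv4 "snat to"/"dnat to" target), merges consecutive rules that share the same selectors and NAT statement into one map rule keyed on the concatenation of the selectors, and leaves everything else (single rules, verdict rules, rules with duplicate keys) untouched. The sample ruleset is constructed from the two rules in the release example plus a third rule that must not be merged.

```python
"""Toy model of the merge step performed by 'nft -o/--optimize'.

Added example, not nftables code. Supported rule grammar: zero or more
'<header> <field> <value>' matches, then either a verdict (accept/drop)
or 'snat to'/'dnat to' with a single IPv4 'addr[:port]' target.
"""

VERDICTS = {"accept", "drop"}
NAT_STMTS = {"snat", "dnat"}

# Constructed sample ruleset: the two rules from the release example plus a
# rule with different selectors and a plain verdict, which must stay as is.
SAMPLE_RULES = [
    "ip saddr 1.1.1.1 tcp dport 8000 snat to 4.4.4.4:80",
    "ip saddr 2.2.2.2 tcp dport 8001 snat to 5.5.5.5:90",
    "ip saddr 3.3.3.3 udp dport 53 accept",
]


def parse_rule(rule):
    """Split a rule into (selectors, values, statement, target).

    selectors: ('ip saddr', 'tcp dport')  -> becomes the map key expression
    values:    ('1.1.1.1', '8000')        -> becomes one map key
    statement: 'snat' | 'dnat' | 'accept' | 'drop'
    target:    '4.4.4.4:80' for NAT statements, None for verdicts
    """
    tokens = rule.split()
    selectors, values = [], []
    i = 0
    while i < len(tokens) and tokens[i] not in VERDICTS | NAT_STMTS:
        if i + 2 >= len(tokens):
            raise ValueError(f"truncated match expression in {rule!r}")
        selectors.append(f"{tokens[i]} {tokens[i + 1]}")
        values.append(tokens[i + 2])
        i += 3
    if i >= len(tokens):
        raise ValueError(f"no statement in {rule!r}")
    stmt = tokens[i]
    if stmt in NAT_STMTS:
        if i + 2 >= len(tokens) or tokens[i + 1] != "to":
            raise ValueError(f"malformed NAT statement in {rule!r}")
        target, rest = tokens[i + 2], tokens[i + 3:]
    else:
        target, rest = None, tokens[i + 1:]
    if rest:
        raise ValueError(f"unsupported trailing statements in {rule!r}")
    return tuple(selectors), tuple(values), stmt, target


def nat_target_to_concat(target):
    """'4.4.4.4:80' -> '4.4.4.4 . 80', the concatenation form a map value takes."""
    addr, _, port = target.partition(":")
    return f"{addr} . {port}" if port else addr


def merge_run(selectors, stmt, run):
    """Emit one map rule for a run of rules, or the originals when merging is unsafe."""
    keys = [values for _, values, _ in run]
    if (len(run) < 2 or stmt not in NAT_STMTS or not selectors
            or len(set(keys)) != len(keys)):
        # single rule, plain verdict, match-less rule or duplicate keys: leave as written
        return [rule for rule, _, _ in run]
    elements = ", ".join(
        f"{' . '.join(values)} : {nat_target_to_concat(target)}"
        for _, values, target in run
    )
    return [f"{stmt} to {' . '.join(selectors)} map {{ {elements} }}"]


def optimize(rules):
    """Merge consecutive rules sharing selectors and NAT statement into one map rule.

    Only adjacent rules are merged, so rule order, and with it the meaning of
    first-match evaluation, is preserved.
    """
    out, run, run_key = [], [], None
    for rule in rules:
        selectors, values, stmt, target = parse_rule(rule)
        key = (selectors, stmt)
        if key != run_key and run:
            out.extend(merge_run(*run_key, run))
            run = []
        run_key = key
        run.append((rule, values, target))
    if run:
        out.extend(merge_run(*run_key, run))
    return out


if __name__ == "__main__":
    for line in optimize(SAMPLE_RULES):
        print(line)
```

Running the block prints the same merged map rule that nft reports under "into:" in the release example, followed by the untouched verdict rule; the point of the model is that a map lookup replaces a linear chain of rules only when the rules are adjacent, share every selector and have distinct keys.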
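The dynamic-set item is easier to reason about with a model of what the set does over time. The following Python class is an added example, not part of nftables or libnftnl: it models a set with "flags dynamic,timeout" keyed on "ether daddr . vlan id", where each matching packet inserts or refreshes an element for the configured timeout, lookups fail once the timer has lapsed, and keys nft would reject (malformed MAC addresses, VLAN ids outside 0..4095) are refused. The frames and timestamps are constructed.

```python
"""Toy model of an nftables dynamic set with per-element timeouts.

Added example, not nftables code. It mimics the effect of
    set macset { typeof ether daddr . vlan id; flags dynamic,timeout; }
    update @macset { ether daddr . vlan id timeout 60s }
on the set as frames pass, so expiry behaviour can be inspected offline.
"""
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_key(mac, vlan):
    """Canonicalise an 'ether . vlan id' concatenation; reject values nft would reject."""
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    vlan = int(vlan)
    if not 0 <= vlan <= 4095:          # vlan id is a 12-bit field
        raise ValueError(f"vlan id out of range: {vlan}")
    return mac, vlan


def is_valid_key(mac, vlan):
    """True when the pair would be accepted as a set element."""
    try:
        normalize_key(mac, vlan)
        return True
    except ValueError:
        return False


class DynamicSet:
    """Maps element -> absolute expiry time ('flags dynamic,timeout' semantics)."""

    def __init__(self, default_timeout=60.0):
        self.default_timeout = default_timeout
        self._expiry = {}

    def update(self, mac, vlan, now, timeout=None):
        """'update @set { key timeout T }': insert, or refresh the timer of an existing element."""
        key = normalize_key(mac, vlan)
        self._expiry[key] = now + (self.default_timeout if timeout is None else timeout)

    def lookup(self, mac, vlan, now):
        """Membership test as a rule such as 'ether saddr . vlan id @macset' would perform it."""
        key = normalize_key(mac, vlan)
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if expiry <= now:
            del self._expiry[key]      # expired elements are garbage-collected lazily
            return False
        return True

    def elements(self, now):
        """Elements still live at time 'now', sorted for stable output."""
        return sorted(k for k, e in self._expiry.items() if e > now)


# Constructed frames: (timestamp in seconds, ether daddr, vlan id)
SAMPLE_FRAMES = [
    (0.0, "0a:0b:0c:0d:0e:0f", 42),
    (10.0, "0a:0b:0c:0d:0e:0f", 4095),
    (50.0, "0a:0b:0c:0d:0e:0f", 42),     # refreshes the vlan 42 element to expire at 110s
]


def learn(frames, timeout=60.0):
    """Apply the 'update @macset' rule to every frame and return the resulting set."""
    macset = DynamicSet(timeout)
    for ts, daddr, vlan in frames:
        macset.update(daddr, vlan, now=ts)
    return macset


if __name__ == "__main__":
    s = learn(SAMPLE_FRAMES)
    for t in (55.0, 75.0, 120.0):
        print(f"t={t:5.1f}s live elements: {s.elements(t)}")
```

With the constructed frames, both elements are live at 55 s, the vlan 4095 element has expired by 75 s while the refreshed vlan 42 element survives until 110 s, and the set is empty at 120 s. The same refresh-on-update behaviour is what the "update @macset { ... timeout 60s }" rule gives a real ruleset: an element stays only as long as traffic keeps touching it.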
Source: opennet.ru
