Emva konyaka wophuhliso ukukhutshwa kwesihluzi sepakethi , ukuphuhlisa njengokutshintshwa kwee-iptables, i-ip6table, i-arptables kunye ne-ebtables ngokudibanisa i-interfaces yokucoca ipakethe ye-IPv4, IPv6, ARP kunye neebhulorho zenethiwekhi. Ipakethe ye-nftables ibandakanya iinxalenye zepakethe zokucoca ezisebenza kwindawo yomsebenzisi, ngelixa i-kernel-level umsebenzi inikezelwa yi-nf_tables subsystem, ebiyinxalenye ye-Linux kernel ukususela ekukhululweni kwe-3.13.
Inqanaba le-kernel libonelela kuphela i-generic protocol-independent interface ebonelela ngemisebenzi esisiseko yokukhupha idatha kwiipakethi, ukwenza imisebenzi yedatha, kunye nokulawula ukuhamba.
Ingqiqo yokucoca ngokwayo kunye ne-protocol-specific handlers ihlanganiswe kwi-bytecode kwindawo yomsebenzisi, emva koko le bytecode ilayishwa kwi-kernel isebenzisa ujongano lwe-Netlink kwaye iqhutywe kumatshini okhethekileyo okhumbuza i-BPF (i-Berkeley Packet Filters). Le ndlela ikuvumela ukuba unciphise kakhulu ubungakanani bekhowudi yokucoca esebenza kwinqanaba le-kernel kwaye uhambise yonke imisebenzi yokwahlulahlula imithetho kunye nengqiqo yokusebenza kunye neeprothokholi kwindawo yomsebenzisi.
Iinguqulelo eziphambili:
- Inkxaso ye-IPsec, evumela ukuhambelana kweedilesi zetonela ngokusekelwe kwipakethi, i-ID yesicelo se-IPsec, kunye ne-SPI (i-Security Parameter Index) ithegi. Umzekelo,
... ipsec kwi-ip saddr 192.168.1.0/24
... ipsec kwi spi 1-65536Kuyenzeka kwakhona ukujonga ukuba indlela iyadlula kwitonela ye-IPsec. Umzekelo, ukuvala itrafikhi hayi nge-IPSec:
β¦ imveliso yokucoca rt ipsec engekhoyo ulahlo
- Inkxaso ye-IGMP (iProtocol yoLawulo lweQela le-Intanethi). Umzekelo, ungasebenzisa umthetho ukulahla izicelo zobulungu beqela le-IGMP ezingenayo
nft yongeza umthetho netdev foo bar igmp uhlobo lobulungu-umbuzo counter drop
- Ukubanakho kokusebenzisa izinto eziguquguqukayo ukuchaza amatyathanga otshintsho (tsiba / goto). Umzekelo:
define define = ber
yongeza umthetho ip foo bar jump $dest - Inkxaso yeemaski ukuchonga iinkqubo zokusebenza (i-OS Fingerprint) esekwe kumaxabiso e-TTL kwisihloko. Umzekelo, ukuphawula iipakethi ezisekelwe kumthumeli we-OS, ungasebenzisa lo myalelo:
... meta yamanqaku iseti osf ttl tsiba imephu yegama {"Linux": 0x1,
"IiWindows": 0x2,
"MacOS": 0x3,
"akwaziwa" : 0x0 }
... osf ttl tsiba inguqulelo "Linux:4.20" - Ukukwazi ukufanisa idilesi ye-ARP yomthumeli kunye nedilesi ye-IPv4 yenkqubo ekujoliswe kuyo. Umzekelo, ukwandisa ikhawuntala yeepakethi ze-ARP ezithunyelwe kwidilesi 192.168.2.1, ungasebenzisa lo mgaqo ulandelayo:
itafile arp x {
ikhonkco y {
isihluzi sodidi lwehuku yegalelo eliphambili lokucoca; umgaqo-nkqubo wamkele;
arp saddr ip 192.168.2.1 counter ipakethi 1 bytes 46
}
} - Inkxaso yokuthunyelwa ekuhleni kwezicelo nge-proxy (tproxy). Umzekelo, ukuqondisa kwakhona iifowuni kwizibuko 80 kwizibuko lommeleli 8080:
itafile ip x {
ikhonkco y {
isihluzo sehuku yokulungiselela kwangaphambili -150; umgaqo-nkqubo wamkele;
tcp dport 80 tproxy ukuya: 8080
}
} - Inkxaso yokumakisha iisokethi kunye nokukwazi ukufumana ngakumbi uphawu olubekiweyo nge-setsockopt () kwimo ye-SO_MARK. Umzekelo:
inet yetafile x {
ikhonkco y {
isihluzo sehuku yokulungiselela kwangaphambili -150; umgaqo-nkqubo wamkele;
tcp dport 8080 uphawu iseti socket uphawu
}
} - Inkxaso yokuchaza amagama abhaliweyo aphambili kumatyathanga. Umzekelo:
nft yongeza ikhonkco ip x ekrwada {uhlobo lwehuku yesihluzo ukulungiselela ukubekwa phambili ekrwada; }
nft yongeza ityathanga ip x icebo lokucoca {udidi lwe hook ye hook yokukhokela isihluzo esiphambili; }
nft yongeza ityathanga ip x filter_kamva {uhlobo lwe hook yecebo lokucoca ulwelo oluphambili + 10; } - Inkxaso yeethegi ze-SELinux (Secmark). Umzekelo, ukuchaza "sshtag" ithegi kumxholo we-SELinux, ungabaleka:
nft yongeza isihluzo se-inet sesshtag "inkqubo_u:into_r:ssh_server_packet_t:s0"
Kwaye ke sebenzisa le lebhile kwimigaqo:
nft yongeza umthetho igalelo lokucoca i-inet tcp dport 22 meta secmark iseti "sshtag"
nft yongeza imephu ye-inet filtering secmapping {udidi inet_service: secmark; }
nft yongeza isihluzo se-inet secmapping {22: "sshtag"}
nft yongeza umthetho isihluzi sokufaka igalelo lemeta secmark iseti imephu yedport ye-tcp @secmapping - Ukukwazi ukucacisa izibuko ezinikezelwe kwiiprothokholi kwifom yokubhaliweyo, njengoko zichazwe kwifayile /etc/services. Umzekelo:
nft yongeza umthetho xy tcp dport "ssh"
nft uluhlu lwemithetho yolawulo -l
itafile x {
ikhonkco y {
...
tcp dport "ssh"
}
} - Ukukwazi ukujonga uhlobo lojongano lwenethiwekhi. Umzekelo:
yongeza umthetho inet ekrwada prerouting meta ifkind "vrf" yamkela
- Inkxaso ephuculweyo yokuhlaziya imixholo yeeseti ngokucacisa ngokucacileyo iflegi "eguqukayo". Umzekelo, ukuhlaziya iseti "s" ukongeza idilesi yemvelaphi kwaye usete kwakhona ingeniso ukuba akukho zipakethi zemizuzwana engama-30:
yongeza itheyibhile x
yongeza isethi xs {chwetheza ipv4_addr; ubukhulu 128; ixesha liphelile 30s; iiflegi eziguquguqukayo; }
yongeza ikhonkco xy {uhlobo lokucoca ihuku ephambili 0; }
yongeza umthetho xy uhlaziyo @s {ip saddr} - Ukukwazi ukuseta imeko yokuphela kwexesha eyahlukileyo. Umzekelo, ukukhuphela ngaphezulu ixesha elimiselweyo lokuphuma kweepakethi ezifika kwizibuko 8888, ungakhankanya:
itafile ip filter {
ct ixesha lokuphuma linamandla-tcp {
iprotocol tcp;
l3proto ip;
umgaqo-nkqubo = {esekiwe: 100, close_wait: 4, vala: 4}
}
imveliso yetsheyini {
...
I-tcp dport 8888 ct ixesha lokuvala iseti "i-aggressive-tcp"
}
} - Inkxaso ye-NAT yosapho lwe-inet:
itafile inet nat {
...
ip6 daddr ufile::2::1 dnat ukuya kwabafileyo:2::99
} - Ingxelo yempazamo yokuchwetheza ephuculweyo:
nft yongeza uvavanyo lokucoca ikhonkco
Imposiso: Akukho fayile okanye ulawulo olunjalo; Ubuthetha ukuba itheyibhile βisihluziβ kwi-ip yosapho?
yongeza uvavanyo lokucoca ikhonkco
^^^^^^ - Ukukwazi ukucacisa amagama ojongano kwiiseti:
seta sc {
chwetheza inet_service . ifname
izinto = {"ssh" . "eth0"}
} - Imithetho enokuqukunjelwa ehlaziyiweyo yesivakalisi:
nft yongeza itheyibhile x
nft yongeza flowtable x ft { hook ingress ephambili 0; izixhobo = { eth0, wlan0 }; }
...
nft yongeza umthetho x iprotocol yangaphambili ye-ip { tcp, udp } flow yongeza @ft - Uphuculo lwenkxaso ye-JSON.
umthombo: opennet.ru