Ngemva konyaka wentuthuko ukukhishwa kwesihlungi sephakethe , ukuthuthukiswa njengokumiselela ama-iptables, ip6table, arptables kanye nama-ebtable ngokuhlanganisa izixhumanisi zokuhlunga iphakethe ze-IPv4, IPv6, ARP kanye namabhuloho enethiwekhi. Iphakheji ye-nftables ihlanganisa izingxenye zokuhlunga zephakethe ezisebenza endaweni yomsebenzisi, kuyilapho umsebenzi wezinga le-kernel unikezwa i-nf_tables subsystem, ebiyingxenye ye-Linux kernel kusukela ekukhululweni okungu-3.13.
Izinga le-kernel linikeza kuphela isixhumi esibonakalayo esizimele esijwayelekile esihlinzeka ngemisebenzi eyisisekelo yokukhipha idatha emaphaketheni, ukwenza imisebenzi yedatha, nokulawula ukugeleza.
I-logic yokuhlunga ngokwayo kanye nezibambi eziqondene nephrothokholi kuhlanganiswa ku-bytecode esikhaleni somsebenzisi, ngemva kwalokho le-bytecode ilayishwa ku-kernel kusetshenziswa isixhumi esibonakalayo se-Netlink futhi sisetshenziswe emshinini obonakalayo okhethekile okhumbuza i-BPF (Izihlungi Zephakethe Le-Berkeley). Le ndlela ikuvumela ukuthi unciphise ngokuphawulekayo usayizi wekhodi yokuhlunga egijima ezingeni le-kernel futhi uhambise yonke imisebenzi yemithetho yokuhlukanisa kanye nengqondo yokusebenza namaphrothokholi endaweni yomsebenzisi.
Okuqanjiwe okuyinhloko:
- Ukusekelwa kwe-IPsec, okuvumela ukufanisa amakheli omhubhe ngokususelwe kuphakethe, i-ID yesicelo se-IPsec, kanye nomaka we-SPI (Security Parameter Index). Ngokwesibonelo,
... ipsec ku-ip saddr 192.168.1.0/24
... ipsec ku-spi 1-65536Kungenzeka futhi ukuhlola ukuthi umzila uyadlula yini emhubheni we-IPsec. Isibonelo, ukuvimba ithrafikhi hhayi nge-IPSec:
β¦ okukhiphayo kwesihlungi rt ipsec ukwehla okushodayo
- Ukusekelwa kwe-IGMP (Iphrothokholi Yokuphathwa Kweqembu Le-inthanethi). Isibonelo, ungasebenzisa umthetho ukuze ulahle izicelo zobulungu beqembu le-IGMP ezingenayo
nft engeza umthetho netdev foo bar igmp uhlobo ubulungu-umbuzo counter drop
- Amathuba okusebenzisa okuguquguqukayo ukuchaza amaketanga oguquko (gxuma/goto). Ngokwesibonelo:
define define = ber
engeza umthetho we-ip foo bar jump $dest - Usekelo lwamamaski ukuhlonza amasistimu wokusebenza (i-OS Fingerprint) ngokusekelwe kumanani e-TTL enhlokweni. Isibonelo, ukumaka amaphakethe ngokusekelwe ku-OS yomthumeli, ungasebenzisa umyalo:
... meta mark set osf ttl yeqa igama lemephu {"Linux" : 0x1,
"IWindows": 0x2,
"MacOS": 0x3,
"akwaziwa" : 0x0 }
... osf ttl yeqa inguqulo "Linux:4.20" - Ikhono lokufanisa ikheli le-ARP lomthumeli kanye nekheli le-IPv4 lesistimu eqondiwe. Isibonelo, ukukhulisa ikhawunta yamaphakethe e-ARP athunyelwe esuka ekhelini elithi 192.168.2.1, ungasebenzisa umthetho olandelayo:
ithebula i-arp x {
iketango y {
thayipha isihlungi se-hook yokufaka kuqala isihlungi; yamukela inqubomgomo;
arp saddr ip 192.168.2.1 counter amaphakethe 1 bytes 46
}
} - Ukusekelwa kokudluliselwa okusobala kwezicelo ngommeleli (tproxy). Isibonelo, ukuqondisa kabusha amakholi ku-port 80 kuya ku-proxy port 8080:
ithebula ip x {
iketango y {
uhlobo lokuhlunga hook prerouting kuqala -150; yamukela inqubomgomo;
I-tcp dport 80 tproxy kuya ku-:8080
}
} - Usekelo lokumaka amasokhethi anamandla okuqhubeka nokuthola umaki osethiwe nge-setsockopt() kumodi ye-SO_MARK. Ngokwesibonelo:
inet yetafula x {
iketango y {
uhlobo lokuhlunga hook prerouting kuqala -150; yamukela inqubomgomo;
I-tcp dport 8080 imaka isethi yesokhethi umaki
}
} - Ukusekelwa kokucacisa amagama ombhalo abalulekile wamaketango. Ngokwesibonelo:
nft engeza iketanga ip x eluhlaza {uhlobo lwesihlungi sehuku prerouting kuqala eluhlaza; }
nft engeza iketanga ip x isihlungi {hlobo lokuhlunga ihuku lokuhambisa kuqala isihlungi esibalulekile; }
nft engeza iketanga ip x filter_kamuva {uhlobo lokuhlunga ihuku lokuhambisa kuqala isihlungi esibalulekile + 10; } - Ukusekelwa kwamathegi e-SELinux (Secmark). Isibonelo, ukuchaza ithegi ethi "sshtag" kumongo we-SELinux, ungaqalisa:
nft engeza isihlungi se-inet sesshtag "system_u:object_r:ssh_server_packet_t:s0"
Bese usebenzisa le lebula emithethweni:
nft engeza umthetho wokufaka isihlungi se-inet i-tcp dport 22 meta secmark setha "sshtag"
nft engeza imephu yesihlungi se-inet secmapping {hlobo inet_service : secmark; }
nft engeza isihlungi se-inet secmapping {22: "sshtag"}
nft engeza umthetho wokufakwa kwesihlungi se-meta secmark setha imephu ye-tcp dport @secmapping - Ikhono lokucacisa izimbobo ezinikezwe izivumelwano ngefomu lombhalo, njengoba zichazwe kufayela /etc/services. Ngokwesibonelo:
nft engeza umthetho xy tcp dport "ssh"
isethi yemithetho yohlu lwe-nft -l
ithebula x {
iketango y {
...
tcp dport "ssh"
}
} - Ikhono lokuhlola uhlobo lwesixhumi esibonakalayo senethiwekhi. Ngokwesibonelo:
engeza umthetho inet raw prerouting meta ifkind "vrf" accept
- Usekelo oluthuthukisiwe lokubuyekeza okuqukethwe kwamasethi ngokucacisa ngokusobala ifulegi elithi "dynamic". Isibonelo, ukuze ubuyekeze isethi "s" ukwengeza ikheli lomthombo bese usetha kabusha okufakiwe uma engekho amaphakethe amasekhondi angu-30:
engeza ithebula x
engeza isethi xs {uhlobo ipv4_addr; usayizi 128; ukuphela kwe-30s; amafulegi ashukumisayo; }
engeza uchungechunge xy {uhlobo lwesihlungi sehuku yokufaka kuqala 0; }
engeza umthetho we-xy update @s {ip saddr } - Ikhono lokusetha umbandela wokuvala isikhathi ohlukile. Isibonelo, ukuze ukhiphe isikhathi sokuvala esimisiwe samaphakethe afika ku-port 8888, ungacacisa:
isihlungi setafula ip {
ct timeout aggressive-tcp {
iphrothokholi tcp;
l3proto ip;
policy = {established: 100, close_wait: 4, vala: 4}
}
okukhipha iketango {
...
I-tcp dport 8888 ct isikhathi sokuvala isethwe "i-aggressive-tcp"
}
} - Ukusekelwa kwe-NAT komndeni we-inet:
itafula inet nat {
...
ip6 daddr dead::2::1 dnat to dead:2::99
} - Ukubika iphutha lokuthayipha okuthuthukisiwe:
nft engeza ukuhlolwa kwesihlungi se-chain
Iphutha: Alikho ifayela elinjalo noma uhla lwemibhalo; ubuqonde ukuthi "isihlungi" sethebula ku-ip yomndeni?
engeza ukuhlolwa kwesihlungi seketango
^^^^^^ - Ikhono lokucacisa amagama esixhumi esibonakalayo ngamasethi:
setha sc {
thayipha inet_service . ifname
izici = {"ssh" . "eth0"}
} - I-syntax yemithetho egelezayo ebuyekeziwe:
nft engeza ithebula x
nft add flowtable x ft {hook ingress priority 0; amadivayisi = { eth0, wlan0 }; }
...
nft engeza umthetho x iphrothokholi ye-ip phambili {tcp, udp } geleza engeza @ft - Usekelo lwe-JSON oluthuthukisiwe.
Source: opennet.ru