Aufgabe nftables Filter Lösung
Variablen
- cat /etc/nftables.var
# --- Interfaces ---------------------------------------------------------
define wandev    = enp0s3
define dmzdev    = enp0s9
define landev    = enp0s8
define serverdev = enp0s10

# --- Firewall addresses -------------------------------------------------
# $wanip and $fw hold the same address; nftables.conf uses $wanip for SNAT
# and $fw for the DNAT/input rules.
define wanip = 192.168.10.213
define fw    = 192.168.10.213

# --- Networks -----------------------------------------------------------
# No interface is defined for $mgmt; presumably it is reached via one of
# the interfaces above -- verify against the host's routing table.
define lan    = 172.17.213.0/24
define server = 172.16.213.0/24
define mgmt   = 172.18.213.0/24
define dmz    = 10.88.213.0/24

# --- Hosts --------------------------------------------------------------
# $host (admin host on the WAN side) also appears in $partner_net below.
define host   = 192.168.10.200
define client = 172.17.213.49
define ns     = 10.88.213.21
define mail   = 10.88.213.34
define www    = 10.88.213.41

# --- Ports --------------------------------------------------------------
# $ssh_port is the externally visible port that prerouting maps to :22
# (or :4711 on the firewall itself).
define ssh_port        = 6666
define local_tcp_ports = { 4711 }
define mail_tcp_ports  = { 25, 80, 443, 465, 993 }
define www_tcp_ports   = { 80, 443 }
define ns_udp_ports    = { 53 }

# --- Sets (members must be defined above this point) --------------------
define localnets   = { $lan, $server, $dmz, $mgmt }
# NOTE(review): $localdevs is not referenced by nftables.conf and includes
# the WAN interface while omitting $serverdev; if it is meant to name the
# trusted-side interfaces, drop $wandev and add $serverdev before using it.
define localdevs   = { $wandev, $dmzdev, $landev }
define partner_net = { 10.88.212.0/24, 192.168.10.212, 192.168.10.12, 192.168.10.200 }
NFT Konfig
- cat /etc/nftables.conf
#!/usr/sbin/nft -f
# Discard the current live ruleset; everything below is loaded in its place.
flush ruleset
# Interface names, addresses and port sets are kept in a separate file.
include "/etc/nftables.var"
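table inet filter {
    # Traffic addressed to the firewall itself.
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections already known to conntrack, and loopback.
        ct state established,related accept
        ct state new iif "lo" accept

        # Internal networks may reach the firewall's own TCP services
        # ($local_tcp_ports), but only from the interface that network sits
        # behind -- a packet with a $lan source on $dmzdev does not match.
        # There is no such rule for $mgmt, which has no interface defined.
        ct state new iif $landev ip saddr $lan tcp dport $local_tcp_ports accept
        ct state new iif $dmzdev ip saddr $dmz tcp dport $local_tcp_ports accept
        ct state new iif $serverdev ip saddr $server tcp dport $local_tcp_ports accept

        # The admin host on the WAN side may open any connection to the
        # firewall (all ports, all protocols). This is deliberately broad;
        # restrict to `tcp dport $local_tcp_ports` if full access is not needed.
        ct state new iif $wandev ip saddr $host accept

        # Partner networks reach the firewall's sshd: prerouting rewrites
        # $fw:$ssh_port to $fw:4711, so the packet arrives here with daddr $fw.
        # NOTE(review): the original rule matched `ip daddr $ns`, which can
        # never hit the input chain (packets for the DMZ name server are
        # forwarded, not delivered locally) -- confirm $fw is the intended target.
        ct state new iif $wandev ip saddr $partner_net ip daddr $fw tcp dport 4711 accept

        # IPv4 ping from anywhere. `icmp type` does not match ICMPv6, so an
        # IPv6 echo-request would be dropped by the policy.
        ct state new icmp type echo-request accept

        # Everything else is logged, then dropped by the chain policy.
        # Consider adding `limit rate` here so a flood cannot fill the log.
        log prefix " --nftables-drop-input-- "
    }

    # Traffic routed through the firewall.
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Internal networks may initiate connections anywhere, but only when
        # the packet arrives on an internal interface: a WAN packet carrying
        # a spoofed internal source address must not match this rule.
        # $localnets includes $dmz, so DMZ hosts can also initiate into
        # $lan/$server/$mgmt -- tighten this if DMZ isolation is required.
        ct state new iif != $wandev ip saddr $localnets accept

        # Admin host -> DMZ name server over SSH.
        ct state new iif $wandev oif $dmzdev ip saddr $host ip daddr $ns tcp dport 22 accept

        # SSH to the LAN client, reached through the 9922 DNAT in prerouting.
        # There is no source restriction here, so any WAN address that reaches
        # $wanip:9922 gets through; add `ip saddr $host` (or similar) if the
        # client should only be reachable from known addresses.
        ct state new iif $wandev oif $landev ip daddr $client tcp dport 22 accept

        # Published DMZ services: mail, web and DNS from any WAN source.
        ct state new iif $wandev oif $dmzdev ip daddr $mail tcp dport $mail_tcp_ports accept
        ct state new iif $wandev oif $dmzdev ip daddr $www tcp dport $www_tcp_ports accept
        ct state new iif $wandev oif $dmzdev ip daddr $ns udp dport $ns_udp_ports accept

        # SSH to the DMZ hosts (via the $ssh_port DNAT) only from partner networks.
        ct state new iif $wandev oif $dmzdev ip saddr $partner_net ip daddr $mail tcp dport 22 accept
        ct state new iif $wandev oif $dmzdev ip saddr $partner_net ip daddr $www tcp dport 22 accept
        ct state new iif $wandev oif $dmzdev ip saddr $partner_net ip daddr $ns tcp dport 22 accept

        # Logged, then dropped by policy. A `limit rate` would protect the log.
        log prefix " --nftables-drop-forward-- "
    }

    # Traffic originating from the firewall itself.
    chain output {
        type filter hook output priority filter; policy drop;

        ct state established,related accept
        # All new outbound connections are allowed, so the drop policy only
        # catches packets conntrack classifies as invalid.
        ct state new accept

        log prefix " --nftables-drop-output-- "
    }
}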
table inet nat {
    # Destination NAT: port forwards evaluated before routing.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # External $wanip:9922 -> SSH on the LAN client.
        ip daddr $wanip tcp dport 9922 dnat ip to $client:22

        # $ssh_port on the firewall maps to its sshd on 4711; on each DMZ
        # host it maps to the standard SSH port.
        ip daddr $fw   tcp dport $ssh_port dnat ip to $fw:4711
        ip daddr $mail tcp dport $ssh_port dnat ip to $mail:22
        ip daddr $www  tcp dport $ssh_port dnat ip to $www:22
        ip daddr $ns   tcp dport $ssh_port dnat ip to $ns:22
    }

    # Source NAT: masquerade internal networks behind $wanip on the way out.
    chain postrouting {
        # `srcnat` is the symbolic name for priority 100.
        type nat hook postrouting priority srcnat; policy accept;

        # LAN, server and management networks are always rewritten.
        oif $wandev ip saddr { $lan, $server, $mgmt } snat to $wanip

        # DMZ traffic is rewritten unless it stays inside 10.88.0.0/16
        # (e.g. towards the partner DMZ 10.88.212.0/24).
        oif $wandev ip saddr $dmz ip daddr != 10.88.0.0/16 snat to $wanip
    }
}