Nftables Firewall Basis Konfiguration: difference between revisions
| Zeile 31: | Zeile 31: | ||
*In der Praxis sollte man das genau überlegen. | *In der Praxis sollte man das genau überlegen. | ||
*Für unsere Übung ist das aber ok. | *Für unsere Übung ist das aber ok. | ||
| + | #!/usr/sbin/nft -f | ||
| + | flush ruleset | ||
| + | define local_tcp_ports = { 22 } | ||
| + | '''define save_interfaces = { enp0s8, enp0s9, enp0s10 }''' | ||
| + | table inet filter { | ||
| + | chain input { | ||
| + | type filter hook input priority filter; policy drop; | ||
| + | ct state established,related accept | ||
| + | ct state new iif "lo" accept | ||
| + | ct state new tcp dport $local_tcp_ports accept | ||
| + | '''ct state new iif $save_interfaces accept''' | ||
| + | } | ||
| + | |||
| + | chain forward { | ||
| + | type filter hook forward priority filter; policy drop; | ||
| + | ct state established,related accept | ||
| + | '''ct state new iif $save_interfaces accept''' | ||
| + | } | ||
| + | chain output { | ||
| + | type filter hook output priority filter; policy drop; | ||
| + | ct state established,related accept | ||
| + | ct state new accept | ||
| + | } | ||
| + | |||
| + | } | ||
| + | =Das Logging= | ||
| + | *Kurz vor dem erreichen der Default Policy wird geloggt | ||
#!/usr/sbin/nft -f | #!/usr/sbin/nft -f | ||
flush ruleset | flush ruleset | ||
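Review bot: the new `=Das Logging=` section at the end of this hunk announces that packets are logged just before the default policy is reached, but the ruleset added in the same hunk carries no `log` statement; the `input` and `forward` chains still end with `ct state new iif $save_interfaces accept` and fall straight through to `policy drop`. Add a rule such as `log prefix "nft-input-drop: "` (rate-limited with `limit rate`, so a packet flood cannot fill the kernel log) as the last line of each chain so the section and the ruleset agree. Minor: the added `ct state new iif $save_interfaces accept` rules accept every new connection arriving on those three interfaces, in `input` as well as `forward`; the list above already says this needs thought in practice, so stating the assumption (these are the internal lab networks) next to the `define` would help readers who copy the file.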
Revision as of 28 February 2023, 16:25
The basic configuration
- The basic configuration means that everything going out from the firewall is allowed.
- We also open TCP port 22 for access to the firewall itself here.
#!/usr/sbin/nft -f
flush ruleset
define local_tcp_ports = { 22 }
define save_interfaces = { enp0s8, enp0s9, enp0s10 }
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state new iif "lo" accept
        ct state new tcp dport $local_tcp_ports accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        ct state new accept
    }
}
Moving on
- We allow the local networks to reach each other.
- And also to reach our firewall.
- In practice this should be considered carefully.
- For our exercise, though, it is fine.
#!/usr/sbin/nft -f
flush ruleset
define local_tcp_ports = { 22 }
define save_interfaces = { enp0s8, enp0s9, enp0s10 }
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state new iif "lo" accept
        ct state new tcp dport $local_tcp_ports accept
        ct state new iif $save_interfaces accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state new iif $save_interfaces accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        ct state new accept
    }
}
Logging
- Logging takes place just before the default policy is reached.
#!/usr/sbin/nft -f
flush ruleset
define local_tcp_ports = { 22 }
define save_interfaces = { enp0s8, enp0s9, enp0s10 }
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state new iif "lo" accept
        ct state new tcp dport $local_tcp_ports accept
        ct state new iif $save_interfaces accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state new iif $save_interfaces accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        ct state new accept
    }
}
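The Logging section says that a packet is logged right before it hits the default policy, but the ruleset shown there does not contain a `log` statement yet. The following Python script is an added example and not part of the wiki page: it parses an `nft -f` file chain by chain, reports every `policy drop` chain whose last rule is not a `log`, and inserts a rate-limited log rule at that position. The ruleset embedded in it is the page's own Logging ruleset; the prefix `nft-<chain>-drop: ` and the rate `5/second burst 10 packets` are choices made for this example, not values from the page.

```python
"""Lint an nftables ruleset for 'log before drop' and patch it where the log is missing."""
import re
from typing import List, Optional

# Constructed input for this example: the ruleset shown on the page under "Logging".
# All three chains have policy drop, but none of them logs before dropping.
RULESET = """\
#!/usr/sbin/nft -f
flush ruleset
define local_tcp_ports = { 22 }
define save_interfaces = { enp0s8, enp0s9, enp0s10 }
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state new iif "lo" accept
        ct state new tcp dport $local_tcp_ports accept
        ct state new iif $save_interfaces accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        ct state new iif $save_interfaces accept
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        ct state new accept
    }
}
"""

CHAIN_RE = re.compile(r"^chain\s+(?P<name>\S+)\s*\{$")
POLICY_RE = re.compile(r"\bpolicy\s+(?P<policy>accept|drop)\s*;")


class Chain:
    """Name, base-chain policy (None for regular chains) and rule lines of one chain."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.policy: Optional[str] = None
        self.rules: List[str] = []


def parse_chains(config: str) -> List[Chain]:
    """Line-based parse of an nft -f file into chains; comments and the shebang are dropped.
    A '#' inside a quoted string would be taken for a comment, which the page's rules avoid."""
    chains: List[Chain] = []
    current: Optional[Chain] = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        match = CHAIN_RE.match(line)
        if match:
            current = Chain(match.group("name"))
            chains.append(current)
            continue
        if current is None:
            continue  # table header, defines, closing brace of the table
        if line == "}":
            current = None
            continue
        policy = POLICY_RE.search(line)
        if line.startswith("type ") and policy:
            current.policy = policy.group("policy")  # base chain header
            continue
        current.rules.append(line)
    return chains


def chains_missing_log(config: str) -> List[str]:
    """Chains with 'policy drop' whose last rule is not a log statement: packets that
    fall through to the policy there are dropped silently."""
    return [
        chain.name
        for chain in parse_chains(config)
        if chain.policy == "drop"
        and not (chain.rules and re.search(r"\blog\b", chain.rules[-1]))
    ]


def add_log_rules(config: str, rate: str = "5/second burst 10 packets") -> str:
    """Return the ruleset with a rate-limited log rule inserted as the final rule of every
    'policy drop' chain that lacks one. The prefix "nft-<chain>-drop: " is a placeholder
    chosen for this example; the limit keeps a packet flood from filling the kernel log."""
    missing = set(chains_missing_log(config))
    out: List[str] = []
    current: Optional[str] = None
    for raw in config.splitlines():
        stripped = raw.strip()
        match = CHAIN_RE.match(stripped)
        if match:
            current = match.group("name")
        elif current is not None and stripped == "}":
            if current in missing:
                indent = raw[: len(raw) - len(raw.lstrip())] + "    "
                out.append(f'{indent}limit rate {rate} log prefix "nft-{current}-drop: "')
            current = None
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("silent drop in:", chains_missing_log(RULESET))  # ['input', 'forward', 'output']
    patched = add_log_rules(RULESET)
    print(patched)
    print("after patch:", chains_missing_log(patched))  # []
```

To use it on a real file, replace `RULESET` with the file's contents and write the patched text back out; `nft -c -f <file>` then checks the syntax without loading it, and once loaded, dropped packets appear in the kernel log (for example via `journalctl -k`) with the chosen prefix, which is what makes a silent `policy drop` debuggable.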