IPv6 Firewall Router: Unterschied zwischen den Versionen

(Die Seite wurde neu angelegt: „<pre> #!/usr/sbin/nft -f define local_tcp_ports = { 22 } define webserver = "2a02:24d8:71:2445::102" define wandev = ens4 define landev = ens5 define transit_…“)
 
 
(6 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
 +
=Simple IPv4 Firwall=
 
<pre>
 
<pre>
#!/usr/sbin/nft -f
+
table ip filter {
 +
chain input {
 +
type filter hook input priority filter; policy drop;
 +
ct state established,related accept
 +
ct state new iif "ens4" tcp dport 22 accept
 +
ct state new iif "ens5" accept
 +
ct state new iifname "lo" accept
 +
log prefix "--nftables-drop-input--"
 +
}
 +
 
 +
chain forward {
 +
type filter hook forward priority filter; policy drop;
 +
ct state established,related accept
 +
ct state new iif "ens5" oif "ens4" accept
 +
log prefix "--nftables-drop-forward--"
 +
}
 +
 
 +
chain output {
 +
type filter hook output priority filter; policy drop;
 +
ct state established,related accept
 +
ct state new accept
 +
log prefix "--nftables-drop-output--"
 +
}
 +
}
 +
table ip nat {
 +
chain postrouting {
 +
type nat hook postrouting priority srcnat; policy accept;
 +
oif "ens4" masquerade
 +
}
 +
}
 +
</pre>
 +
 
 +
=Simple Dual Stack Firewall=
  
define local_tcp_ports = { 22 }
 
define webserver = "2a02:24d8:71:2445::102"
 
define wandev = ens4
 
define landev = ens5
 
define transit_4 = "192.168.44.0/24"
 
define transit_6 = "2a02:24d8:71:2444::/64"
 
define lan_4 = 192.168.45.0/24
 
define lan_6 = "2a02:24d8:71:2445::/64"
 
  
  
flush ruleset
+
<pre>
 
table inet filter {
 
table inet filter {
    chain input {
+
chain input {
        type filter hook input priority filter; policy drop;
+
type filter hook input priority filter; policy drop;
        ct state established,related accept
+
ct state established,related accept
        ct state new tcp dport $local_tcp_ports accept  
+
ct state new iif "ens3" tcp dport 22 accept
        ct state new iifname "lo" accept
+
ct state new iif "ens4" accept
        ct state new icmp type echo-request accept  
+
ct state new iifname "lo" accept
        ip6 nexthdr icmpv6 accept
+
ip6 nexthdr ipv6-icmp accept
        log prefix "--nftables-drop-input--"
+
log prefix "--nftables-drop-input--"
    }
+
}
    chain forward {
+
 
        type filter hook forward priority filter; policy drop;
+
chain forward {
        ct state established,related accept
+
type filter hook forward priority filter; policy drop;
        ct state new iif $landev oif $wandev accept
+
ct state established,related accept
        ct state new iif $wandev oif $landev ip6 daddr $webserver tcp dport 80  accept
+
ct state new iif "ens4" oif "ens3" accept
        log prefix "--nftables-drop-forward--"
+
log prefix "--nftables-drop-forward--"
    }
+
}
  
    chain output {
+
chain output {
        type filter hook output priority filter; policy drop;
+
type filter hook output priority filter; policy drop;
        ct state established,related accept
+
ct state established,related accept
        ip6 nexthdr icmpv6 accept
+
ip6 nexthdr ipv6-icmp accept
        ct state new accept
+
ct state new accept
        log prefix "--nftables-drop-output--"
+
log prefix "--nftables-drop-output--"
    }
+
}
 
}
 
}
 
 
table ip nat {
 
table ip nat {
 
chain postrouting {
 
chain postrouting {
type nat hook postrouting priority 100;
+
type nat hook postrouting priority srcnat; policy accept;
oif ens4 masquerade
+
oif "ens3" masquerade
}
+
}
 
}
 
}
 +
 +
 
</pre>
 
</pre>
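Review bot: The new `ip6 nexthdr ipv6-icmp accept` lines in the input and output chains of `table inet filter` only match when ICMPv6 is the very first next header, so ICMPv6 carried behind an extension header (MLD reports use a hop-by-hop Router Alert option) falls through to the log rule and the drop policy. Matching the upper-layer protocol instead, `meta l4proto ipv6-icmp accept`, covers those packets as well. The `log prefix` rules in all three chains are also unbounded, so a flood of dropped packets translates directly into a flood of kernel log lines; prefixing them with `limit rate 10/minute burst 5 packets` keeps the chain policy unchanged while capping the log volume. This rendered diff does not show the old and new sides line by line, so these remarks are made against the new rules as they appear in the current version below.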

Aktuelle Version vom 31. Januar 2024, 10:55 Uhr

Simple IPv4 Firewall

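# IPv4-only packet filter. Every base chain uses "policy drop", so only traffic
# that an accept rule matches gets through; anything else reaches the trailing
# log rule and is then dropped by the chain policy.
# Interface roles as implied by the rules (and by the masquerade rule in the
# nat table of this listing): ens4 = WAN/upstream, ens5 = LAN/trusted side.
# NOTE: this listing contains no "flush ruleset"; loading it a second time
# with nft -f appends the rules again instead of replacing them.
table ip filter {
	chain input {
		type filter hook input priority filter; policy drop;
		# Replies and related traffic (e.g. ICMP errors for a tracked flow) are
		# accepted first; new connections are filtered per interface below.
		ct state established,related accept
		# Match interfaces by name: iifname does not need the device to exist
		# when the ruleset is loaded and keeps matching if the device is
		# re-created, whereas iif binds to the interface index at load time.
		ct state new iifname "ens4" tcp dport 22 accept
		ct state new iifname "ens5" accept
		ct state new iifname "lo" accept
		# NOTE: no standalone IPv4 ICMP is accepted here, only ICMP that is
		# "related" to a tracked flow, so the router does not answer echo-request.
		# Rate-limit the log rule so a packet flood cannot flood the kernel log;
		# the chain policy still drops every packet that reaches this point.
		limit rate 10/minute burst 5 packets log prefix "--nftables-drop-input--"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		# Only LAN-initiated flows are forwarded to the WAN; no new flow from the
		# WAN reaches the LAN (there are no port forwards in this ruleset).
		ct state new iifname "ens5" oifname "ens4" accept
		limit rate 10/minute burst 5 packets log prefix "--nftables-drop-forward--"
	}

	chain output {
		type filter hook output priority filter; policy drop;
		ct state established,related accept
		# Every locally generated new connection is allowed; with "policy drop"
		# only packets conntrack classifies as neither new nor established/related
		# (e.g. ct state invalid) end up logged and dropped.
		ct state new accept
		limit rate 10/minute burst 5 packets log prefix "--nftables-drop-output--"
	}
}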
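# IPv4 source NAT: traffic leaving through the WAN interface is masqueraded to
# the router's WAN address. This is an "ip" family table, so IPv6 is never NATed.
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# oifname matches by name, so the rule survives device re-creation and the
		# ruleset loads even if ens4 does not exist yet (oif binds the ifindex at
		# load time).
		oifname "ens4" masquerade
	}
}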

Simple Dual Stack Firewall

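# Dual-stack packet filter ("inet" family handles IPv4 and IPv6 in one table).
# Every base chain uses "policy drop"; unmatched packets hit the trailing log
# rule and are then dropped by the chain policy.
# Interface roles as implied by the rules (and by the masquerade rule in the
# nat table of this listing): ens3 = WAN/upstream, ens4 = LAN/trusted side.
# These names differ from the "Simple IPv4 Firewall" listing on this page,
# where ens4 is the WAN and ens5 the LAN.
# NOTE: this listing contains no "flush ruleset"; loading it a second time
# with nft -f appends the rules again instead of replacing them.
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		ct state established,related accept
		# Match interfaces by name: iifname does not need the device to exist
		# when the ruleset is loaded and keeps matching if the device is
		# re-created, whereas iif binds to the interface index at load time.
		ct state new iifname "ens3" tcp dport 22 accept
		ct state new iifname "ens4" accept
		ct state new iifname "lo" accept
		# Accept ICMPv6 regardless of connection state: neighbor discovery,
		# router advertisements and MLD are not covered by the established/related
		# rule above. "meta l4proto" matches the upper-layer protocol behind any
		# IPv6 extension headers; "ip6 nexthdr" only looks at the first next
		# header and therefore misses e.g. MLD (hop-by-hop Router Alert option).
		meta l4proto ipv6-icmp accept
		# NOTE: no standalone IPv4 ICMP is accepted, only ICMP "related" to a
		# tracked flow, so the router does not answer IPv4 echo-request.
		# Rate-limit the log rule so a packet flood cannot flood the kernel log;
		# the chain policy still drops every packet that reaches this point.
		limit rate 10/minute burst 5 packets log prefix "--nftables-drop-input--"
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		# Only LAN-initiated flows are forwarded to the WAN; no new flow from the
		# WAN reaches the LAN for either address family.
		ct state new iifname "ens4" oifname "ens3" accept
		limit rate 10/minute burst 5 packets log prefix "--nftables-drop-forward--"
	}

	chain output {
		type filter hook output priority filter; policy drop;
		ct state established,related accept
		# Locally generated ICMPv6 (neighbor/router solicitations, MLD) is accepted
		# before the state check; see the input chain for why l4proto is used.
		meta l4proto ipv6-icmp accept
		# Every other locally generated new connection is allowed; only packets
		# that are neither new nor established/related are logged and dropped.
		ct state new accept
		limit rate 10/minute burst 5 packets log prefix "--nftables-drop-output--"
	}
}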
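# IPv4 source NAT for the dual-stack setup: IPv4 traffic leaving through the
# WAN interface is masqueraded. The table is "ip" family on purpose, so the
# globally routed IPv6 addresses of the LAN are never NATed.
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# oifname matches by name, so the rule survives device re-creation and the
		# ruleset loads even if ens3 does not exist yet (oif binds the ifindex at
		# load time).
		oifname "ens3" masquerade
	}
}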