The Firewall (Linux in heterogeneous networks, basic configuration): difference between revisions
| Zeile 125: | Zeile 125: | ||
*nft -f /etc/nftables.conf | *nft -f /etc/nftables.conf | ||
*systemctl enable nftables | *systemctl enable nftables | ||
| − | + | *nft list ruleset | |
==Reboot== | ==Reboot== | ||
*'''reboot''' | *'''reboot''' | ||
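Review bot: the added `*nft list ruleset` step is the right verification after `nft -f`, but the reader is not told what to look for; suggest noting that the output should show the `masquerade` rule in `chain postrouting` of `table inet nat` with `enp0s3` and `172.26.52.0/22` substituted for the `define` symbols, since `systemctl enable nftables` on its own only arranges loading at boot and says nothing about the ruleset currently in the kernel.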
Revision as of 8 October 2024, 10:32
The Firewall
VirtualBox configuration
- Adapter1: Bridged Adapter br0
- Adapter2: Internal Network dmz
- Adapter3: Internal Network eth1/1
Setting and adjusting the hostname
- LAB=lab34
- hostnamectl set-hostname firewall.$LAB.linuggs.de
- hostnamectl
Static hostname: firewall.lab34.linuggs.de
Icon name: computer-vm
Chassis: vm 🖴
Machine ID: a736abd11f52406db0e02d7a3877059b
Boot ID: 089a7ce53e6a429797007e7e4acba90b
Virtualization: oracle
Operating System: Debian GNU/Linux 12 (bookworm)
Kernel: Linux 6.1.0-25-amd64
Architecture: x86-64
Hardware Vendor: innotek GmbH
Hardware Model: VirtualBox
Firmware Version: VirtualBox
- cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 firewall.lab34.linuggs.de firewall
Installing the vlan package
- apt install vlan
Adjusting the network configuration
- cat /etc/network/interfaces
source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# WAN
auto enp0s3
iface enp0s3 inet static
    address 172.30.34.14/24
    gateway 172.30.34.254
iface enp0s3 inet6 static
    address 2a02:24d8:71:3040::3034/64
    gateway 2a02:24d8:71:3040::1

#MGMT
auto enp0s9
iface enp0s9 inet6 static
    address 2a02:24d8:71:3034::1/64
iface enp0s9 inet static
    address 172.26.52.1/24

#CLIENTS
auto enp0s9.21
iface enp0s9.21 inet6 static
    address 2a02:24d8:71:3035::1/64
    vlan-raw-device enp0s9
iface enp0s9.21 inet static
    address 172.26.53.1/24
    vlan-raw-device enp0s9

#SERVER
auto enp0s9.22
iface enp0s9.22 inet6 static
    address 2a02:24d8:71:3036::1/64
    vlan-raw-device enp0s9
iface enp0s9.22 inet static
    address 172.26.54.1/24
    vlan-raw-device enp0s9

#DMZ
auto enp0s8
iface enp0s8 inet6 static
    address 2a02:24d8:71:3037::1/64
iface enp0s8 inet static
    address 172.26.55.1/24
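Before rebooting into a new interfaces file it pays to lint it, because the VLAN stanzas above are near-identical and are usually produced by copying one and editing it. The following script is an added example and not part of the wiki page; the function names (lint_interfaces, page_config, broken_config, finding_count) are my own. It checks two things on the file read from stdin: that every vlan-raw-device names the parent encoded in the sub-interface name (enp0s9.21 belongs to enp0s9), and that no address is assigned twice. The page's MGMT/CLIENTS/SERVER excerpt passes; a constructed broken copy of the SERVER stanza does not.

```shell
#!/bin/sh
# Added example, not part of the wiki page: lint an ifupdown
# /etc/network/interfaces before rebooting the firewall. Two checks:
#   1. every vlan-raw-device matches the parent encoded in the
#      sub-interface name (enp0s9.21 -> enp0s9);
#   2. no address is assigned twice, the usual copy-paste error when
#      cloning a VLAN stanza for the next VLAN.
# Reads the interfaces text on stdin, prints one finding per line and
# exits with the number of findings (0 = clean).
lint_interfaces() {
    awk '
        $1 == "iface" { cur = $2; split(cur, p, "."); parent = p[1] }
        $1 == "vlan-raw-device" && cur ~ /\./ && $2 != parent {
            print "mismatch: " cur " uses vlan-raw-device " $2; n++
        }
        $1 == "address" {
            if ($2 in seen) {
                print "duplicate address " $2 " in " cur " and " seen[$2]; n++
            } else {
                seen[$2] = cur
            }
        }
        END { exit n + 0 }'
}

# Excerpt of the interfaces file from the page (MGMT, CLIENTS, SERVER).
page_config() {
    cat <<'EOF'
auto enp0s9
iface enp0s9 inet6 static
    address 2a02:24d8:71:3034::1/64
iface enp0s9 inet static
    address 172.26.52.1/24

auto enp0s9.21
iface enp0s9.21 inet6 static
    address 2a02:24d8:71:3035::1/64
    vlan-raw-device enp0s9
iface enp0s9.21 inet static
    address 172.26.53.1/24
    vlan-raw-device enp0s9

auto enp0s9.22
iface enp0s9.22 inet6 static
    address 2a02:24d8:71:3036::1/64
    vlan-raw-device enp0s9
iface enp0s9.22 inet static
    address 172.26.54.1/24
    vlan-raw-device enp0s9
EOF
}

# Constructed broken variant: the SERVER stanza was cloned from CLIENTS
# and neither the address nor the raw device was updated correctly.
broken_config() {
    cat <<'EOF'
auto enp0s9
iface enp0s9 inet static
    address 172.26.52.1/24

auto enp0s9.21
iface enp0s9.21 inet static
    address 172.26.53.1/24
    vlan-raw-device enp0s9

auto enp0s9.22
iface enp0s9.22 inet static
    address 172.26.53.1/24
    vlan-raw-device enp0s8
EOF
}

# Number of findings for the text on stdin.
finding_count() {
    lint_interfaces | awk 'END { print NR }'
}

echo "page excerpt: $(page_config | finding_count) finding(s)"
echo "broken copy:  $(broken_config | finding_count) finding(s)"
```

On the firewall itself run it as `lint_interfaces < /etc/network/interfaces` before the reboot; a non-zero exit status means at least one stanza needs a second look.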
Enabling forwarding
- echo net.ipv4.ip_forward=1 >> /etc/sysctl.conf
- echo net.ipv6.conf.all.forwarding=1 >> /etc/sysctl.conf
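Appending with `echo >>` works once, but every re-run of the procedure adds another copy of the line, and sysctl applies the file top to bottom so the last copy silently wins. The script below is an added example, not part of the wiki page; the function names (sysctl_effective, sysctl_set, enable_forwarding) are my own, and the file path is a parameter so it can be tried on a scratch copy first. It reads the effective value of a key and sets a key exactly once, rewriting an existing assignment in place and dropping later duplicates.

```shell
#!/bin/sh
# Added example, not part of the wiki page: manage the two forwarding keys
# in a sysctl.conf-style file without the duplicate lines that a repeated
# "echo ... >> /etc/sysctl.conf" leaves behind. The file path is a
# parameter so the functions can be tried on a scratch copy first.

# Print the effective value of KEY in FILE: sysctl(8) applies the file top
# to bottom, so the last assignment wins; prints nothing if KEY is absent.
sysctl_effective() {
    key="$1"; file="$2"
    awk -v k="$key" -F= '
        /^[[:space:]]*[#;]/ { next }                    # skip comment lines
        { gsub(/[[:space:]]/, "", $1) }
        $1 == k { v = $2; gsub(/[[:space:]]/, "", v); found = 1 }
        END { if (found) print v }' "$file"
}

# Set KEY=VALUE in FILE exactly once: the first existing assignment is
# rewritten in place, later duplicates are dropped, and the key is appended
# if it was not there. Idempotent, so safe to run from a provisioning script.
sysctl_set() {
    key="$1"; value="$2"; file="$3"
    [ -e "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk -v k="$key" -v val="$value" '
        {
            line = $0; sub(/[#;].*/, "", line)          # ignore comment part
            split(line, kv, "="); gsub(/[[:space:]]/, "", kv[1])
            if (kv[1] == k) {
                if (!done) { print k "=" val; done = 1 }
                next
            }
            print
        }
        END { if (!done) print k "=" val }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# The two keys the firewall needs, as on the page. Values become active
# after "sysctl -p" or the reboot at the end of the procedure.
enable_forwarding() {
    file="${1:-/etc/sysctl.conf}"
    sysctl_set net.ipv4.ip_forward 1 "$file"
    sysctl_set net.ipv6.conf.all.forwarding 1 "$file"
}
```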
Firewall that only does NAT
- vi /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset

define wandev = enp0s3
define netz = { 172.26.52.0/22 }

# Filter table: base chains without an explicit policy default to accept,
# so at this stage every packet passes and only NAT is done.
table inet filter {
    chain input {
        type filter hook input priority filter;
    }
    chain forward {
        type filter hook forward priority filter;
    }
    chain output {
        type filter hook output priority filter;
    }
}

table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # source NAT for the internal /22 (MGMT, CLIENTS, SERVER, DMZ) leaving on the WAN device
        oif $wandev ip saddr $netz masquerade
    }
}
Activating the firewall
- nft -f /etc/nftables.conf
- systemctl enable nftables
- nft list ruleset
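The `nft list ruleset` step is there to confirm what the kernel actually loaded. The script below is an added example and not part of the wiki page; the function names (has_masquerade, accept_filter_chains, nat_hook_chains, audit_nat_ruleset, sample_ruleset) are my own. It reads `nft list ruleset` output on stdin, confirms the masquerade rule for the WAN device and internal prefix is present, and lists the filter base chains whose policy is accept, which in this NAT-only stage is all three. The embedded sample is a constructed dump mirroring what the page's nftables.conf produces once loaded (nft substitutes the define symbols on output).

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit "nft list ruleset" output
# for the NAT-only configuration. On the firewall run:
#   nft list ruleset | audit_nat_ruleset enp0s3 172.26.52.0/22

# Succeeds if a masquerade rule for WANDEV and NET is in the input.
has_masquerade() {
    wandev="$1"; net="$2"
    grep -Fq -- "oif \"$wandev\" ip saddr { $net } masquerade"
}

# Names of base chains in the filter hooks whose policy is accept. nft
# prints the policy even when the config file gave none, and the default
# is accept, so in the NAT-only config all three filter chains appear.
accept_filter_chains() {
    awk '$1 == "chain" { cur = $2 }
         /type filter hook/ && /policy accept;/ { print cur }'
}

# Number of NAT hook chains present (prerouting and postrouting expected).
nat_hook_chains() {
    awk '/type nat hook/ { n++ } END { print n + 0 }'
}

# Full report on stdin; exit status 1 if the masquerade rule is missing.
audit_nat_ruleset() {
    wandev="$1"; net="$2"
    dump=$(cat)
    rc=0
    if printf '%s\n' "$dump" | has_masquerade "$wandev" "$net"; then
        echo "ok: masquerade for $net via $wandev"
    else
        echo "MISSING: masquerade for $net via $wandev"; rc=1
    fi
    echo "nat hook chains: $(printf '%s\n' "$dump" | nat_hook_chains)"
    for c in $(printf '%s\n' "$dump" | accept_filter_chains); do
        echo "note: filter chain '$c' has policy accept (all traffic passes)"
    done
    return $rc
}

# Constructed sample of what the page's nftables.conf looks like once loaded.
sample_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif "enp0s3" ip saddr { 172.26.52.0/22 } masquerade
    }
}
EOF
}

sample_ruleset | audit_nat_ruleset enp0s3 172.26.52.0/22
```

The "policy accept" notes are expected output at this point of the lab; they become the checklist of chains to give an explicit policy and rules to when the filter part of the firewall is configured later.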
Reboot
- reboot