einfaches nftables regelwerk für einen router/firewall
Unter Debian 10 das Paket nftables installieren, die Konfiguration nach /etc/nftables.conf legen und den Dienst mit `systemctl enable --now nftables` aktivieren, damit das Regelwerk auch nach einem Neustart geladen wird (alternativ direkt mit `nft -f /etc/nftables.conf` laden; `nft -c -f /etc/nftables.conf` prüft vorher nur die Syntax, ohne etwas zu ändern). Wichtig: Das Weiterleiten von Paketen (Forward-Chain, Masquerading) funktioniert nur, wenn IP-Forwarding separat per sysctl eingeschaltet ist (`net.ipv4.ip_forward=1`, für IPv6 `net.ipv6.conf.all.forwarding=1`) – nftables schaltet das nicht ein.
#!/usr/sbin/nft -f
# Start from an empty ruleset so that loading this file replaces, rather
# than appends to, whatever is currently active.
flush ruleset

# Interfaces: two internal LAN ports and the uplink.
define INT_IF = { eth0, eth2 }
define EXT_IF = eth1

# Addresses: the internal prefixes, one host (presumably on the external
# side, going by its name) that is allowed through the forward chain, and
# the internal web server that forwarded traffic may reach on port 80.
define INT_NET = { 192.168.1.0/24, 192.168.2.0/24 }
define EXT_HOST = 172.16.1.66
define WEB = 192.168.2.31

# Provides $BLACKLIST for the netdev set below; kept in a separate file,
# presumably so the list can be edited without touching the rules.
include "/etc/nftables.blacklist"
# Entspricht dem, was ich bei iptables mit ipset mache – hier als nftables-Set, ausgewertet im netdev-Ingress-Hook. Nur eben anders. ;)
table netdev filter {
	# Source-address blacklist evaluated at the ingress hook, i.e. before
	# prerouting. "flags interval" allows prefixes (a.b.c.0/24) as well as
	# single addresses. The elements come from $BLACKLIST, defined in the
	# included /etc/nftables.blacklist.
	set blacklist { type ipv4_addr; flags interval; elements = $BLACKLIST }

	# NOTE(review): this chain is bound to eth0, which $INT_IF lists as an
	# internal interface, while the blacklisted addresses are in the
	# 172.16.x.x range next to $EXT_HOST. Confirm whether $EXT_IF (eth1)
	# was meant. A netdev chain is attached to a single device; to cover
	# further interfaces add one chain per device (newer nftables/kernel
	# releases also accept a "devices = { ... }" list, which is not assumed
	# to be available with Debian 10's nftables 0.9.0).
	chain ingress {
		type filter hook ingress device eth0 priority 0; policy accept;
		ip saddr @blacklist counter drop
	}
}
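table inet firewall {
	# Traffic addressed to the router itself. Default deny: whatever is not
	# explicitly accepted below is counted, logged (rate-limited) and dropped
	# by the chain policy.
	chain inbound {
		type filter hook input priority 0; policy drop;

		# Loopback first: local services talk to each other over lo and must
		# not depend on the conntrack checks below.
		iifname lo accept

		# IPv6 Neighbor Discovery and MLD are accepted without a rate limit:
		# a router whose NS/NA/RS/RA get dropped under load loses its
		# neighbors. Placed before the conntrack rules so it does not depend
		# on how the kernel's ICMPv6 tracker classifies these messages
		# (untracked vs. invalid). The original rule rate-limited all of
		# ICMPv6 to 4/s, which would include ND.
		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query, mld-listener-report, mld-listener-reduction, mld2-listener-report } accept

		# Replies to connections the router opened itself, plus related flows
		# (ICMP errors etc.); drop what conntrack cannot classify.
		ct state established,related accept
		ct state invalid drop

		# Remaining ICMP/ICMPv6/IGMP, rate-limited to blunt floods (burst is
		# nft's default when none is given). "meta l4proto" also matches when
		# IPv6 extension headers precede the ICMPv6 header; "ip6 nexthdr"
		# only matched when ICMPv6 was the very next header.
		ip protocol icmp limit rate 4/second accept
		meta l4proto ipv6-icmp limit rate 4/second accept
		ip protocol igmp limit rate 4/second accept

		# DHCP on the internal interfaces only.
		iifname $INT_IF udp dport { 67, 68 } accept

		# SSH management: internal interface AND internal source address, so
		# a forged internal address arriving on $EXT_IF does not qualify.
		iifname $INT_IF tcp dport 22 ip saddr $INT_NET accept

		# Everything else: count all of it, log only a sample so that a port
		# scan or flood cannot fill the journal, then fall through to the
		# chain policy (drop). Packets over the log limit are still dropped.
		counter
		limit rate 5/minute burst 10 packets log prefix "[nftables] Inbound Denied: " flags all
	}

	# Traffic routed through the box. Default deny as above.
	chain forward {
		type filter hook forward priority 0; policy drop;

		ct state established,related accept
		ct state invalid drop

		# Outbound from the LANs, and anything $EXT_HOST sends, bound to the
		# interface the address is expected on. The original matched on the
		# source address alone, so a packet entering on $EXT_IF with a forged
		# 192.168.x.x source would have been forwarded into the LAN (loose
		# rp_filter does not catch this, since the prefix is reachable via an
		# internal interface). NOTE(review): this assumes $EXT_HOST sits
		# behind $EXT_IF; if internal prefixes can also arrive legitimately
		# on $EXT_IF (e.g. via a tunnel), widen the iifname match instead of
		# dropping it.
		iifname $INT_IF ip saddr $INT_NET accept
		iifname $EXT_IF ip saddr $EXT_HOST accept

		# Published web server: only new connections reach this rule (the
		# rest is established above), so this caps connection setup at 10/s
		# with nft's default burst. NOTE(review): there is no dnat rule in
		# the nat table, so clients outside only reach $WEB if its subnet is
		# routed to this box; otherwise a dnat rule in nat/prerouting is
		# needed as well.
		ip daddr $WEB tcp dport 80 limit rate 10/second log prefix "[nftables] Web Server Access: " accept

		# Everything else: count, log a sample, fall through to policy drop.
		counter
		limit rate 5/minute burst 10 packets log prefix "[nftables] Forward Denied: " flags all
	}

	# Traffic the router originates: unrestricted.
	chain outbound {
		type filter hook output priority 0; policy accept;
	}
}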
table ip nat {
	# Source NAT for everything that leaves through the uplink. Only IPv4 is
	# NATed (table family "ip"); IPv6 is routed untouched.
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		# NOTE(review): this rewrites the source of every packet leaving
		# $EXT_IF, including forwarded traffic that did not originate in
		# $INT_NET (e.g. from $EXT_HOST); add "ip saddr $INT_NET" in front
		# of masquerade if that is not intended.
		oifname $EXT_IF masquerade
	}

	# Currently empty; presumably kept as the place for future dnat rules
	# (none is needed for the rules in the filter table as they stand).
	chain prerouting {
		type nat hook prerouting priority 0; policy accept;
	}
}
/etc/nftables.blacklist:
# Source addresses dropped at ingress by the "blacklist" set of table
# "netdev filter" in /etc/nftables.conf. Since that set is declared with
# "flags interval", prefixes (e.g. 172.16.2.0/24) may be listed here too.
define BLACKLIST = { 172.16.1.64, 172.16.1.127, 172.16.2.63 }
Quellen:
https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
https://wiki.gentoo.org/wiki/Nftables/Examples
bin immer noch nicht so ganz überzeugt von nftables... :-|