30 December 2015 16:34

FTTH is coming to our homes. Let's see what to expect in real life, and the caveats to look for.

In this article we'll see :

. a Gigabit Ethernet performance guide : understanding and using Gigabit Ethernet
. the testing and evaluation of the FTTH Internet access of a European ISP offering 1 Gbit/s download and 200 Mbit/s upload

Last edited December 31 2015

 

 

1. Model network

For this study, I'll use a simple home network, with two inexpensive SOHO devices : an additional switch and a router connecting two other rooms :

[ image : home network topology ]

Switch 1 is a TP-Link TL-SG105E ( 30 € )
Router 1 is a D-Link DIR-818LW ( 60 € )

 


2. Gigabit Ethernet

Gigabit Ethernet offers 1 Gbit/s ( ie 1 billion bits/s ) at layer 2 ( ie including the preamble and the complete Ethernet frame ).
The copper wiring standard used in home networks is 1000BASE-T ( sometimes incorrectly referred to as 1000BASE-TX ).

 

a. Gigabit Ethernet requirements

To achieve Gigabit Ethernet speed, we need :

. all communicating nodes to use Gigabit Ethernet
. each network segment to be at most 100 meters ( 330 feet ) long, using at least Cat 5 cable.


b. Gigabit Ethernet throughput

Gigabit Ethernet being 1 billion bits/s at layer 2, let's see the real usable payload.

From a 1538-byte Ethernet frame, we can subtract :

- Ethernet : preamble, header, FCS and inter-frame gap    38 bytes
- IPv4 header                                             20 bytes
- TCP header                                              20 bytes

We can also compute how many packets per second ( pps ) a Gigabit Ethernet link must at least handle :

pps = 10^9 / 8 / 1538 = 81 274 pps

Here are the resulting bandwidths, in an easy chart :

[ chart : usable bandwidth at each layer ]

It is important to keep these values in mind when using network speed tests and benchmarks.

 

c. Gigabit switches real throughput

A gigabit switch's performance is described by several values. Here are the specs of a simple 5-port switch, the TP-Link TL-SG105E :


PERFORMANCE
Packet Forwarding Rate    7.4 Mpps
MAC Address Table         8K
Packet Buffer Memory      2 Mb
Jumbo Frame               16 KB

One of the most important metrics is the Mpps value. Although it is a marketing value ( doubled because of full duplex, computed using a best-case scenario : long 1538-byte frames, no options that could raise the processing needs, ... ), it sheds some light on a switch's performance.

Here, with 7.4 Mpps, we can assume 3.7 Mpps half-duplex.
Considering the 81 274 pps of Gigabit Ethernet we just calculated above, we have :
3 700 000 / 81 274 = 45.5 gigabit streams

This 5-port switch shouldn't be limited by its packet forwarding rate.
We'll benchmark our test switch in the benchmarking chapter below.
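As an added worked example ( my code, not from the original post ), here is the arithmetic of sections b and c as a small Python module : it generalizes the 1538-byte TCP/IPv4 case to UDP, IPv6, jumbo and minimum-size frames, and converts a switch's Mpps rating into the number of gigabit streams it can forward, for long frames and for the 64-byte worst case. The frame sizes are the standard Ethernet values ; 7.4 Mpps is the TL-SG105E rating quoted above.

```python
"""Usable Gigabit Ethernet throughput, packet rate and switch Mpps budget."""
from dataclasses import dataclass

LINE_RATE_BPS = 1_000_000_000  # 1000BASE-T signals 1 Gbit/s at layer 2

# Layer-2 bytes on the wire that carry no payload, per frame.
PREAMBLE_SFD = 8   # 7 bytes preamble + 1 byte start frame delimiter
ETH_HEADER = 14    # destination MAC, source MAC, EtherType
FCS = 4            # frame check sequence
IFG = 12           # inter-frame gap, 96 bit times
L2_OVERHEAD = PREAMBLE_SFD + ETH_HEADER + FCS + IFG  # 38 bytes

# Layer-3 + layer-4 header bytes taken out of the MTU, without options.
HEADERS = {
    "tcp4": 20 + 20,
    "udp4": 20 + 8,
    "tcp6": 40 + 20,
    "udp6": 40 + 8,
}


@dataclass(frozen=True)
class Budget:
    wire_bytes: int      # bytes the frame occupies on the wire, gap included
    payload_bytes: int   # application bytes carried by the frame
    pps: float           # frames per second needed to fill the link
    goodput_bps: float   # application bits per second at line rate


def budget(mtu: int = 1500, proto: str = "tcp4") -> Budget:
    """Throughput budget for one Ethernet MTU and one L3/L4 encapsulation.

    mtu is the Ethernet payload size: 1500 for standard frames, 9000 for
    jumbo frames, 46 for a minimum-size 64-byte frame.
    """
    if mtu < 46:
        raise ValueError("Ethernet payload is padded to at least 46 bytes")
    headers = HEADERS[proto]
    if headers > mtu:
        raise ValueError(f"{proto} headers ({headers} B) do not fit in MTU {mtu}")
    wire = mtu + L2_OVERHEAD
    payload = mtu - headers
    pps = LINE_RATE_BPS / 8 / wire
    return Budget(wire, payload, pps, pps * payload * 8)


def gigabit_streams(mpps_rating: float, mtu: int = 1500, proto: str = "tcp4",
                    full_duplex_rating: bool = True) -> float:
    """How many line-rate gigabit streams a switch's forwarding rating sustains.

    Vendor Mpps figures are usually quoted for full duplex (doubled) and for
    the best case of long frames; the same rating divided by the packet rate
    of minimum-size frames (mtu=46) gives the worst case.
    """
    pps_rating = mpps_rating * 1_000_000 / (2 if full_duplex_rating else 1)
    return pps_rating / budget(mtu, proto).pps


if __name__ == "__main__":
    for mtu in (46, 1500, 9000):
        for proto in HEADERS:
            if HEADERS[proto] > mtu:   # IPv6 headers do not fit a 46-byte payload
                continue
            b = budget(mtu, proto)
            print(f"mtu={mtu:5d} {proto}: {b.pps:12,.0f} pps  "
                  f"{b.goodput_bps / 1e6:7.1f} Mbit/s usable")
    # TL-SG105E: 7.4 Mpps rating, long frames versus minimum-size frames.
    print(f"long frames   : {gigabit_streams(7.4):.1f} streams")
    print(f"64-byte frames: {gigabit_streams(7.4, mtu=46):.1f} streams")
```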

 

d. Gigabit routers real throughput

A gigabit router's performance is described by two main metrics :
. its switching performance ( LAN side )
. its routing performance ( LAN -> WAN, WAN -> LAN )

Not all SOHO manufacturers publish these values. In the case of the D-Link DIR-818LW used for this test, we don't have them.

We can look at SmallNetBuilder for some data ( LAN to WAN throughput, WAN to LAN throughput, total simultaneous throughput, maximum simultaneous connections ) :

http://www.smallnetbuilder.com/tools/charts/router/view

The point here is that a gigabit router won't automatically be able to route at gigabit speed.
We'll benchmark our test router in the benchmarking chapter below.

 

e. Gigabit hosts real throughput

Network end devices ( computers, NAS, ... ) obviously need gigabit capabilities, but that alone won't be enough.
Here are some limiting factors to consider :

. processing power ( we can assume 1 Hz per bit/s, so 1 GHz will be enough )
. bus limitation, bus sharing ( a network interface connected via PCI or USB 2 will be limited )
. OS overheads ( the OS firewall and antivirus software may slow down the effective bandwidth )
. storage media ( a NAS or a PC download test may be slowed down by its HDD speed )

 

f. Gigabit infrastructure cabling real throughput

One rule of thumb is to avoid running electrical wires and Ethernet cables in parallel. If they do, they should be 1 cm apart per meter of parallel run ( ie if they run in parallel for 2 meters, they should be at least 2 centimeters away from each other ).

Infrastructure cabling should be checked for any defect ( bent or pinched cable, electromagnetic interference ) that could lower the effective performance.

Ethernet plug wiring must follow several strict rules and guidelines. Clumsy home-made Ethernet cables can lower the cable's performance. Make them only if you feel competent and confident enough.

Besides visual inspection, network benchmarking is an effective way to verify that an infrastructure cable achieves its designated performance level.

 

 

3. Gigabit Ethernet benchmarking

We'll benchmark our test network using iperf3.
iperf3 measures the throughput of the TCP or UDP payload. As computed above, 1 Gbit/s Ethernet = 949 Mbit/s of TCP payload ( notes (1) (2) ). Thus, 949 Mbit/s will be our baseline.
I'll keep the best result out of 5 ( as long as the results are logical and coherent ).

[ image : benchmark topology ]

How to do a simple network benchmark between two computers using iperf3 :

We need to download the iperf3 portable folder on both computers, from https://iperf.fr/iperf-download.php

One PC will act as the iperf3 client, the other as the iperf3 server.

1. On both computers, we unzip it
2. We open a command line, cd into the iperf3 folder, and run :

server : iperf3 -s                  # CTRL+C to quit
client : iperf3 -c 192.168.1.20     # we use the iperf3 server's IP here


Note 1 : Choosing which PC is the server matters :
the iperf3 client must be able to reach the iperf3 server on TCP port 5201 ( routes, router firewalls/NATs, the iperf3 server's OS firewall ).

Note 2 : Instead of cd-ing into the iperf3 folder, we can use the full path :
C:\Users\Test\Documents\Imports\Iperf\iperf3 -s
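To automate the best-of-5 rule above, here is an added example ( my code, not from the original post ) in Python : it reads the receiver-side throughput from an iperf3 -J JSON report, keeps the best run among those coherent with the median, and compares it to the 949.3 Mbit/s TCP baseline. SAMPLE_REPORT is a constructed report ; run_iperf3() needs a reachable iperf3 server, as in the setup above.

```python
"""Best-of-N iperf3 TCP runs, parsed from `iperf3 -J` and compared to line rate."""
import json
import statistics
import subprocess
from typing import Iterable

# Theoretical TCP/IPv4 payload on 1000BASE-T with a 1500-byte MTU (section 2.b).
TCP4_GOODPUT_MBPS = 949.3

# Constructed sample: the part of an `iperf3 -J` TCP report that matters here,
# as json.loads() returns it. Real reports carry many more keys.
SAMPLE_REPORT = {
    "end": {
        "sum_sent": {"bytes": 1183000000, "seconds": 10.0, "bits_per_second": 946400000.0},
        "sum_received": {"bytes": 1182500000, "seconds": 10.0, "bits_per_second": 946000000.0},
    }
}


def received_mbps(report: dict) -> float:
    """Receiver-side average of a TCP report (what the server actually got)."""
    if "error" in report:                      # iperf3 reports failures as {"error": "..."}
        raise RuntimeError(report["error"])
    try:
        return report["end"]["sum_received"]["bits_per_second"] / 1e6
    except KeyError as exc:
        raise ValueError("not a TCP report: UDP reports use end.sum") from exc


def best_coherent(results: Iterable[float], tolerance: float = 0.10) -> float:
    """Best of N runs, keeping only runs within `tolerance` of the median.

    A single wild run (a stalled transfer, a wrong server) is not 'logical and
    coherent' with the pool, so it is not allowed to become the winner.
    """
    values = list(results)
    if not values:
        raise ValueError("no results")
    median = statistics.median(values)
    coherent = [v for v in values if abs(v - median) <= tolerance * median]
    return max(coherent)


def efficiency(mbps: float, baseline: float = TCP4_GOODPUT_MBPS) -> float:
    """Fraction of the theoretical TCP payload rate that a run achieved."""
    return mbps / baseline


def diagnose(mbps: float) -> str:
    """Rough reading of a result against the figures seen in this post."""
    if efficiency(mbps) >= 0.97:
        return "line rate: the switched path, cabling and hosts are not limiting"
    return ("below line rate: look for a routing hop (the DIR-818LW caps near 500 Mbit/s), "
            "a NIC on PCI/USB 2, an OS firewall or antivirus, or a faulty cable")


def run_iperf3(server: str, runs: int = 5, timeout: int = 30) -> float:
    """Run the iperf3 client `runs` times against `server`; best coherent Mbit/s."""
    results = []
    for _ in range(runs):
        proc = subprocess.run(["iperf3", "-c", server, "-J"], capture_output=True,
                              text=True, timeout=timeout, check=True)
        results.append(received_mbps(json.loads(proc.stdout)))
    return best_coherent(results)


if __name__ == "__main__":
    import sys
    best = run_iperf3(sys.argv[1]) if len(sys.argv) > 1 else received_mbps(SAMPLE_REPORT)
    print(f"{best:.0f} Mbit/s = {efficiency(best):.1%} of {TCP4_GOODPUT_MBPS} Mbit/s: "
          f"{diagnose(best)}")
```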

TL-SG105E switching performance

Let's first benchmark the Switch 1 performance, by running iperf3 between PC3 and PC4 :

[ image : iperf3 output ]

average : 946 Mbit/s
peak : 950 Mbit/s

We're really reaching the theoretical limit ( 949.3 Mbit/s ). We couldn't expect the switch to perform any better.

 

 

DIR-818LW switching performance :

Let's benchmark the Router 1 switching performance ( ie LAN to LAN ), by running iperf3 between PC2 and PC1 :

[ image : iperf3 output ]

average : 946 Mbit/s
peak : 949 Mbit/s

Here too, we're reaching the theoretical limit ( 949.3 Mbit/s ). The switching performance is really OK.

 

 

DIR-818LW routing performance :

Let's benchmark the Router 1 routing performance, by running iperf3 between PC2 and PC4 :

[ image : iperf3 output ]

average : 487 Mbit/s
peak : 501 Mbit/s

Here we clearly have a cap. The D-Link DIR-818LW won't route above 501 Mbit/s. This will clearly limit our network performance.

 


Cabling performance :

Let's finally test any infrastructure Ethernet cable, to be sure the cabling is healthy ( no pinched or bent Ethernet cable, no electromagnetic interference, ... ).
Here we need to check the long Ethernet cable between Switch 1 and the Internet gateway.

Unfortunately, this long Ethernet cable can't be unplugged conveniently from the CPE, so I can only test the PC3 to PC5 bandwidth ( which mixes up the cable performance with the Internet gateway's switching performance ).
Let's run iperf3 between PC3 and PC5 :

[ image : iperf3 output ]

average : 938 Mbit/s
peak : 948 Mbit/s

Clearly the cabling is good, and is not limiting our Gigabit Ethernet performance.
I strongly encourage you to test the performance level of your infrastructure cabling.

 

 

4. FTTH presentation

FTTH ( Fiber To The Home ) is the state-of-the-art technology for high-bandwidth Internet access.
Each client gets its own private, unshared fiber from the optical main distribution frame ( optical exchange node ) to the client's wall plug.

The technology used by the ISP tested here is 1000BASE-BX10 ( IEEE 802.3ah ).


1000BASE-BX10

1000BASE-BX10 is capable of up to 10 km over a single strand of single-mode fiber, with a different wavelength going in each direction. The terminals on each side of the fibre are not equal, as the one transmitting downstream (from the center of the network to the outside) uses the 1,490 nm wavelength, and the one transmitting upstream uses the 1,310 nm wavelength.

( source : https://en.wikipedia.org/wiki/Gigabit_Ethernet#1000BASE-BX10 )

 

IEEE 802.3ah

IEEE 802.3ah, also named Ethernet in the First Mile (EFM), is a June 2004 IEEE 802.3 standard (Ethernet).
It defines three types of links :

. point to point using copper
. point to point using fiber
. point to multipoint using EPON fiber

In our case, we're using 1000BASE-BX10 :

“ 1000BASE-BX10 defined in clause 59, providing point-to-point 1000 Mbit/s Ethernet links over an individual single-mode fiber up to at least 10 km. “

( source : https://en.wikipedia.org/wiki/Ethernet_in_the_first_mile )


“ 1. What is Ethernet in the First Mile ?

Ethernet in the First Mile (EFM) is the nickname of IEEE Std 802.3ah-2004, an amendment to the Ethernet standard, specifying “Media Access Control Parameters, Physical Layers, and Management Parameters for Subscriber Access Networks”. The EFM standard was approved by the IEEE Standards Board in June 2004, and officially published on 7 September 2004.

The “Last Mile” is the name traditionally given to the part of a public communication network that links the last provider-owned node (the central office, the street cabinet or pole) with the customer premises equipment (CPE). The “First Mile” is the exact same thing, viewed from the customer's perspective.

EFM does not improve or replace the existing Ethernet. It is a set of additional specifications, allowing users to run the Ethernet protocol over previously unsupported media, such as single pairs of telephone wiring and single strands of single-mode fiber (SMF). This makes the EFM port types suited for use in subscriber access networks, i.e. the networks that connect subscribers to their service provider. “

( source : http://www.ethernetinthefirstmile.com/faq_gen.html )

 


FTTH benefits

The benefits of FTTH are :
. high bandwidth
. low latency
. immunity from electromagnetic fields

 


FTTH patch cable

The patch cable used by this ISP to link the CPE to the optical wall plug is a 9/125 SC-APC/SC-UPC :

[ image : fiber patch cable ]

FTTH usage precautions :

The only requirements at home are :

. to avoid bending the fiber cable sharply : the fiber must run straight or in wide curves.
. to keep the SC-APC/SC-UPC plugs clean, avoiding any dust or grease.
. to never look directly into a live fiber cable ( the infrared light can't be seen, but it may cause eye injury ).

 

 

5. FTTH benchmarking

Let's finally test our FTTH performance.
Of course we'll perform our tests right behind the Internet gateway, to avoid any additional performance loss.
So we'll be using PC 5 :

[ image : FTTH benchmark topology ]

Here are the tests that were performed :

Iperf3 download                # iperf3 download test using a public iperf3 server
ipv6-test.com/speedtest        # IPv4 speed test
speedtest / lyon la fibre      # www.speedtest.net using the Lyon / LaFibre server
speedtest / paris freemobile   # www.speedtest.net using the Paris / FreeMobile server
mire.sfr.fr                    # SFR speed test
testdebit.info                 # testdebit.info speed test
direct 5 GO                    # browser download of a 5 GB file over IPv4 from testdebit.info
wget -O /dev/null …            # wget -O /dev/null http://1.testdebit.info/fichiers/5000Mo.dat ( Linux only )

 

The OSes tested were :

Windows 10 + Microsoft Edge
Ubuntu 14.04 live DVD + Mozilla Firefox

( For some tips about Network Benchmarking with Windows and Linux OS, see 7. Notes / Network Benchmarking OS tips )


The tests were repeated many times, looking for repeatability and coherence.
The goal was to measure the highest reached performance, so I kept the best score, as long as it was consistent with the global pool of results.

Here are the final results :

[ chart : speed test results per OS ]

The Ubuntu live DVD really performs best. Of course, there was no antivirus or firewall running on Ubuntu, so we can't really blame the Microsoft OS architecture.

The values above are the results of a download test, hiding the highs and lows during each test :
under Ubuntu, iftop indicated peaks at 984 Mbit/s during the tests, so we really have a gigabit fiber link !

The only oddity is the iperf3 test, which kept capping at 200 Mbit/s, whatever the settings and whichever public iperf3 server was tested.

Testing FTTH is a really subtle task, as many factors come into play :

. OS tested, firewall, antivirus, CPU power, HDD
. ISP infrastructure sizing : are the ISP's collection network and core network wide enough ?
. ISP peering link sizing : are the ISP's peering links wide enough ?
. ISP speed test cheating : is the ISP prioritizing the speed test packets and websites ?

Overall, with a lot of effort, we can only assert that we really have a 1 Gbit/s link, and that we can use a significant portion of it during real tests.

 

 

6. Is Fiber FTTH really worth the run ?

There are several cases where fiber Internet access really shines :

. Single-user experience ( a little speedy browsing shows 20+ Mbit/s peaks, saturating an ADSL2+ line ; add a little web TV player and we start experiencing slowdowns )
. Several simultaneous users on the local network
. Heavy downloads ( OS ISOs, torrents, ... )
. Uploading ( while I didn't cover this specific point, 200 Mbit/s of upload speed really is an asset )
. Low latency ( web surfing really feels snappier )

For all of these reasons, fiber Internet access really is worth it.

As for FTTH fiber, as long as the local network has been optimized for it, it really pushes the limit higher, leaving a lot of additional room for simultaneous users / activities / downloads, giving a really snappy and instantaneous experience !!

 

 

7. Notes


(1) https://en.wikipedia.org/wiki/Iperf

(2) http://archive.ncsa.illinois.edu/lists/iperf-users/jan08/msg00001.html


sources :

http://rickardnobel.se/actual-throughput-on-gigabit-ethernet/

http://networkengineering.stackexchange.com/questions/3129/bits-per-second-vs-packets-per-second

https://en.wikipedia.org/wiki/Gigabit_Ethernet

 

 

Network benchmarking OS tips :

It is not easy to benchmark the Gigabit / FTTH throughput, as firewall or antivirus software will lower the performance.


Windows OS

Using Windows, we need to start in safe mode with networking, to have the firewall and antivirus disabled ( which leads to security issues that make me not use this solution ).


Linux OS

Using a Linux OS, we can use a fresh live Ubuntu DVD ( which comes with no firewall by default ).


We edit the repositories :

sudo gedit /etc/apt/sources.list             # we add the universe and multiverse repositories

sudo apt-get update
sudo apt-get install iftop                   # command line bandwidth monitor
sudo apt-get install flashplugin-installer   # Flash player, needed for some website speed tests
sudo iftop                                   # launches the command line bandwidth monitor

One very interesting Linux option is the ability to save to /dev/null, removing any HDD cap :

wget -O /dev/null http://1.testdebit.info/fichiers/1000Mo.dat

Published by Computer Outlines - in NETWORKS
28 July 2014 21:30

Here we'll be looking at Ethernet, and the great 802.x family.

Layer 2 networking Part 2 : Ethernet and the 802.x Family

1. Introducing the Ethernet Family

Ethernet is a technology based on shared medium usage. Its foundation is CSMA/CD ( Carrier Sense Multiple Access with Collision Detection ).

 

There are actually 4 Ethernet types :

. Ethernet v1 : the original Ethernet, now deprecated

. Ethernet v2 : evolution of Ethernet v1, in use

. IEEE 802.x + LLC

. IEEE 802.x + LLC + SNAP

 

Ethernet v1 was published in 1980. Ethernet v2 was published in 1982.

IEEE 802.3 was published in 1983.

IEEE 802.x is a formal standardization effort of Ethernet v1 and v2.



Nowadays, both Ethernet v2 and 802.x are used. In the case of cabled LANs, home consumer products usually prefer the Ethernet v2 frame, as it is less CPU intensive.

IEEE 802.x is never used alone, but with LLC ( 802.2 ) or LLC + SNAP ( 802.2 + SNAP ).

 

Why am I using 802.x instead of, say, 802.3 ? Because the Ethernet family is vast, and encompasses different technologies. Here are some examples :

802.3 = cable ( Ethernet cable )

802.11 = Wi-Fi

802.15.1 = Bluetooth

 

Let's sum up all this in a chart :

[ chart : the Ethernet family ]

Let's complete this chart with some known protocols :

[ chart : the Ethernet family with known protocols ]
Published by computer outlines - in NETWORKS Layer2
28 July 2014 14:16

This series will focus on Layer 2, and explore :

 

1. The Data link layer

2. The Ethernet Family and 802.x

3. Wifi detailed and wiresharked

4. Bluetooth tethering, using bridging and using routing

5. Spanning Tree Protocol, using a Linux STP switch and a Cisco STP Switch

 

 

The Layer 2 : Data Link Layer

 

Layer 2 networking Part 1 : The Data-Link Layer

The Layer 2 is the Data link layer in the OSI model. Some examples : Ethernet (multipoint), PPP, HDLC, ADCCP ( point to point ).

Some protocols that use layer2 : ARP, ATM, STP.

The Data Link layer is concerned with moving data across the physical links ( layer 1 ) in the network ( layer 3 ).

[ image ]

Typical layer 2 appliances are bridges and switches ( where hubs are layer 1, and routers are layer 3 ).

The Data Link layer is sometimes subdivided into the MAC sublayer and the LLC sublayer : MAC is the Media Access Control, LLC is the Logical Link Control :

[ image : MAC and LLC sublayers ]

quote : « The data link layer provides a reliable link between two directly connected nodes, by detecting and possibly correcting errors that may occur in the physical layer. »

 

The data link layer performs these five tasks :

. Layer 2 addressing
. Frame synchronization
. Error detection in the physical layer
. Flow control
. Multi-access

Error detection : the data link layer checks for errors occurring during transmission. A cyclic redundancy check ( CRC ) field is often employed to allow the receiving station to detect transmission errors.

Flow control : the data link layer matches the emitting and receiving stations' speeds, so that the receiving station does not get flooded.

Multi-access : in the case of a shared medium, it is necessary to avoid traffic collisions. Example : CSMA/CD for Ethernet.

As an example, the Ethernet frame ends with a 32-bit FCS ( a 32-bit CRC used to detect any link-local corruption of data ).

In case of corrupt data, the frame is dropped ( there is no acknowledgement or resend at layer 2 : that is layer 4's role ).

 

 

quote : « Framing: Data-link layer takes packets from Network Layer and encapsulates them into Frames. Then, sends each Frame bit-by-bit on the hardware. At receiver's end Data link layer picks up signals from hardware and assembles them into frames. »

The packet from layer3 is encapsulated in a frame, that is sent bit-by-bit to the Layer 1 ( hardware layer ).

 

It is to be noted that layer 1 does not send this 'bit-sequence' per-se, but does some more encoding, to enable better performance ( see bandwidth vs throughput ).

 

 

Let's see the most common type of frame, an Ethernet v2 frame :

[ image : Ethernet v2 frame layout ]

The Preamble and Start of Frame Delimiter provide frame synchronization.

EtherType identifies the data type ( IP, ARP, NetBIOS, ... ).

FCS ( Frame Check Sequence ) provides error detection.
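As an added example ( my code, not from the original post ), here is the Ethernet v2 frame above built and checked in Python : it fills the header and payload, pads to the 64-byte minimum, appends the CRC-32 FCS, tells an Ethernet v2 frame from an IEEE 802.3 + LLC frame by the type / length field ( the rule that lets the two families share a wire, as discussed in the 802.x post above ), and shows that a single flipped bit is detected and the frame dropped. The MAC addresses and the ARP payload are constructed sample values.

```python
"""Build, check and classify Ethernet frames: Ethernet II vs 802.3, and the FCS."""
import struct
import zlib

PREAMBLE_SFD = b"\x55" * 7 + b"\xd5"  # prepended by the PHY: frame synchronisation
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
MIN_FRAME = 64       # header + payload + FCS, preamble excluded
MAX_PAYLOAD = 1500


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def fcs(body: bytes) -> int:
    """IEEE 802.3 FCS: CRC-32 with the same parameters as zlib.crc32."""
    return zlib.crc32(body) & 0xFFFFFFFF


def build_frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame as handed to the PHY: header, padded payload, FCS."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds the 1500-byte MTU")
    payload = payload.ljust(MIN_FRAME - 14 - 4, b"\x00")  # pad to 46 bytes minimum
    body = mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", fcs(body))  # FCS goes least-significant byte first


def frame_kind(type_or_length: int) -> str:
    """Bytes 13-14 hold an EtherType (>= 0x0600) or an 802.3 length (<= 1500)."""
    if type_or_length >= 0x0600:
        return "Ethernet II (EtherType)"
    if type_or_length <= MAX_PAYLOAD:
        return "IEEE 802.3 (length, LLC header follows)"
    return "invalid"


def fcs_ok(frame: bytes) -> bool:
    """Recompute the CRC over everything before the FCS and compare."""
    if len(frame) < 4:
        return False
    body, received = frame[:-4], struct.unpack("<I", frame[-4:])[0]
    return fcs(body) == received


def parse_frame(frame: bytes) -> dict:
    """Receiver side: drop runts and corrupted frames, else split the fields.

    Layer 2 only detects the error; nothing here acknowledges or resends.
    Padding stays in the payload: only the upper layer's length field knows.
    """
    if len(frame) < MIN_FRAME:
        raise ValueError("runt frame dropped")
    if not fcs_ok(frame):
        raise ValueError("bad FCS, frame dropped")
    type_or_length = struct.unpack("!H", frame[12:14])[0]
    return {
        "dst": mac_str(frame[:6]),
        "src": mac_str(frame[6:12]),
        "kind": frame_kind(type_or_length),
        "type_or_length": type_or_length,
        "payload": frame[14:-4],
    }


def flip_bit(frame: bytes, bit: int) -> bytes:
    """Simulate a single-bit error on the wire."""
    data = bytearray(frame)
    data[bit // 8] ^= 1 << (bit % 8)
    return bytes(data)


if __name__ == "__main__":
    frame = build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01",
                        ETHERTYPE_ARP, b"who-has 192.168.1.1")
    print(parse_frame(frame))
    try:
        parse_frame(flip_bit(frame, 200))
    except ValueError as err:
        print(err)
```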

Published by computer friendly - in NETWORKS
12 June 2014 09:41

This series will explore NAS technologies and the related issues. This first part will study the NAS functions of the DIR-626L, a neat 40 $/€ feature-rich router with complete IPv6 capabilities.



The DIR-626L firmware tested here is : FW v1.03

The SharePort Mobile App version is : June 12 2014

 

Edited June 21 2014

NAS 1 : DLink DIR 626L

1. The USB Shareport


The USB SharePort™ supports FAT32 and NTFS, with a 500GB limit.


There are two menu categories related to the Shareport functions :


    . Media Server
    . Shareport

 

2. The Media Server


There are only two options here :


. Enable / Disable
. Media Server name

All media added on the USB SharePort ( USB dongle or USB HDD ) will be published by the DLNA server.
The DLNA catalogue is re-indexed when the DIR-626L reboots. You need to reboot to have newly added media indexed instantly ( waiting a little while seems to trigger the re-indexing automatically too ).


The Media Server is independent from the network share permissions ( Shareport menu ). Everything is read-allowed. There is no restriction.

The Media Server can't be accessed from the WAN : there is no option for this.

DLNA access is very intuitive :

Under Windows ( Windows 7+ ), go to network places.
Ubuntu / GNOME 3 has no native tools yet. Still, VLC is a good DLNA client.


Do note that DLNA only streams media files ( video, audio and pictures ) ; documents ( .doc, .rtf, .txt, .pdf ) are not supported. Furthermore, some media formats are not supported.

The DIR-626L is certified DLNA 1.5


Understanding DLNA


DLNA is short for Digital Living Network Alliance. It is an access API, for system and vendor independence, but the files are downloaded as with a regular HTTP access ( mp3, ... ) ; it is not a netcast.
DLNA's aim is to offer simplified media sharing / interoperability.


DLNA is derived from UPnP. It is more restrictive than UPnP ( fewer media formats supported ) and adds some features ( like copy protection, DRM, ... ).


It defines a standard for moving movies, photos, music and other media from device to device. One of its aims is being zeroconf.


More finely, DLNA defines three concepts/roles : Server, Renderer, and Controller :

Server : content storage

renderer : Displaying the movie, playing the music, ...

Controller : Remote Control ( may be part of the renderer, or be a separate entity : Tablet, Smartphone, ... )

 

Theoretically, DLNA messages have a TTL of 4, thus supporting a few hops. In practice, I haven't seen any multi-hop ( ie cross-router ) implementation or success.

Finally, here are the DLNA specifications about supported media ( source www.dlna.org ) :

[ tables : DLNA supported media formats ]

 

 

3. The Shareport Menu

The Shareport menu is where we do all the management : ports used, users, permissions, shares, WAN access, ...

 

The first section is to allow shareport, setup http and https ports, and allow/disallow remote access :


Web file Access : Enable / Disable ( basic switch for the function )
HTTP port
HTTPS port
Allow Remote Access : Enable / Disable ( allows Wan access )

The default port for HTTP is 8181 and for HTTPS is 4433.

 

User management section :


Besides the defaults :
. admin account ( read/write on all folders )
. guest account ( read access on ( no folder yet ) )
we can create additional users with passwords, modify passwords, or delete users.

Passwords are 15 characters long maximum, and support special characters ( except for the SharePort Mobile App, see below ).


Shares ( mounting points ) and permissions section :

If the guest account or new users are to be used, share-point permissions are to be created, to give permissions and scope.

 

Do note a tricky little aspect : after creating/modifying a user, you have to hit the 'SAVE' button at the top of the page, or the changes will be discarded. The same goes for share-point permissions.

 

4. Enhanced Security: using custom ports

For better security, it is wise to change the default ports.

First, a few notes about ports selection :

 

quote : " The Internet Assigned Numbers Authority (IANA) is responsible for the global coordination of the DNS Root, IP addressing, and other Internet protocol resources. It is good practice to follow their port assignment guidelines. Having said that, port numbers are divided into three ranges: Well Known Ports, Registered Ports, and Dynamic and/or Private Ports. The Well Known Ports are those from 0 through 1023 and SHOULD NOT be used. Registered Ports are those from 1024 through 49151 should also be avoided too. Dynamic and/or Private Ports are those from 49152 through 65535 and can be used. Though nothing is stopping you from using reserved port numbers, our suggestion may help avoid technical issues with port allocation in the future. "
see http://www.iana.org/assignments/port-numbers


We won't use well-known ports ( 0-1023 ), nor registered ports ( 1024-49151 ). Let's change the default settings to use private ports, picked randomly in the 49152-65535 range.
I use a spreadsheet for easy and fast random draws. The OpenCalc formula for the private ports used here is : =ENT(ALEA()*16384+49152)

Hold F9 to roll the dice :

[ image : spreadsheet random port draw ]

( Do note that this formula is simplistic, as it is not even time-seeded. Use seeded formulas for better entropy. )

 

 

5. Practical tests : Lan Access

Let's check the local ( LAN ) functioning, using a PC and a tablet as clients :

[ image : LAN access topology ]

Using a web browser, the NAS user GUI is accessed at ( with 192.168.2.1 as the NAS LAN IP, keeping the default ports ) :

Using these addresses for IPv4 :

http://192.168.2.1:8181
https://192.168.2.1:4433

Using these addresses for IPv6 :

http://[2001:db8:0:2::1]:8181

https://[2001:db8:0:2::1]:4433

 

 

HTTPS is functioning OK, and IPv6 is supported.

Still, two issues quickly arise :

Uploading files


Browser access, or the D-Link SharePort Mobile app, only allows uploading one file at a time.
DLNA gives no write access.

What are the options to upload multiple files at once ( like a music album ) ?

One solution is to turn off the router, take out the USB dongle and plug it into a computer.

Another solution, which is quite worrisome to me, is through SMB :
you just manually map the drive using :

\\192.168.2.1\                 ( for Windows )

smb://192.168.2.1/             ( for Linux or Mac )


There is no login, and it gives all read/write access over the whole storage space.
It doesn't seem to leak to the WAN side still.

 

DLink SharePort Mobile App

Besides the Web GUI, D-Link provides an iPhone/Android app. There are a number of limitations to the SharePort Mobile App :


1. The https port doesn't seem supported ( thus no crypto !! )
2. It doesn't seem to support IPv6
3. It doesn't work with passwords using special characters ( only numbers+ letters upper/lower cases ). Maximum length : 15.

The positive aspects :
1. It does use credentials

 

 

6. Practical tests : Local Wan Access

Let's check the local WAN functioning, staying inside the home network, using a PC and a tablet as clients :

[ image : local WAN access topology ]

Nothing much changes here, we just have to allow WAN access in the Shareport Menu.

One funny, interesting and very logical tip to note :

Using the DIR-626L WAN IP in our browser/app settings allows the PC and the tablet to roam freely through both subnets, as :

. When on the Wan side of the DIR 626L, they access the Wan IP

. When on the Lan side, they just cross the router to reach its Wan side

Thus no reconfiguration is needed.

 

 

7. Practical tests : Remote (Internet) Wan Access

Let's check the global WAN functioning, accessing from the Internet using a PC and a tablet as clients :

[ image : remote WAN access topology ]

Nothing changes from the in-network WAN access, except that we need some port forwarding for IPv4. As for IPv6, we only need to take care of our Internet gateway's firewall.

As a quick reminder, here is the port forwarding topology. Notice we chose random private ports for the Internet gateway to forward :

[ image : port forwarding topology ]

Everything works OK, and as expected.

Using these addresses for IPv4 :

http://203.0.113.27:53546
https://203.0.113.27:54505

Using these addresses for IPv6 :

http://[2001:db8:0:1::254]:53546

https://[2001:db8:0:1::254]:54505

 

The SharePort Mobile App still doesn't support the HTTPS port, nor IPv6.

 

 

8. Security Issues

 

We finish our tour with security issues, in the Wan Internet Access scenario. This for the three types of access ( Web HTTP, Web HTTPS, SharePort Mobile App ).

As a reminder, here is what is to be expected from HTTP and HTTPS :

HTTP Web Access :

          login : cleartext

          password : cleartext

          data confidentiality : no

          data integrity : no

 

HTTPS Web Access :

          login : encrypted

          password : encrypted

          data confidentiality : yes

          data integrity : yes

 

The SharePort Mobile App using only the HTTP port, it is tied to its fundamental insecurity.

 

 

9 Final Thoughts

 

The DIR-626L is a great little piece of hardware for a first step into the NAS world, being fitted with full IPv6 capability and an intuitive, easy-to-use firewall, as we've seen in previous posts.

My only concerns come from the SharePort Mobile App and the SMB access :

While really cool and fun to use, the SharePort Mobile App doesn't support IPv6. It doesn't support special characters in passwords. Worse, it isn't able to use the HTTPS port. For all these reasons, I deem it totally insecure, and unfit for any WAN use. As for using it inside your personal LAN, it's your choice ( and a matter of how much you trust your LAN security ). Waiting for an update of this app.

As for the open SMB access, it defeats any LAN-side user management. As much as it may be a welcome solution to the 'uploading multiple files at once' problem, it creates a real LAN insecurity, as any LAN host may write and delete any files and folders. Again, you have to trust your LAN.

So I'm waiting for an update to the app and to the DIR-626L firmware, to perfect this great piece of hardware.

 

 

 

Published by computer outlines
12 April 2014 10:52

How to set up nftables to do external syslog logging.



The ability to do firewall logging is great, but a network admin needs to forward / consolidate the logs to an external syslog server. For this we'll be using rsyslog, and the ulogd2 spooler.


The OS used here is Ubuntu GNOME 14.04 ( Trusty Tahr ) ( nftables needs kernel 3.13 ).
Here is the network topology used :

[ image : network topology ]

We'll be using the nflog:2 group for logging.

 

 

1. ULOGD2 and dependencies

Ulogd2 needs these dependencies : libnfnetlink, libnetfilter_log, libnetfilter_conntrack

we first need all the nftables / git / makefile dependencies :

sudo -s
apt-get update

apt-get install libmnl0                already installed
apt-get install libmnl-dev

apt-get install git
apt-get install autoconf
apt-get install libtool
apt-get install pkg-config
apt-get install flex
apt-get install bison
apt-get install libgmp3-dev
apt-get install libreadline6-dev
apt-get install autogen

( apt-get install docbook2x docbook-utils )

we install ulogd2 dependencies :

git clone git://git.netfilter.org/libnfnetlink
cd libnfnetlink
sh autogen.sh
./configure
make
make install

cd ..

git clone git://git.netfilter.org/libnetfilter_log
cd libnetfilter_log
sh autogen.sh                                                           ( works ok, but ' unexpected operator ' message during autogen !? )
./configure
make
make install

cd ..

git clone git://git.netfilter.org/libnetfilter_conntrack
cd libnetfilter_conntrack
sh autogen.sh
./configure
make
make install
cd ..

we finally install ulogd2 :

sudo apt-get install ulogd2

 

( Nftables should already be installed. If not, see the notes )

 

 

 

2. Nftables logging setup

we check which protocol families have nflog logging enabled :

 

cat /proc/net/netfilter/nf_log

you might get this :


# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

Let's read this. The number starting each line is the protocol family number :

2=IPv4, 4=Novell IPX, 10=IPv6, ...

The syntax is Protocol Number / Active Module ( Available Modules ).

So here we have nfnetlink_log active for IPv4 only.

( line 10 is : '10 NONE (nfnetlink_log)' )

we need to enable IPv6 nfnetlink_log :

echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

we should get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 nfnetlink_log (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

( See part 7 for /proc/net/netfilter/nf_log persistence at reboot )

 

 

 

3. RSYSLOG setup

with a basic /etc/rsyslog.conf :


*.*    @192.168.0.12:514
*.*    @[2001:db8:0:0::12]:514

sudo service rsyslog restart

( note that this sends every message twice, once to the IPv4 address and once to the IPv6 address ;
remove the line you do not need )

we can also monitor the syslog traffic using Wireshark ( useful for debugging ) with these display filters :

ip.addr == 192.168.0.12
ipv6.addr == 2001:db8:0:0::12

 

 

4. ULOGD2 setup

sudo gedit /etc/ulogd.conf

we uncomment line 95 ( Syslog via NFlog ) :
# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

we launch ulogd :
sudo /usr/sbin/ulogd
( or sudo service ulogd2 restart )

do notice this part in ulogd.conf :

 

[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict

this is where the nflog:2 group is linked in.



5. NFtables Test

nft -f /home/lake/nftables/files/nftables/ipv4-filter
nft -f /home/lake/nftables/files/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

nft add rule filter output ip daddr 208.67.222.222 counter log group 2 prefix "IPv4_OpenDNS_"
nft add rule ip6 filter output ip6 daddr 2620:0:ccc::2 counter log group 2 prefix "IPv6_OpenDNS_"

nft list table filter
nft list table ip6 filter

ping -c 4 208.67.222.222
ping6 -c 4 2620:0:ccc::2
sudo tail /var/log/syslog

 

It should work : we should see syslog messages in Wireshark and on our syslog server.
We get them as DAEMON.NOTICE.


Let's refine our rsyslog filter. We edit /etc/rsyslog.conf :


DAEMON.NOTICE    @192.168.0.12:514                                                                   ( Use Upper Cases )
DAEMON.NOTICE    @[2001:db8:0:0::12]:514

This narrows what is sent through syslog.

 

Do remember to use Upper Cases for facility / level definitions ( ie. use DAEMON.NOTICE, not daemon.notice )

 

 

 

6. ULOGD2 Custom Facility / Level

Let's finally customize our ULOGD2 facility/level so that we can filter what is sent to our external syslog server:

 

sudo gedit /etc/ulogd.conf

 

we add a [sys1] stanza below the [emu1] stanza :
--------------------------------------------------------------------------------------------------------
[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1

[sys1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE
---------------------------------------------------------------------------------------------------------

we relaunch ulogd :
sudo service ulogd2 restart

we now get LOCAL2.NOTICE syslog messages.

we can finally set rsyslog.conf to only send LOCAL2.NOTICE to the external Syslog Server :

using in /etc/rsyslog.conf :
LOCAL2.NOTICE        @192.168.1.100:514                                                                                ( Use Upper Cases )
LOCAL2.NOTICE        @[2001:db8:0:0::12]:514

 

 

7. ulogd2 using two nflog groups


We may need to have ulogd2 gather and relay several nflog groups.
Let's use the Internet Gateway with NFlog from the previous Part 7, which uses two groups.
We'll use nflog group 2 and nflog group 3 ( so as to avoid a collision with group 1, which is already registered by ulogd2 for the [log2] input ).

we copy the log3 stack declaration to make a log4 stack just below it :

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG


we also copy the [log3] declaration to make a [log4]. Notice that [log4] uses group 3 :

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1

[log4]
group=3 # Group has to be different from the one use in log1/log2
numeric_label=1

we just have to restart ulogd2 :
sudo service ulogd2 restart

 

 

8. Ulogd2 using two nflog groups with two syslog facilities

Furthermore, it may be handy to have our two groups use distinct syslog facilities, so that sorting on the syslog server is easier.
We use two nflog stacks with distinct sys1 and sys3 output plugins :

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys3:SYSLOG

we use two nflog descriptors :

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1

[log4]
group=3 # Group has to be different from the one use in log1/log2
numeric_label=1


we add a [sys3] descriptor below [sys1], with its distinct facility :

[sys1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE

[sys3]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL1
level=LOG_NOTICE


we just have to restart ulogd2 :

sudo service ulogd2 restart

( don't forget to update /etc/rsyslog.conf. example :

LOCAL2.NOTICE    @192.168.1.100:514
LOCAL1.NOTICE    @192.168.1.100:514 )
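Parts 7 and 8 both hinge on every [logN] input having its own nflog group and on every stack naming an input that exists. As an added example ( not the blog's or ulogd2's own code ), here is a POSIX sh check that parses a ulogd.conf for those two copy-paste mistakes ; the sample configuration is constructed from the stanzas above, with [log4] left on group 2 and a stack naming a log5 input that was never declared.

```shell
#!/bin/sh
# Added example (not from the blog): sanity-check a ulogd.conf for the two
# mistakes parts 7 and 8 invite when stanzas are copied: two [logN] NFLOG
# inputs bound to the same nflog group, and a stack= line naming a logN
# input that has no [logN] stanza. The sample file below is constructed.

# Print "<section> <group>" for every [logN] section that sets group=.
# Trailing "# ..." comments, as in the stock file, are stripped from the value.
ulogd_nflog_groups() {
    awk '
        /^[ \t]*\[/ { sec = $0
                      sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
        sec ~ /^log[0-9]+$/ && /^[ \t]*group[ \t]*=/ {
            val = $0
            sub(/^[ \t]*group[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]*#.*$/, "", val); sub(/[ \t]+$/, "", val)
            print sec, val
        }' "$1"
}

# Print "group <n>: <section> <section> ..." for each group claimed by more
# than one [logN] input. Empty output means every input has its own group.
ulogd_group_conflicts() {
    ulogd_nflog_groups "$1" | awk '
        { members[$2] = members[$2] (members[$2] == "" ? "" : " ") $1; n[$2]++ }
        END { for (g in n) if (n[g] > 1) print "group " g ": " members[g] }' | sort
}

# Print the logN names used as NFLOG inputs in stack= lines but never defined
# as a [logN] section, ie stacks ulogd2 cannot build at startup.
ulogd_missing_inputs() {
    awk '
        /^[ \t]*\[/ { sec = $0
                      sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); defined[sec] = 1 }
        /^[ \t]*stack[ \t]*=/ {
            line = $0; sub(/^[ \t]*stack[ \t]*=[ \t]*/, "", line)
            cnt = split(line, parts, ",")
            for (i = 1; i <= cnt; i++)
                if (parts[i] ~ /:NFLOG$/) {
                    name = parts[i]; sub(/:.*$/, "", name); used[name] = 1
                }
        }
        END { for (u in used) if (!(u in defined)) print u }' "$1" | sort
}

# Constructed ulogd.conf fragment mirroring parts 7 and 8, with two mistakes:
# [log4] keeps the group it was copied with, and a stack names log5.
ULOGD_SAMPLE='[global]
logfile="/var/log/ulogd.log"

stack=log1:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,emu1:LOGEMU
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG
stack=log5:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys3:SYSLOG

[log1]
group=0

[log2]
group=1 # Group has to be different from the one use in log1/log2

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1

[log4]
group=2 # copied from [log3] without changing the group: conflict
numeric_label=1

[sys1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE

[sys3]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL1
level=LOG_NOTICE'

# Write the sample to a scratch file and print its path.
ulogd_sample_file() {
    _f=$(mktemp)
    printf '%s\n' "$ULOGD_SAMPLE" > "$_f"
    echo "$_f"
}

_conf=$(ulogd_sample_file)
echo "nflog group per input:"; ulogd_nflog_groups "$_conf"
echo "conflicts:"; ulogd_group_conflicts "$_conf"
echo "undefined NFLOG inputs in stacks:"; ulogd_missing_inputs "$_conf"
```

Run it against the real file with `ulogd_group_conflicts /etc/ulogd.conf` before each `service ulogd2 restart`.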

 

 

 

 

9. Notes

 

Firewall logging 'feedback' effect :

Special care must be taken to avoid a positive-feedback loop :

You don't want the firewall to log and syslog its own outgoing syslog messages
( unless you want to test which part of the chain Firewall --> Network hardware --> syslog server will surrender first under a flood of packets ).

Here is a typical output chain that avoids the positive-feedback loop, by accepting outgoing syslog messages ( port 514 ) BEFORE they can be logged :

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output udp dport 514 accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 2 accept
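A check for the ordering the note above requires, as an added example that is not part of the original post : a POSIX sh script that reads a ruleset in the `add rule ...` format used on this page and reports whether the dport 514 accept precedes the first log rule of the output chain. It assumes 514 is the syslog port, as configured in part 3, and one rule per line.

```shell
#!/bin/sh
# Added example (not from the blog): check that an nft ruleset, in the
# 'add rule filter output ...' format used in this post, accepts the host's
# own syslog traffic (dport 514) BEFORE its first 'log' rule in the output
# chain. Otherwise each logged packet becomes a syslog datagram that is
# itself logged: the positive-feedback loop described above.

# Print the 1-based position, among the output-chain rules of table $2
# (default: filter) in file $1, of the first rule matching extended regex $3,
# or 0 when no rule matches.
nft_output_rule_index() {
    _table="${2:-filter}"
    grep -E "^ *(nft +)?add +rule +(ip +)?$_table +output " "$1" |
        awk -v re="$3" '$0 ~ re { print NR; found = 1; exit }
                        END { if (!found) print 0 }'
}

# Print a verdict and exit 0 when the syslog accept rule precedes the first
# log rule (or there is no log rule), exit 1 when the chain would loop.
nft_syslog_loop_check() {
    _file="$1"; _table="${2:-filter}"
    _accept=$(nft_output_rule_index "$_file" "$_table" 'dport 514 .*accept')
    _log=$(nft_output_rule_index "$_file" "$_table" ' log( |$)')
    if [ "$_log" -eq 0 ]; then
        echo "$_table output: no log rule, nothing can loop"; return 0
    elif [ "$_accept" -eq 0 ]; then
        echo "$_table output: log rule #$_log but no syslog accept -> feedback loop"; return 1
    elif [ "$_accept" -lt "$_log" ]; then
        echo "$_table output: syslog accept #$_accept before log #$_log -> ok"; return 0
    else
        echo "$_table output: log #$_log before syslog accept #$_accept -> feedback loop"; return 1
    fi
}

# Constructed rulesets: the chain shown above, and the same rules with the
# syslog accept moved after the log rule, where 'ct state new ... log' catches
# every new syslog flow first.
NFT_GOOD='flush table filter
add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output udp dport 514 accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 2 accept'

NFT_BAD='flush table filter
add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 2 accept
add rule filter output udp dport 514 accept'

# Write ruleset text $1 to a scratch file and print its path.
nft_sample() {
    _f=$(mktemp)
    printf '%s\n' "$1" > "$_f"
    echo "$_f"
}

nft_syslog_loop_check "$(nft_sample "$NFT_GOOD")"
nft_syslog_loop_check "$(nft_sample "$NFT_BAD")" || echo "fix: move the dport 514 accept above the log rule"
```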

Ulogd2 local HDD logging :

 

the log1 stack is enabled by default ( uncommented in /etc/ulogd.conf ).
. it uses group 0 ( may be set )
. logs in /var/log/ulog/syslogemu.log

see the [log1] descriptor.

 

nb2 : log2 seems a better fit

 

 

Ulogd2 custom plugin :

 

We may rename sys1 to systc1 in these two stanzas, for cleanliness, so as to avoid entangling our stack with the default ones.
But it doesn't seem really necessary :

 

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,systc1:SYSLOG

...
[systc1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE

 

 

syslog prefix syntaxes :

 

WORD
WORD1_WORD2
"WORD1 WORD2"
Actually, 63 characters, spaces, upper and lower cases, numbers and special characters allowed.

 

 

iptables syntax :

 

sudo iptables -A OUTPUT -d 8.8.4.4 -j NFLOG --nflog-group 2 --nflog-prefix TESTG2


NFTABLES Specifics :

git clone git://git.netfilter.org/libnftnl
cd libnftnl
sh autogen.sh
./configure
make
make install
ldconfig

cd ..
git clone git://git.netfilter.org/nftables
cd nftables
sh autogen.sh
./configure
make
make install

--

 

Published by computer outlines - in Nftables
12 April 2014 10:00

We'll see here the logging function of nftables : NFLOG.


NFLOG lets us place log hooks in Nftables chains, ie set monitoring points : as an example, logging accepted IN packets vs dropped IN packets, etc.
It allows for firewall monitoring, as well as finer troubleshooting.

 

We'll be using our Part 6 : NFtables Linux Internet Gateway here and see how to set monitoring points :
 
( figure NF5d : Internet Gateway topology )

Note that NFLOG is also used by iptables.

 

 

 

1. The Netfilter Logging Framework


Since Linux 2.6.14 it is possible to pass packets logged by the kernel packet filter to userspace.

There are two tools :

QUEUE and NFQUEUE    : used by external applications for decisions ( SNORT IDS/IPS, NuFW, ulogd, ... )
LOG and NFLOG        : used for external logging ( Wireshark, Syslog, ... )

NFLOG is a new target for iptables and Nftables, logging packets via a virtual device.
The NFLOG target copies packets and sends them to a specified netlink socket.

 

 

 

2. NFlog


Nflog needs to be enabled on a protocol basis. To verify what is loaded :

 

cat /proc/net/netfilter/nf_log

 

you might get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

Let's read this. The number starting each line is the protocol family number :

2=IPv4, 4=Novell IPX, 10=IPv6, ...

The syntax is Protocol Number / Active Module ( Available Modules ).

So here we have nfnetlink_log active for IPv4 only.

( line 10 is : '10 NONE (nfnetlink_log)' )

we need to enable IPv6 nfnetlink_log :

echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

we should get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 nfnetlink_log (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#


So line 2 is for IPv4, line 10 is for IPv6

 

To enable Nflog for IPv4 :
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/2

 

To enable Nflog for IPv6 :
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

Note : this is not persistent through a reboot. And oddly, even a boot bash script gets overridden. As I haven't yet found a way to use /etc/sysctl.conf or alike, I end up using a 1 minute cron job :

 

sudo crontab -e

 

add this :
* * * * * sh /etc/init.d/fwlog.sh

 

the cron job uses this bash file :

 

gedit fwlog.sh
-------------------------------------------------------------------------------------
#!/bin/bash
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/2
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10
exit 0
---------------------------------------------------------------------------------------

 

sudo chmod +x /etc/init.d/fwlog.sh
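The nf_log check of part 2 and the cron persistence fix above, as an added example that is not part of the original post : a POSIX sh script that lists which protocol families have nfnetlink_log active and writes the per-family sysctl only where it is still NONE, so the one-minute cron job stays idempotent instead of rewriting the sysctl every minute. It parses the nf_log format shown above ; the script name nflog_ensure.sh and the variables NF_LOG_STATUS / NF_LOG_SYSCTL_DIR are assumptions.

```shell
#!/bin/sh
# Added example, not the blog's own fwlog.sh: read /proc/net/netfilter/nf_log,
# list the protocol families whose active logger is nfnetlink_log, and write
# the per-family sysctl only for the families still set to NONE. Called from
# the one-minute cron job as 'sh nflog_ensure.sh apply', it stays idempotent.
# NF_LOG_STATUS and NF_LOG_SYSCTL_DIR are assumed variable names, overridable
# to point at test copies of the files (as the demo below does).

NF_LOG_STATUS="${NF_LOG_STATUS:-/proc/net/netfilter/nf_log}"
NF_LOG_SYSCTL_DIR="${NF_LOG_SYSCTL_DIR:-/proc/sys/net/netfilter/nf_log}"

# Print, space separated, the pf numbers whose active logger is nfnetlink_log.
# Each nf_log line reads "<pf> <active logger> (<available loggers>)".
nf_log_active_pfs() {
    awk '$2 == "nfnetlink_log" { out = out (out == "" ? "" : " ") $1 }
         END { print out }' "$1"
}

# Exit 0 when nfnetlink_log is the active logger for pf $2 in status file $1.
nf_log_is_active() {
    awk -v pf="$2" '$1 == pf && $2 == "nfnetlink_log" { found = 1 }
                    END { exit found ? 0 : 1 }' "$1"
}

# Enable nfnetlink_log for pf $3 unless status file $1 already shows it active.
# The write goes to "$2/$3", the per-family sysctl used in the post.
nf_log_ensure() {
    _status="$1"; _dir="$2"; _pf="$3"
    if nf_log_is_active "$_status" "$_pf"; then
        echo "pf $_pf: nfnetlink_log already active"
    else
        echo "nfnetlink_log" > "$_dir/$_pf" || return 1
        echo "pf $_pf: nfnetlink_log enabled"
    fi
}

# Constructed sample mirroring the first listing in the post: nfnetlink_log
# active for IPv4 (pf 2) only, IPv6 (pf 10) still NONE.
NF_LOG_SAMPLE=' 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)'

# Offline demo: run the IPv4 and IPv6 checks against a copy of the sample in
# scratch directory $1, writing to "$1/sysctl" instead of /proc. Expected:
# pf 2 is left alone, "$1/sysctl/10" is created containing nfnetlink_log.
nf_log_demo() {
    printf '%s\n' "$NF_LOG_SAMPLE" > "$1/nf_log"
    mkdir -p "$1/sysctl"
    echo "active before: $(nf_log_active_pfs "$1/nf_log")"
    nf_log_ensure "$1/nf_log" "$1/sysctl" 2
    nf_log_ensure "$1/nf_log" "$1/sysctl" 10
}

case "${1:-demo}" in
    apply)  # real system, needs root: sh nflog_ensure.sh apply
        nf_log_ensure "$NF_LOG_STATUS" "$NF_LOG_SYSCTL_DIR" 2 &&
        nf_log_ensure "$NF_LOG_STATUS" "$NF_LOG_SYSCTL_DIR" 10 ;;
    *)      nf_log_demo "$(mktemp -d)" ;;
esac
```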

 

 

 

3. Simple NFTABLES LOG

 

Let's see the simplest log syntax :
nft add rule filter output log


This will log all output packets to the default NFLOG socket ( ie NFLOG:0 ). This is the NFLOG interface that appears in Wireshark.


Another option is to capture from the command line, and open the capture later in Wireshark :

 

dumpcap -i nflog -w nflog.pcap                                                        ( nb : does not work as root )
wireshark -r nflog.pcap

 

 

 

4. NFTABLES LOG with Prefixes


A little more sophisticated syntax is to use prefixes, to tag different log points. Ex :
sudo nft add rule filter input counter log prefix "INPUT"
sudo nft add rule filter output ct state new counter log prefix "OUTPUT" accept

This will add a different 'tag' to the logged packets, still logging to the default NFLOG socket ( NFLOG:0 ).

The display can be filtered in Wireshark, using these filters :

 

nflog.prefix == "INPUT"
nflog.prefix == "OUTPUT"

NB : the prefix must use no space, ie use  : "ALLOWED_OUT"

Furthermore, a custom Prefix column can be created in Wireshark to display these prefixes live :

 

( figure NF7c )

 

To do so, add a new column :

 

( figure NF7e )

 

    field type : custom
    field name : nflog.prefix
    tick 'displayed'
 


The capture can still be performed using the command line :


dumpcap -i nflog -w nflog.pcap
wireshark -r nflog.pcap

 

 

 

5. Nftables LOG using groups

A more sophisticated approach is to use 'GROUPS', ie different netlink sockets, for different log points or zones.


The netlink group is a netlink multicast group to which packets are sent. The default value is 0. Its value ranges from 0 to 65 535 ( 2^16-1 ).

 

As an example, all dropped incoming packets ( INPUT and FORWARDING IN ) could be sent to one group, and all outgoing packets ( OUTPUT and FORWARDING OUT ) to another, or groups could be used to separate different destination IPs... Here is an example :

 

nft add rule filter forward ip daddr 192.168.2.10 log group 10
nft add rule filter forward ip daddr 192.168.2.34 log group 34

 

This will log to the NFLOG sockets NFLOG:10 and NFLOG:34

 

Wireshark doesn't seem to have a GUI way to select these sockets. The only way I know to display these sockets is to launch Wireshark using the command line :

 

wireshark -i nflog:34 -i nflog:10 -k

we can try pinging 192.168.2.10 and 192.168.2.34 from the 192.168.1.0/24 network, and see the live nflog messages in wireshark :

 

( figure NF7d )

The GROUP is named 'Resource ID' in Wireshark. Here are the Wireshark display filters :

 

nflog.res_id == 34
nflog.res_id == 10

Furthermore, a custom GROUP column can be created for live capture display :

 

( figure NF7a )

 

new column :

 

( figure NF7f )

 

    field type : custom
    field name : nflog.res_id

    tick 'displayed'
 

The command line capture syntax is :

 

dumpcap -i nflog:10 -i nflog:34 -w nflog.pcap
wireshark -r nflog.pcap

Quote : " The resource ID is in network byte order (big-endian). On one netlink socket it's possible to listen to several nflog groups; the resource ID is the nflog group for the packet "
source : http://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html

 

 

 

6. Basic FW example using Prefixes and Groups

 

Here is our Internet Gateway ruleset, with NFlog logging :

 

( figure NF5d : Internet Gateway topology )

 

The main ideas are :

 

. enable comprehensive NFlog prefixes
. use group 1 for the Linux host firewall itself ( INPUT and OUTPUT chains )
. use group 2 for network forwarding ( FORWARD chains )
. the ICMP policies try to be RFC compliant

-------------------------------------------------------------------------------------------------------------------------------------------------------------------
flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input icmp type echo-request counter log prefix "IPv4_PING_IN" group 1 accept
add rule filter input tcp dport ssh counter log prefix "IPv4_SSH_IN" group 1 accept
add rule filter input iif eth0 udp dport 67 counter log prefix "IPv4_DHCP_LAN_IN" group 1 accept
add rule filter input counter log prefix "IPv4_IN_DROPPED" group 1 drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 1 accept

add rule filter forward iif eth1 oif eth0 ct state established accept
add rule filter forward iif eth1 oif eth0 ct state related accept
add rule filter forward iif eth1 oif eth0 icmp type echo-request counter log prefix "IPv4_PING_FORWARD_IN_DROPPED" group 2 drop

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept

add rule filter forward iif eth0 oif eth1 ct state new counter log prefix "IPv4_FORWARD_OUT" group 2 accept
add rule filter forward iif eth1 oif eth0 counter log prefix "IPv4_FORWARD_IN_DROPPED" group 2 drop

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log prefix "IPv6_SSH_IN" group 1 accept
add rule ip6 filter input iif eth0 udp dport 547 counter log prefix "IPv6_DHCP_LAN_IN" group 1 accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request counter log prefix "IPv6_PING_IN" group 1 accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log prefix "IPv6_IN_DROPPED" group 1 drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter log prefix "IPv6_OUT" group 1 accept

add rule ip6 filter forward iif eth1 oif eth0 ct state established accept
add rule ip6 filter forward iif eth1 oif eth0 ct state related accept
add rule ip6 filter forward iif eth1 oif eth0 icmpv6 type echo-request counter log prefix "IPv6_PING_FORWARD_IN_ACCEPTED" group 2 accept

add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept

add rule ip6 filter forward iif eth0 oif eth1 ct state new counter log prefix "IPv6_FORWARD_OUT" group 2 accept
add rule ip6 filter forward iif eth1 oif eth0 counter log prefix "IPv6_FORWARD_IN_DROPPED" group 2 drop

add table nat
flush table nat
add chain nat post { type nat hook postrouting priority 0 ; }
add chain nat pre { type nat hook prerouting priority 0 ; }

add rule nat post ip saddr 192.168.2.100 oif eth1 snat 192.168.1.220
add rule nat pre udp dport 53 ip saddr 192.168.2.0/24 dnat 8.8.8.8:53

add table ip6 nat
add chain ip6 nat postrouting { type nat hook postrouting priority 0 ; }
add chain ip6 nat pre { type nat hook prerouting priority 0 ; }

add rule ip6 nat pre udp dport 53 ip6 saddr 2001:470:c82c:2::/64 dnat 2001:4860:4860:0:0:0:0:8888:53
----------------------------------------------------------------------------------------------------------------------------------------------------------------


we can monitor the firewall using wireshark with this command line :
wireshark -i nflog:1 -i nflog:2 -k
 
( figure NF7b )



7. Notes

 

IPTABLES syntaxes :

 

As Nflog is used by IPTables too, here are the IPTables syntaxes, which are handy for quick debugging :

 

iptables -A OUTPUT -j NFLOG

iptables -A INPUT -j NFLOG --nflog-group 10

iptables -A OUTPUT -j NFLOG --nflog-prefix  TEST1


Published by computer outlines - in Nftables
11 April 2014 10:37

We'll see here how to use Nftables to implement an Internet Gateway, ie an Nftables router with IPv4 NAT and IPv4/IPv6 DNS proxy.
This article relies on Part 5 : A Nftables Linux Router. See that part for complete explanations on how to forward using Nftables.

Here is the network topology :

( figure NF5d : Internet Gateway topology )


1. What we need to build an Nftables Linux Internet Gateway

We want the Linux OS to be firewalled from the exterior ( both Wan and Lan ), allowing only ssh access in, and any access out

We want Lan > Wan traffic to be always allowed, and only reply traffic to be allowed in

We want IPv4 NAT and IPv4 / IPv6 DNS proxy

This post is mostly about Nftables, so DHCP and SLAAC issues will be very quickly treated here.

 

 

 

2. Routing part setup

We first setup static IPs for wan ( eth0 ) and lan ( eth1 ) interfaces.

We enable forwarding :

sudo gedit /etc/sysctl.conf

by uncommenting :

net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1

we reboot to apply changes



3. NAT and DNS proxy setup

We setup IPv4 NAT :

nft add table nat
nft add chain nat post { type nat hook postrouting priority 0 \; }
nft add chain nat pre { type nat hook prerouting priority 0 \; }

( the presence of a prerouting chain seems mandatory for NAT to work )


Note that the selected type for this chain is nat.

nft add rule nat post ip saddr 192.168.1.0/24 oif eth0 snat 192.168.0.254

or

nft add rule nat post ip saddr 192.168.1.10 oif eth0 snat 192.168.0.254

where 192.168.0.254 is the Linux router's static IP, and 192.168.1.10 is PC1's static IP

 

 

As Nftables defaults to ACCEPT in the absence of any rules, PC1 should now be able to access the Internet.



We setup IPv4 DNS proxy :


nft add rule nat pre udp dport 53 ip saddr 192.168.1.0/24 dnat 208.67.222.222:53

ie. any IPv4 DNS request, or one using the gateway as DNS server, will be proxied to 208.67.222.222 ( OpenDNS IPv4 )

We setup IPv6 DNS proxy :

nft add table ip6 nat
nft add chain ip6 nat post { type nat hook postrouting priority 0 \; }
nft add chain ip6 nat pre { type nat hook prerouting priority 0 \; }
nft list -n table ip6 nat

nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:1::0/64 dnat 2620:0:ccc::2:53

ie. any IPv6 DNS request, or one using the gateway as DNS server, will be proxied to 2620:0:ccc::2 ( OpenDNS IPv6 )

PC1 connections should work OK ( including OS updates, Mail client, Web browsing ). There only seems to be a problem in this implementation with IPv6 web browsing using chrome, whereas IPv6 works ok using IE or Firefox. A particular chrome http implementation ?

 

 

5. Internet Gateway Firewall Evaluation

We proceed the same way as in Part 5 : Nftables Linux Router.

( figure NF5c : firewall test topology )


We'll use this firewall testing methodology :

One PC launches a regular NMAP scan to the other PC,
the other PC is using Wireshark to track the packets that managed to pass the Router's firewall. We do the test for IPv4 and IPv6, FW on and off, and switching Lan and Wan sides ( thus a total of 8 tests ).

Everything works as expected :

all nmap packets get out of the Lan without problem.
all nmap packets get dropped from Wan to Lan, except if the firewall is pulled down.
the nft list table filter command shows the dropped packets

 

The [frame.interface_id==x] Wireshark display filter shows the Linux router's received packets vs emitted packets.

The ICMPv6 requirements are respected ( ping6 through the firewall ).


6. notes

IPv6 syntax issues :
nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:3::0/64 dnat 2001:4860:4860:0:0:0:0:8888

works ok

nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:3::0/64 dnat [2001:4860:4860:0:0:0:0:8888]:53

gives a syntax error


Wireshark tap / log :

Wireshark does provide a way to tap the firewall using NFLOG, allowing some fine Firewall monitoring / evaluation. We'll see it in Part 7.


Useful commands :

ip route add default via 2001:db8:0:2::1                                                                                   ( Linux default gateway )

nft flush table nat

nft delete chain nat postrouting

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE ( iptables masquerading command, for troubleshooting / comparisons )

Chrome browser :

There seems to be a problem in this implementation with IPv6 web browsing using chrome,
whereas it works ok using IE or Firefox. Particular chrome http implementation ?

Open DNS IPs :


IPv4 :    208.67.222.222
              208.67.220.220

IPv6 :    2620:0:ccc::2
              2620:0:ccd::2


Published by computer outlines - in Nftables
11 April 2014 10:12

How to use Nftables in a Linux Router ( A pure Router, without NAT. Linux Nftables Internet Gateway with NAT / DNS proxy is for Part 6 ).
We'll use Ubuntu 14.04.

 

Here is the network topology :

( figure NF5a : router topology )


We won't see NAT and DNS proxy implementation here ; that will be left for part 6. So we have to do with static routes.
PC1 has the Linux OS as default gateway.
PC2 has a static route to PC1 ( no NAT here ), both for IPv4 and IPv6



1. What we need to build an Nftables Linux Router

 

We want the Linux OS to be firewalled from the exterior ( both Wan and Lan ), allowing only ssh access in, and any access out.

We want Lan > Wan traffic to be always allowed, and only reply traffic to be allowed in



2. Routing part setup

We first setup static IPs for wan ( eth0 ) and lan ( eth1 ) interfaces.

We enable forwarding :

sudo gedit /etc/sysctl.conf

by uncommenting :

net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1

we reboot to apply changes


Nftables has no default rules : it allows everything IN / OUT / FORWARD.

So the routing part should work OK now ( ping tests between the two PCs )


3. NFTables Router Ruleset

Building from our previous Basic IPv4/IPv6 Nftables Host firewall, we just need to add the forwarding rules :

allow from Lan to Wan
allow ( already ) established and related connections from Wan to Lan
drop other from Wan to Lan

allow icmpv6 echo request through the firewall in both directions.
 
this will add these rules to our ruleset :

for IPv4 :

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept
add rule filter forward iif eth1 oif eth0 counter accept
add rule filter forward iif eth0 oif eth1 counter log drop

for IPv6 :

add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept
add rule ip6 filter forward iif eth0 oif eth1 icmpv6 type echo-request accept
add rule ip6 filter forward iif eth1 oif eth0 counter accept
add rule ip6 filter forward iif eth0 oif eth1 counter log drop


Here is the resulting complete ruleset :

----------------------------------------------------------------------------------------------------------------
flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept
add rule filter forward iif eth1 oif eth0 counter accept
add rule filter forward iif eth0 oif eth1 counter log drop


add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept


add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept
add rule ip6 filter forward iif eth0 oif eth1 icmpv6 type echo-request accept
add rule ip6 filter forward iif eth1 oif eth0 counter accept
add rule ip6 filter forward iif eth0 oif eth1 counter log drop

----------------------------------------------------------------------------------------------------------------------------------

 

4. Firewall Testing

( figure NF5a : router topology )

 

 

We'll use this firewall testing methodology :

One PC launches a regular NMAP scan to the other PC,
the other PC is using Wireshark to track the packets that managed to pass through the Router's firewall. We do the test for IPv4 and IPv6, FW on and off, and switching Lan and Wan sides ( thus a total of 8 tests ).

Everything works as expected :

all nmap packets get out of the Lan without problem.
all nmap packets get dropped from Wan to Lan, except if the firewall is pulled down.
the nft list table filter command shows the dropped packets


The [frame.interface_id==x] Wireshark display filter shows the Linux router's received packets vs emitted packets.

The ICMPv6 requirements are respected ( ping6 through the firewall ).


5. notes

Useful commands :


ip route add default via 2001:db8:0:2::1                                                      to add a default GW to Linux using shell.

Published by computer outlines - in Nftables
9 April 2014 10:13


How to set up our firewall bash file to cleanly execute at startup, along with a nice start/stop command,
using Ubuntu GNOME 14.04 (Trusty Tahr).

 

( figure NF2a )

 

Be aware that nft commands can only be launched as root ( either using sudo -s or sudo [command] ).
Trying to use the nft command without being root produces errors that can be misinterpreted as a software error / failure. Throughout this post I assume every nft command is run as root ( sudo -s ).


1. Simple Nftables autoloading Firewall

 
We'll use a very basic firewall setting, that only blocks ICMPv4 and ICMPv6 echo-request ( ie IPv4 and IPv6 ping ).

1) first, we create a script : fwautorun.sh

touch fwautorun.sh

we edit it :

gedit fwautorun.sh

to fill the basic structure.
do note the 'sudo nft' syntax in the script. It is mandatory for the script to autoload.
------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          fwautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the nftables ping firewall at boot time
# Description:       Loads the IPv4/IPv6 filter templates and drops echo-requests.
### END INIT INFO


case "$1" in
  start)

    # load the empty filter templates ( creates the tables and base chains )
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter
    # start from empty chains, so the script can be re-run safely
    sudo nft flush table filter
    sudo nft flush table ip6 filter

    # drop IPv4 and IPv6 echo-requests only ( 'ip protocol icmp' would drop all of ICMPv4 )
    sudo nft add rule filter input icmp type echo-request counter drop
    sudo nft add rule ip6 filter input icmpv6 type echo-request counter drop


    echo "NFTABLES ICMP Ping Firewall is ON"
    ;;
  stop)
    sudo nft flush table filter
    sudo nft flush table ip6 filter
    echo "NFTABLES ICMP Ping Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun.sh {start|stop}"
        exit 1
        ;;
esac

exit 0
-----------------------------------------------------------------------------------------------------------------------------

2) we copy that script into /etc/init.d
sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

3) we make it executable and add it to startup :

sudo chmod 755 /etc/init.d/fwautorun.sh
sudo update-rc.d fwautorun.sh defaults

nb : the update-rc.d command takes no absolute path, it refers to /etc/init.d/
nb : init runs this file as root at every boot : it must stay owned by root and must not be writable by any other user.


4) the script can be started / stopped using :
/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop


2. Basic Nftables autoloading IPv4/IPv6 Firewall

Of course, the start and stop parts of the script can hold any command sequence. Here is what it looks like with the ruleset from Nftables 2 : Basic IPv4 / IPv6 ruleset :

touch fwautorun.sh
gedit fwautorun.sh

---------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          fwautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the nftables IPv4/IPv6 host firewall at boot time
# Description:       Loads the filter templates and the basic host ruleset.
### END INIT INFO


case "$1" in
  start)

    # load the empty filter templates ( tables and base chains ), then empty the chains
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter

    # IPv4 input : replies to our own traffic, loopback and ssh ; everything else is logged and dropped
    sudo nft add rule filter input ct state established accept
    sudo nft add rule filter input ct state related accept
    sudo nft add rule filter input iif lo accept
    sudo nft add rule filter input tcp dport ssh accept
    # the chain keeps the default accept policy : this last rule is what actually closes the host
    sudo nft add rule filter input counter log drop

    # IPv4 output : let everything out
    sudo nft add rule filter output ct state established accept
    sudo nft add rule filter output ct state related accept
    sudo nft add rule filter output oif lo accept
    sudo nft add rule filter output ct state new counter accept

    # IPv6 input : same as IPv4, plus the ICMPv6 types a host needs for neighbour discovery and SLAAC
    sudo nft add rule ip6 filter input ct state established accept
    sudo nft add rule ip6 filter input ct state related accept
    sudo nft add rule ip6 filter input iif lo accept
    sudo nft add rule ip6 filter input tcp dport ssh accept

    sudo nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
    sudo nft add rule ip6 filter input icmpv6 type echo-request accept
    sudo nft add rule ip6 filter input icmpv6 type nd-router-advert accept
    sudo nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

    sudo nft add rule ip6 filter input counter log drop

    # IPv6 output : let everything out
    sudo nft add rule ip6 filter output ct state established accept
    sudo nft add rule ip6 filter output ct state related accept
    sudo nft add rule ip6 filter output oif lo accept
    sudo nft add rule ip6 filter output ct state new counter accept

    echo "NFTABLES Firewall is ON"
    ;;
  stop)

    # reload the templates in case the tables do not exist yet, then empty the chains :
    # with no rules and the default accept policy, everything passes
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter

    echo "NFTABLES Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun.sh {start|stop}"
        exit 1
        ;;
esac

exit 0
--------------------------------------------------------------------------------------------------------------------------

sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

sudo chmod 755 /etc/init.d/fwautorun.sh
sudo update-rc.d fwautorun.sh defaults

nb : the update-rc.d command takes no absolute path, it refers to /etc/init.d/

The script can be started / stopped using :

/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop

 


3. Ruleset boot-time loading using the nft -f command

A slightly more sophisticated way is to have our boot-time script use the nft -f command to load a ruleset file. This way, the ruleset can be modified / backed up / etc ... without touching the startup script itself. On current nftables, a file loaded with nft -f is also committed as a single atomic transaction, so the host never runs with a half-loaded ruleset, which a sequence of separate nft add rule commands cannot guarantee.

We'll use a very basic firewall setting that only blocks ICMP echo-requests ( ie ping ).

1) First, we create our nft ruleset file fw.ruleset ( see previous posts )
gedit /etc/fw.ruleset
-----------------------------------------------------------------------------------------------------------------------------
# a file read by nft -f cannot take shell options : the templates are pulled in with include
include "/usr/local/etc/nftables/ipv4-filter"
include "/usr/local/etc/nftables/ipv6-filter"
flush table filter
flush table ip6 filter

# drop IPv4 and IPv6 echo-requests only ( 'ip protocol icmp' would drop all of ICMPv4 )
add rule filter input icmp type echo-request counter drop

add rule ip6 filter input icmpv6 type echo-request counter drop
-------------------------------------------------------------------------------------------------------------------------------


2) then, we create a script : fwautorun.sh

touch fwautorun.sh

we edit it and fill in the basic structure :
gedit fwautorun.sh
do note the 'sudo nft' syntax in the script : init already runs it as root at boot, so sudo is redundant there, but it lets the same script be run from a normal user shell.
--------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          fwautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Load the nftables firewall ruleset file at boot time
# Description:       Loads the filter templates, then the ruleset in /etc/fw.ruleset.
### END INIT INFO


case "$1" in
  start)

    # load the templates ( tables and base chains ), empty the chains, then load the ruleset file
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter
    sudo nft -f /etc/fw.ruleset

    echo "NFTABLES Firewall is ON"
    ;;
  stop)

    # reload the templates in case the tables do not exist yet, then empty the chains :
    # with no rules and the default accept policy, everything passes
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter
    echo "NFTABLES Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun.sh {start|stop}"
        exit 1
        ;;
esac

exit 0
-------------------------------------------------------

3) we copy that script into /etc/init.d
sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

4) we make it executable and add it to startup :

sudo chmod 755 /etc/init.d/fwautorun.sh
sudo update-rc.d fwautorun.sh defaults


5) the script can be started / stopped using :
/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop


some notes :

. a fw_off.ruleset may be created, for a cleaner ' firewall off ' mode :
it would simply be the empty templates, like the default ipv4-filter and ipv6-filter ( do keep in mind that empty chains with the default accept policy leave the host fully open ).

. instead of using ' template loading ' :
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter


we may use table creation :

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }


But there is no real benefit to this approach : loading the templates is a cleaner way to ( re )create the tables and chains, and the flush commands take care of emptying them.


4. Basic Firewall Ruleset

As a reminder of the previous NFtables parts, here is a basic IPv4/IPv6 firewall ruleset ( for a Host, not for a Router ) :

------------------------------------------------------------------------------------------------------------
flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept

-------------------------------------------------------------------------------------------------------------------------




5. notes

to remove a startup record :

sudo update-rc.d -f fwautorun.sh remove


an nftables boot-time / autoload alternative :
nftables-systemd
( https://github.com/devkid/nftables-systemd )

not tested here

 

 

a few checks :

    the FW is active, and packets are counted, even if no user is logged in
    the FW is active, and packets are counted, when a user is logged in

    the file fwautorun.sh does not need to be root:root for it to run, it can be [user]:[user]. Do not leave it that way, though : init executes it as root at every boot, so a script writable by an unprivileged user is a straight path to root. Keep it root:root, mode 755.
    the file fwautorun.sh does not need to end in .sh, it can simply be fwautorun



   


9 April 2014 09:46


We'll see here the different possible ways to load or save our Nftables ruleset.
Using Ubuntu GNOME 14.04 (Trusty Tahr).
 


Be aware that nft commands can only be launched as root ( either using sudo -s or sudo [command] ).
Trying to use the nft command without being root produces errors that can be misinterpreted as a software error / failure. Throughout this post I assume every nft command is run as root ( sudo -s ).


1.  Ruleset Loading using a shell script

The easiest way to load / save rulesets is to use a shell script.

To put it all in a simple shell script, we first create a fw.sh file :

touch /home/[user]/fw.sh

and edit it :

gedit /home/[user]/fw.sh

We start it with the usual header :

#!/bin/bash

We load the IPv4 and IPv6 templates :

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

We flush any tables :

nft flush table filter
nft flush table ip6 filter

We append our filter list :

line 1 ...
line 2 ...
line 3 ...

We finish with a nice exit code :
exit 0

Here is what it looks like, with our basic IPv4/IPv6 firewall :
-------------------------------------------------------------------------------
#!/bin/bash

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept

nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

nft add rule ip6 filter input counter log drop

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept

echo "Nftables Firewall is now ON"

exit 0

-------------------------------------------------------------------------------------------------------------------------

we make it executable :

chmod +x /home/[user]/fw.sh

we can now run it easily :

sudo /home/[user]/fw.sh

( not ' sudo sh fw.sh ' : on Ubuntu sh is dash, and invoking it that way ignores the #!/bin/bash line )



we can easily make a fw_off.sh script too :

----------------------------------------------------------------------------------------------------------------------------
#!/bin/bash

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

echo "Nftables Firewall is now OFF"

exit 0
--------------------------------------------------------------------------------------------------------------------------------


nb: instead of loading blueprints, we can create the tables and chains. These lines :

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

would then become :

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }






2. Ruleset loading using the nft -f command

Another way to save / load rulesets is to use the nft -f command.
Keeping the same firewall example as before, we create a fw.ruleset file ( any name / extension ) containing our command list without the leading 'nft' : the file is read by nft itself, so shell words such as 'nft' or the '-f' option are not valid inside it. The tables still need to exist beforehand, either created by hand or pulled in from the templates with an include statement at the top of the file :

include "/usr/local/etc/nftables/ipv4-filter"
include "/usr/local/etc/nftables/ipv6-filter"

here is how we create our ruleset :

touch /home/[user]/fw.ruleset

we edit it :

gedit /home/[user]/fw.ruleset

--------------------------------------------------------------------------------------------------
include "/usr/local/etc/nftables/ipv4-filter"
include "/usr/local/etc/nftables/ipv6-filter"

flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept

-----------------------------------------------------------------------------------------------------------------

we can load it using this command :

sudo nft -f fw.ruleset


we can easily make a fw_off.ruleset file too ( again without the 'nft' prefix, since nft -f reads it directly ) :

-----------------------------------------------------------------------------
include "/usr/local/etc/nftables/ipv4-filter"
include "/usr/local/etc/nftables/ipv6-filter"

flush table filter
flush table ip6 filter

-------------------------------------------------------------------------------

We can also put the table and chain creation in the file itself, so the templates do not need to have been loaded beforehand :
add table filter
add table ip6 filter

add chain filter input { type filter hook input priority 0 ; }
add chain filter forward { type filter hook forward priority 0 ; }
add chain filter output { type filter hook output priority 0 ; }

add chain ip6 filter input { type filter hook input priority 0 ; }
add chain ip6 filter forward { type filter hook forward priority 0 ; }
add chain ip6 filter output { type filter hook output priority 0 ; }



flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept
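
Sections 1 and 2 above move the same ruleset from a shell script into an nft -f file by hand. Here is an added example, not from the original post, that does the conversion automatically : it strips the leading 'nft' ( and 'sudo' ), turns 'nft -f FILE' into an include statement, unescapes the '\;' that is only needed in a shell, and keeps shell-only lines ( echo, exit ) as comments so nothing disappears silently. The sample fw.sh it writes is constructed for the example ; the template paths are the ones used throughout this post, and the script and function names are my own.

```sh
#!/bin/sh
# Added example, not from the original post : turn a fw.sh style list of
# 'nft ...' shell commands into a file that 'nft -f' can load in one go.
# Assumptions : POSIX sh + awk ; the input follows this post's conventions
# ( optional 'sudo', 'nft -f TEMPLATE' for template loading, '\;' inside
# chain definitions, 'echo' / 'exit' as the only non-nft statements ).

# sh2ruleset INPUT : print the equivalent nft -f ruleset on stdout
sh2ruleset() {
    awk '
        /^#!/            { next }             # shebang has no meaning for nft
        /^[ \t]*#/       { print; next }      # comments are valid in an nft file too
        /^[ \t]*$/       { next }             # blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/^sudo[ \t]+/, "", line)      # root is implied when nft -f runs
            if (line !~ /^nft[ \t]/) {
                # shell-only statement : keep it visible instead of dropping it
                print "# skipped shell line: " line
                next
            }
            sub(/^nft[ \t]+/, "", line)
            if (line ~ /^-f[ \t]+/) {
                # "nft -f FILE" is a shell option : inside a ruleset it is an include
                sub(/^-f[ \t]+/, "", line)
                print "include \"" line "\""
                next
            }
            gsub(/\\;/, ";", line)            # the backslash only protected ; from the shell
            print line
        }' "$1"
}

# write_sample_fw_sh DEST : constructed sample in the style of this post's fw.sh
write_sample_fw_sh() {
    cat > "$1" <<'EOF'
#!/bin/bash
nft -f /usr/local/etc/nftables/ipv4-filter
sudo nft flush table filter
nft add chain filter input { type filter hook input priority 0 \; }
nft add rule filter input ct state established accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop
echo "Nftables Firewall is now ON"
exit 0
EOF
}

# usage : sh2ruleset.sh --demo                 ( converts the built-in sample )
#         sh2ruleset.sh --convert fw.sh > fw.ruleset ; sudo nft -c -f fw.ruleset
case ${1:-} in
    --demo)    t=$(mktemp); write_sample_fw_sh "$t"; sh2ruleset "$t"; rm -f "$t" ;;
    --convert) sh2ruleset "$2" ;;
esac
```

On a real file, check the result with sudo nft -c -f fw.ruleset before loading it : on current nftables the whole file is applied as one transaction and is refused entirely on a syntax error, which is exactly the behaviour we want from a boot-time ruleset.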


3. Ruleset loading using an nftables ' dump '

Another useful way to save / load a ruleset is to dump the live tables with nft list :

 

a : we set up our firewall

b : we dump the configuration into a fw.rule file ( any name / extension is possible ) :
nft list table filter > fw4.rule
nft list table ip6 filter > fw6.rule

 

we can now load our firewall back using these commands :
nft -f fw4.rule
nft -f fw6.rule

Interesting to note is that the counter values are part of the dump and are restored with it, which can be used to carry counters across a reboot. Do note that loading a dump into a table that already holds rules appends them ( rules are never replaced ), so flush the table first or the ruleset ends up duplicated. On current nftables, nft list ruleset dumps every table at once, and a flush ruleset line at the top of the dump turns the restore into a clean replacement.

Both dumps can also be concatenated into a single file :

save :
    nft list table filter > fw.rule
    nft list table ip6 filter >> fw.rule

restore :
    nft -f fw.rule


4. Notes


(1) to be able to load the templates, use the full path to the template file ( source tree copy or installed copy ) :
nft -f /home/[user]/nftables/files/nftables/ipv6-filter
nft -f /usr/local/etc/nftables/ipv6-filter

(2) nft commands only work as root

be aware that nft commands can only be launched as root ( either using sudo -s or sudo [command] ).
trying to use the nft command without being root produces errors that can be misinterpreted as a software error / failure.


(3) to empty a chain ( delete all of its rules ) :

nft flush chain filter input
nft flush chain filter output
nft flush chain filter forward

nft flush chain ip6 filter input
nft flush chain ip6 filter output
nft flush chain ip6 filter forward

( nft delete rule removes a single rule and needs its handle, shown by nft -a list table filter )


(4) use of bash files :

gedit rule1.sh

chmod +x rule1.sh
sudo ./rule1.sh

( running it as ' sh rule1.sh ' ignores the #!/bin/bash line and executes it under dash )

(5) Windows / Linux text format issue

nb : beware of Windows / Linux line-ending problems when moving config files between systems : a ruleset saved with CRLF endings will not parse. file(1) reports such a file as having ' CRLF line terminators ' ; strip the carriage returns with dos2unix or sed -i 's/\r$//', or cat the file on a Linux terminal and paste it into a fresh new file.
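
As an added example, not part of the original posts, here is a small pre-flight script that checks the two kinds of files these posts produce before they go live : the ruleset file loaded with nft -f ( Windows line endings, shell syntax such as 'nft ...' or '-f ...' left inside it, base chains without a drop policy ) and the init script installed under /etc/init.d in the previous post ( it must be root-owned and not writable by group or other, since init executes it as root at every boot ). The script and function names are my own ; it assumes GNU stat and grep, and nft itself only for the optional dry run.

```sh
#!/bin/sh
# Added example, not from the original posts : pre-flight checks for an
# nftables ruleset file and for the boot script that init runs as root.
# Assumptions : GNU stat / grep / sed ( Linux ) ; nft only for nft_dry_run.

# has_crlf FILE : succeeds if FILE contains carriage returns ( Windows line endings )
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# shell_lines FILE : print lines that belong in a shell script, not in an nft -f file
shell_lines() {
    grep -nE '^[[:space:]]*(sudo[[:space:]]+)?(nft[[:space:]]|-f[[:space:]])' "$1"
}

# open_hook_chains FILE : print base chain declarations without 'policy drop'
# ( with the default accept policy the host is open until the final drop rule lands )
open_hook_chains() {
    grep -nE 'type[[:space:]]+filter[[:space:]]+hook' "$1" | grep -vE 'policy[[:space:]]+drop'
}

# lint_ruleset FILE : static checks ; returns 0 when clean, 1 on errors ( warnings do not fail )
lint_ruleset() {
    rc=0
    if has_crlf "$1"; then
        printf '%s\n' "$1: CRLF line endings ( fix with: sed -i 's/\r\$//' $1 )"
        rc=1
    fi
    if shell_lines "$1" >/dev/null; then
        printf '%s\n' "$1: shell syntax inside an nft -f file ( drop the 'nft' prefix, use include \"FILE\" instead of -f FILE ):"
        shell_lines "$1" | sed 's/^/    /'
        rc=1
    fi
    if open_hook_chains "$1" >/dev/null; then
        printf '%s\n' "$1: warning, base chain(s) relying on a trailing drop rule instead of 'policy drop':"
        open_hook_chains "$1" | sed 's/^/    /'
    fi
    return $rc
}

# nft_dry_run FILE : have the kernel validate the file without applying it ( needs root )
nft_dry_run() {
    command -v nft >/dev/null 2>&1 || { printf '%s\n' "nft not installed"; return 1; }
    nft -c -f "$1"
}

# script_safe_to_run_as_root FILE [OWNER_UID] : succeeds if FILE is owned by
# OWNER_UID ( default 0 = root ) and has no group / other write bit. Anything
# init runs as root at boot must pass this, or a local user can edit it into a root shell.
script_safe_to_run_as_root() {
    file=$1
    want=${2:-0}
    [ -f "$file" ] || return 1
    owner=$(stat -c '%u' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    [ "$owner" = "$want" ] || return 1
    go=${mode#"${mode%??}"}          # last two octal digits : group and other
    case $go in
        *[2367]*) return 1 ;;        # a write bit ( 2 ) is set for group or other
    esac
    return 0
}

# usage : fwlint.sh --ruleset /etc/fw.ruleset
#         fwlint.sh --script  /etc/init.d/fwautorun.sh
case ${1:-} in
    --ruleset)
        lint_ruleset "$2" && printf '%s\n' "$2: static checks passed" ;;
    --script)
        if script_safe_to_run_as_root "$2"; then
            printf '%s\n' "$2: root-owned and not writable by group/other"
        else
            printf '%s\n' "$2: fix with: chown root:root $2 && chmod 755 $2"
            exit 1
        fi ;;
esac
```

Run the --ruleset check on every file before pointing the init script at it, and the --script check on the init script after the cp / chmod steps of the previous post ; when run as root, nft_dry_run adds the kernel's own syntax check on top of the static ones.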

 
