8 April 2014, 15:18


We'll see here how to design a basic, functional nftables firewall ruleset, and how to apply it with a simple bash script.



Be aware that nft commands can only be run as root (either with sudo -s or sudo [command]).
Running nft without root privileges produces errors that can be mistaken for a software failure. Throughout this post I assume every nft command is run as root (sudo -s).


1. IPv4 part

 

We load the IPv4 table from its blueprint file and list it:

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft list table filter

We basically want to allow in established and related connections:

nft add rule filter input ct state established accept
nft add rule filter input ct state related accept

We allow in on the loopback interface:

nft add rule filter input iif lo accept

We count, log, and allow in SSH connections:

nft add rule filter input tcp dport ssh counter log accept

And we count, log and drop any other packet. Rule order matters here: nft evaluates the rules of a chain in order and the first matching verdict wins, so this catch-all drop must stay last:

nft add rule filter input counter log drop

We allow out established and related connections:

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept

We allow out on the loopback interface:

nft add rule filter output oif lo accept

And we allow out and count any new connection:

nft add rule filter output ct state new counter accept

This sums it all up for IPv4:


nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept

 

 

2. IPv6 Part

 

We load the IPv6 table from its blueprint file and list it:

nft -f /home/[user]/nftables/files/nftables/ipv6-filter
nft list table ip6 filter

We basically want to allow in established and related connections:

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept

We allow in on the loopback interface:

nft add rule ip6 filter input iif lo accept

We count, log, and allow in SSH connections:

nft add rule ip6 filter input tcp dport ssh counter log accept

We allow in ICMPv6 neighbor solicitation, neighbor advertisement, router advertisement and echo request (without the neighbor discovery messages, IPv6 address resolution and autoconfiguration on the link would break):

nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

And we count, log and drop any other packet (again, this rule must stay last):

nft add rule ip6 filter input counter log drop

We allow out established and related connections:

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept

We allow out on the loopback interface:

nft add rule ip6 filter output oif lo accept

And we allow out and count any new connection:

nft add rule ip6 filter output ct state new counter accept

This sums it all up for IPv6:

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept
nft add rule ip6 filter input counter log drop

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept



3. Putting it all in a shell script

To put it all in a simple shell script, we first create a fw.sh file:

touch /home/[user]/fw.sh

and edit it:

gedit /home/[user]/fw.sh

We start it with the usual header:

#!/bin/bash

We load the IPv4/IPv6 templates:

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /home/[user]/nftables/files/nftables/ipv6-filter

We flush both tables, so the script can be re-run without duplicating rules:

nft flush table filter
nft flush table ip6 filter

We append our filter list:

line 1 ...
line 2 ...
line 3 ...

We finish with a clean exit code:

exit 0

Here is what it looks like, with our basic IPv4/IPv6 firewall:
--------------------------------------------------------------------------------
#!/bin/bash

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /home/[user]/nftables/files/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept

nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

nft add rule ip6 filter input counter log drop

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept

echo "Nftables Firewall is now ON"

exit 0

---------------------------------------------------------------------------------------------------------------

We make it executable:

chmod +x /home/[user]/fw.sh

We can now run it easily:

sudo sh /home/[user]/fw.sh

We can just as easily make a fw_off.sh script:

---------------------------------------------------------
#!/bin/bash

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /home/[user]/nftables/files/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

echo "Nftables Firewall is now OFF"

exit 0
----------------------------------------------------------


NB: instead of loading the blueprints, we can create the tables and chains ourselves. These lines:

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /home/[user]/nftables/files/nftables/ipv6-filter

would then become:

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }
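The fw.sh above flushes the chains and then issues one nft add rule per line, so between the flush and the final "counter log drop" the input chain accepts everything, and a typo in one rule leaves the remaining rules silently missing. The following is an added example, not the post's own fw.sh: the same IPv4/IPv6 ruleset written as a single nft -f file so the kernel swaps it in as one transaction. It assumes a recent nft that accepts "flush ruleset" and the -c check flag; the function names, the "policy drop" defaults and the root check are my additions.

```shell
#!/bin/sh
# Added example, not the post's own fw.sh: the same host firewall, loaded with
# one "nft -f" so the kernel swaps the whole ruleset in a single transaction,
# instead of flushing and then adding rules one by one (a fail-open window).
set -eu
# Ruleset for one family ("ip" or "ip6"); $2 holds extra input rules.
# "policy drop" is an addition to the post: input/forward fail closed even if
# a later rule were rejected; "counter log drop" is kept for counting/logging.
build_ruleset() {
    family=$1; extra_input=$2
    cat <<EOF
table $family filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport ssh counter log accept
$extra_input
        counter log drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0;
        ct state established,related accept
        oif lo accept
        ct state new counter accept
    }
}
EOF
}
# ICMPv6 types the post allows in (IPv6 neighbour discovery needs the nd-* ones).
ICMPV6_RULES='        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept'
build_full_ruleset() {
    echo "flush ruleset"   # wipes every table, including those of other tools
    build_ruleset ip ""
    build_ruleset ip6 "$ICMPV6_RULES"
}
apply_ruleset() {
    [ "$(id -u)" -eq 0 ] || { echo "nft must run as root (sudo -s)" >&2; return 1; }
    tmp=$(mktemp)
    build_full_ruleset > "$tmp"
    nft -c -f "$tmp"       # check only, nothing applied yet
    nft -f "$tmp"          # load as one atomic transaction
    rm -f "$tmp"
    echo "Nftables Firewall is now ON"
}
if [ "${1:-}" = "apply" ]; then apply_ruleset; fi
```

Run it as "sudo sh fw_atomic.sh apply"; without the argument it only defines the functions, so "build_full_ruleset" can be used to inspect the generated file first.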


4. Firewall Testing
We'll do a quick test of our firewall:

 


 
It's not easy to test a host firewall, as packet sniffers (e.g. Wireshark) usually hook in between the NIC driver and the firewall, so dropped incoming packets still show up in Wireshark. We'll see in the next parts how to use more elaborate firewall monitoring / logging functions.


One basic test is to install two services and try the firewall on and off against them.
For this, we comment out the 2 lines that allow SSH in our firewall config.

We do an instant web server and SSH server setup:

sudo apt-get install apache2
sudo apt-get install openssh-server

We run a no-ping nmap from PC2 (-Pn skips host discovery, so the scan proceeds even when the firewall drops the probes):

nmap -Pn 192.168.0.10
nmap -Pn -6 2001:db8:0:0::10

nmap should show:

Firewall off:  open ports: 2 (port 22, port 80)
               closed ports: 998

Firewall on:   filtered ports: 1000
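Another way to check the ruleset from the host itself is to read the counters the post already attaches to the SSH and drop rules: after a scan, the drop counter should have grown and the SSH counter should not. This is an added example and not part of the post; the nft output below is a constructed sample (assumed to match the post's IPv4 input chain) and the helper names are my own.

```shell
#!/bin/sh
# Added example, not from the post: use the "counter" statements the post puts
# on its ssh and drop rules to check the firewall from the host itself, instead
# of a sniffer that sees packets before the firewall drops them.
set -eu

# Constructed sample of "nft list chain ip filter input" output (assumed to
# match the post's IPv4 input chain after a short scan from another machine).
SAMPLE='table ip filter {
	chain input {
		type filter hook input priority 0; policy accept;
		ct state established accept
		ct state related accept
		iif lo accept
		tcp dport ssh counter packets 12 bytes 840 log accept
		counter packets 37 bytes 2220 log drop
	}
}'

# Read "nft list chain" text on stdin and sum the packet counters of every
# rule whose verdict is $1 (accept or drop). Rules without a counter are ignored.
packets_by_verdict() {
    awk -v v="$1" '
        /counter packets/ && $NF == v {
            for (i = 1; i <= NF; i++) if ($i == "packets") sum += $(i + 1)
        }
        END { print sum + 0 }'
}

# Live use (root, as everywhere in the post): dropped packets on the real chain.
live_dropped() {
    nft list chain "${1:-ip}" filter input | packets_by_verdict drop
}
```

Run "live_dropped ip" (or "live_dropped ip6") before and after the nmap scan; with the firewall on, the difference is the number of probes the catch-all rule dropped.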


5. Notes

(1) to load the blueprint tables:

nft -f /home/ubuntu-gnome/nftables/files/nftables/ipv4-filter
nft -f /home/ubuntu-gnome/nftables/files/nftables/ipv6-filter
nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

(2) be aware that nft commands can only be run as root (either with sudo -s or sudo [command]).
Running nft without root privileges produces errors that can be mistaken for a software failure.

(3) to delete rules by chain:

nft delete rule filter input
nft delete rule filter output
nft delete rule filter forward

nft delete rule ip6 filter input
nft delete rule ip6 filter output
nft delete rule ip6 filter forward

(4) beware of Windows / Linux text format (line ending) problems:
cat the file in a terminal, then copy and paste its content into a fresh new file.

Published by computer outlines - in Nftables