9 April 2014, 10:13


How to set up our firewall bash script so that it runs cleanly at startup, together with a convenient start/stop command.
Done on Ubuntu GNOME 14.04 (Trusty Tahr).

 

NF2a

 

Be aware that nft commands can only be run as root (either with sudo -s or with sudo [command]).
Running nft without being root produces errors that are easily mistaken for a software failure. Throughout this post I assume every nft command is run as root (sudo -s).


1. Simple Nftables autoloading Firewall

 
We'll use a very basic firewall setting that only blocks ICMPv4 and ICMPv6 echo-requests (i.e. IPv4 and IPv6 ping).

1) First, we create a script: fwautorun.sh

touch fwautorun.sh

We edit it:

gedit fwautorun.sh

and fill in the basic structure.
Do note the 'sudo nft' syntax in the script: it is mandatory for the script to autoload.
------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          fwautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: nftables ICMP ping firewall
# Description:       Loads the nftables ping-blocking rules at boot (start) and empties the tables (stop).
### END INIT INFO


case "$1" in
  start)
    # load the empty templates (creates the filter tables and base chains if
    # missing), then flush them so we start from empty tables
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter
    sudo nft flush table filter
    sudo nft flush table ip6 filter

    # drop all incoming IPv4 ICMP and IPv6 echo-requests, counting what is dropped
    sudo nft add rule filter input ip protocol icmp counter drop
    sudo nft add rule ip6 filter input icmpv6 type echo-request counter drop


    echo "NFTABLES ICMP Ping Firewall is ON"
    ;;
  stop)
    sudo nft flush table filter
    sudo nft flush table ip6 filter   
    echo "NFTABLES ICMP Ping Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun {start|stop}"
        exit 1
        ;;
esac

exit 0
-----------------------------------------------------------------------------------------------------------------------------

2) We copy that script into /etc/init.d:
sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

3) We add it to the startup sequence and make it executable:

sudo update-rc.d fwautorun.sh defaults
sudo chmod +x /etc/init.d/fwautorun.sh

NB: update-rc.d takes no absolute path; it looks the script name up under /etc/init.d/.


4) The script can be started / stopped with:
/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop


2. Basic Nftables autoloading IPv4/IPv6 Firewall

Of course, the start and stop parts of the script can be filled with any sequence of commands. Here is what it looks like with the ruleset from Nftables 2 : Basic IPv4 / IPv6 ruleset:

touch fwautorun.sh
gedit fwautorun.sh

---------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          fwautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: nftables IPv4/IPv6 host firewall
# Description:       Loads the basic IPv4/IPv6 nftables ruleset at boot (start) and empties the tables (stop).
### END INIT INFO


case "$1" in
  start)


    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter

    sudo nft add rule filter input ct state established accept
    sudo nft add rule filter input ct state related accept
    sudo nft add rule filter input iif lo accept
    sudo nft add rule filter input tcp dport ssh accept
    sudo nft add rule filter input counter log drop

    sudo nft add rule filter output ct state established accept
    sudo nft add rule filter output ct state related accept
    sudo nft add rule filter output oif lo accept
    sudo nft add rule filter output ct state new counter accept

    sudo nft add rule ip6 filter input ct state established accept
    sudo nft add rule ip6 filter input ct state related accept
    sudo nft add rule ip6 filter input iif lo accept
    sudo nft add rule ip6 filter input tcp dport ssh accept

    sudo nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
    sudo nft add rule ip6 filter input icmpv6 type echo-request accept
    sudo nft add rule ip6 filter input icmpv6 type nd-router-advert accept
    sudo nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

    sudo nft add rule ip6 filter input counter log drop

    sudo nft add rule ip6 filter output ct state established accept
    sudo nft add rule ip6 filter output ct state related accept
    sudo nft add rule ip6 filter output oif lo accept
    sudo nft add rule ip6 filter output ct state new counter accept

    echo "NFTABLES Firewall is ON"
    ;;
  stop)
   
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter

    echo "NFTABLES Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun {start|stop}"
        exit 1
        ;;
esac

exit 0
--------------------------------------------------------------------------------------------------------------------------

sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

sudo update-rc.d fwautorun.sh defaults
sudo chmod +x /etc/init.d/fwautorun.sh

NB: update-rc.d takes no absolute path; it looks the script name up under /etc/init.d/.

The script can be started / stopped with:

/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop

 


3. Boot-time ruleset loading using an nft -f command

A slightly more sophisticated way is to have our boot-time script use the nft -f command to load a ruleset file. This way the ruleset can easily be modified, backed up, etc. without touching the startup script itself.

We'll again use the very basic firewall setting that only blocks ICMP echo-requests (i.e. ping).

1) First, we create our nft ruleset file fw.ruleset (see previous posts):
gedit /etc/fw.ruleset
-----------------------------------------------------------------------------------------------------------------------------
# load the empty templates with nft's include directive
# (a bare -f line is a command-line option, not valid ruleset syntax)
include "/usr/local/etc/nftables/ipv4-filter"
include "/usr/local/etc/nftables/ipv6-filter"
flush table filter
flush table ip6 filter

add rule filter input ip protocol icmp counter drop

add rule ip6 filter input icmpv6 type echo-request counter drop
-------------------------------------------------------------------------------------------------------------------------------


2) Then, we create the script fwautorun.sh:

touch fwautorun.sh

We edit it and fill in the basic structure:
gedit fwautorun.sh
Do note the 'sudo nft' syntax in the script: it is mandatory for the script to autoload.
--------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          fwautorun
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: nftables firewall (ruleset file)
# Description:       Loads /etc/fw.ruleset with nft -f at boot (start) and empties the tables (stop).
### END INIT INFO


case "$1" in
  start)
    # create the tables/chains if needed, flush them, then load the ruleset file
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter
    sudo nft -f /etc/fw.ruleset
   
    echo "NFTABLES Firewall is ON"
    ;;
  stop)

    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter   
    sudo nft flush table ip6 filter
    echo "NFTABLES Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun {start|stop}"
        exit 1
        ;;
esac

exit 0
-------------------------------------------------------

3) We copy that script into /etc/init.d:
sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

4) We add it to the startup sequence and make it executable:

sudo update-rc.d fwautorun.sh defaults
sudo chmod +x /etc/init.d/fwautorun.sh


5) The script can be started / stopped with:
/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop


Some notes:

. A fw_off.ruleset may be created for a cleaner 'firewall off' mode:
it would be a simple empty template, like the default ipv4-filter and ipv6-filter.

. Instead of 'template loading':
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter


we may create the tables and chains directly:

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }


But there is no real benefit to this approach, as loading the templates seems a better and cleaner way to empty all tables.
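To tie sections 3 and the notes above together, here is an added example (not code from the original post) of the start/stop script reworked around a ruleset file. It differs from the post's script in two ways a practitioner wants at boot time: "start" refuses to run when the ruleset file is missing, and it runs nft's check mode on the file before touching the live tables, so a typo in /etc/fw.ruleset leaves the machine with an error message instead of silently empty tables. The NFT, TEMPLATE_DIR and RULESET variables, the function names and the genrules action are this example's own choices; nft -c (check only) is assumed to be supported by the installed nft release.

```shell
#!/bin/sh
# fwctl.sh - added example, not code from the original post.
# Start/stop wrapper that keeps the rules in a file (section 3) and validates
# the file before applying it. Variables, function names, paths: this example's own.

NFT=${NFT:-nft}                                   # nft command; set NFT='sudo nft' to keep the post's prefix
TEMPLATE_DIR=${TEMPLATE_DIR:-/usr/local/etc/nftables}
RULESET=${RULESET:-/etc/fw.ruleset}               # rules applied on "start"

# Print the post's ping-blocking ruleset. The empty ipv4-filter / ipv6-filter
# templates are pulled in with nft's include directive.
ruleset_text() {
    cat <<EOF
include "$TEMPLATE_DIR/ipv4-filter"
include "$TEMPLATE_DIR/ipv6-filter"
flush table filter
flush table ip6 filter
add rule filter input ip protocol icmp counter drop
add rule ip6 filter input icmpv6 type echo-request counter drop
EOF
}

# "Firewall off" as the post does it: load the templates (creates the tables and
# base chains if they do not exist yet), then flush them so no rule remains.
fw_off() {
    $NFT -f "$TEMPLATE_DIR/ipv4-filter" &&
    $NFT -f "$TEMPLATE_DIR/ipv6-filter" &&
    $NFT flush table filter &&
    $NFT flush table ip6 filter
}

# "Firewall on": validate the file first, then apply it on top of clean tables.
# Return codes: 2 = file missing, 3 = syntax check failed (live rules untouched).
# 'nft -c -f FILE' (check only, no changes) is assumed to exist in the installed nft.
fw_on() {
    if [ ! -r "$RULESET" ]; then
        echo "fwctl: ruleset $RULESET missing or unreadable" >&2
        return 2
    fi
    if ! $NFT -c -f "$RULESET"; then
        echo "fwctl: $RULESET failed the syntax check, rules NOT changed" >&2
        return 3
    fi
    fw_off && $NFT -f "$RULESET"
}

# Same interface as the init script, plus "genrules" to write the ruleset file.
fw_main() {
    case "$1" in
        start)    fw_on  && echo "NFTABLES Firewall is ON" ;;
        stop)     fw_off && echo "NFTABLES Firewall is OFF" ;;
        restart)  fw_on  && echo "NFTABLES Firewall is ON" ;;   # fw_on already flushes first
        genrules) ruleset_text ;;                               # redirect into $RULESET
        *) echo "Usage: $0 {start|stop|restart|genrules}" >&2; return 1 ;;
    esac
}

# Behave like the init script when called with an action; with no argument only
# the functions are defined (handy for sourcing the file and testing it).
if [ $# -gt 0 ]; then
    fw_main "$@"
fi
```

Usage: `sh fwctl.sh genrules > /etc/fw.ruleset` writes the ruleset, then install the script under /etc/init.d and register it with update-rc.d exactly as in steps 3 to 5 above. Because the return code of "start" is non-zero on a bad file, the failure is visible in the boot log instead of being discovered later by the missing counters.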


4. Basic Firewall Ruleset

As a reminder of the previous nftables parts, here is a basic IPv4/IPv6 firewall ruleset (for a host, not for a router):

------------------------------------------------------------------------------------------------------------
flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept

-------------------------------------------------------------------------------------------------------------------------




5. Notes

To remove a startup record:

sudo update-rc.d -f fwautorun.sh remove


An nftables boot-time / autoload alternative:
nftables-systemd
( https://github.com/devkid/nftables-systemd )

Not tested here.

 

 

A few checks:

    The FW is active, and packets are counted, even when no user is logged in.
    The FW is active, and packets are counted, when a user is logged in.

    The file fwautorun.sh doesn't need to be owned by root:root; it can be [user]:[user].
    The file fwautorun.sh doesn't need to end in .sh; it can simply be named fwautorun.
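The first two checks above can be scripted rather than read off the screen. The following is an added example, not code from the original post: it parses the output of 'nft list ruleset' to confirm that both filter tables are loaded with their input hooks (i.e. the boot script ran) and to report the packet counts of every 'counter ... drop' rule, and it looks for the S?? start link that update-rc.d creates. The listing embedded in SAMPLE_LISTING is constructed for this example in the layout nft prints for the section-2 ruleset; the function names and the --sample/--live switches are this example's own choices.

```shell
#!/bin/sh
# fwcheck.sh - added example, not code from the original post.
# "Is the firewall really active after a reboot?" answered from 'nft list ruleset'
# output and from the rc.d start link. Function names are this example's own.

# Constructed sample of what 'nft list ruleset' prints with the post's ruleset loaded.
SAMPLE_LISTING='table ip filter {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state established accept
        ct state related accept
        iif "lo" accept
        tcp dport 22 counter packets 5 bytes 340 log accept
        counter packets 17 bytes 1420 log drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state new counter packets 88 bytes 6120 accept
    }
}
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy accept;
        icmpv6 type echo-request accept
        counter packets 3 bytes 264 log drop
    }
}'

# Print "family table chain packets" for every rule that counts and then drops.
# Reads a ruleset listing on stdin.
drop_counters() {
    awk '
        /^table /             { family = $2; table = $3 }
        /^[ \t]*chain /       { chain = $2 }
        /counter packets [0-9]+/ && /drop$/ {
            for (i = 1; i <= NF; i++) if ($i == "packets") pk = $(i + 1)
            print family, table, chain, pk
        }'
}

# Sum of the packets dropped by all counting drop rules (stdin: listing).
total_dropped() {
    drop_counters | awk '{ s += $4 } END { print s + 0 }'
}

# Exit 0 when both filter tables exist and at least two input hooks are attached,
# i.e. the IPv4 and IPv6 templates were loaded (stdin: listing).
fw_loaded() {
    awk '
        /^table ip filter /      { v4 = 1 }
        /^table ip6 filter /     { v6 = 1 }
        /type filter hook input/ { hooks++ }
        END { exit !(v4 && v6 && hooks >= 2) }'
}

# Exit 0 when update-rc.d left an S?? start link for fwautorun in the given
# rc directory (runlevel 2 by default, one of the levels "defaults" enables).
startup_link_present() {
    dir=${1:-/etc/rc2.d}
    for f in "$dir"/S[0-9][0-9]fwautorun*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Human-readable report on a listing read from stdin.
fw_report() {
    listing=$(cat)
    if printf '%s\n' "$listing" | fw_loaded; then
        echo "ruleset: both filter tables loaded with input hooks"
    else
        echo "ruleset: filter tables MISSING, the boot script did not run"
    fi
    printf '%s\n' "$listing" | drop_counters | sed 's/^/dropped: /'
    echo "dropped total: $(printf '%s\n' "$listing" | total_dropped) packets"
}

case "$1" in
    --sample) printf '%s\n' "$SAMPLE_LISTING" | fw_report ;;
    --live)   nft list ruleset | fw_report ;;   # run as root on the real host
esac
```

Run `sh fwcheck.sh --sample` to see the report on the constructed listing, and `sh fwcheck.sh --live` as root on the host; run it once before logging in (from a console) and once after, and the drop counters should grow between the two runs if the firewall came up at boot.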



   


Published by computer outlines - in Nftables