11 April 2014

How to use Nftables on a Linux Router ( a pure router, without NAT. The Linux Nftables Internet Gateway with NAT / DNS proxy is covered in Part 6 ).
We'll use Ubuntu 14.04.

 

Here is the network topology ( figure NF5a, not reproduced in this extract : the Linux router sits between PC1 on the Lan side and PC2 on the Wan side ) :


We won't cover NAT and DNS proxy implementation here ; that is left for Part 6. So we have to work with static routes :
PC1 uses the Linux box as its default gateway.
PC2 has a static route to PC1 through the Linux box ( no NAT here ), both for IPv4 and IPv6.



1. What we need to build an Nftables Linux Router

 

We want the Linux box itself to be firewalled from the outside ( both Wan and Lan sides ), allowing only ssh access in, and any access out.

We want Lan > Wan traffic to be always allowed, and only reply traffic ( established and related connections ) to be allowed in from the Wan.



2. Routing part setup

We first set static IPs on the wan ( eth0 ) and lan ( eth1 ) interfaces.

We enable forwarding :

sudo gedit /etc/sysctl.conf

by uncommenting :

net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1

Then we reboot to apply the changes ( or run sudo sysctl -p to apply them without rebooting ; sysctl net.ipv4.ip_forward should then print 1 ).


Nftables ships with no tables or chains at all : with no base chain hooked on forward, the kernel forwards everything, and INPUT / OUTPUT are likewise open.

So the routing part should work now ( ping tests between the two PCs should succeed before any rule is loaded ).


3. NFTables Router Ruleset

Building on our previous Basic IPv4/IPv6 Nftables Host firewall ( the filter tables and their input / output / forward chains are created there ; the commands below only add rules to them ), we just need to add the forwarding rules :

allow from Lan to Wan
allow ( already ) established and related connections from Wan to Lan
drop everything else from Wan to Lan

allow icmpv6 echo request through the firewall in both directions ( IPv6 only, so that ping6 works from the Wan side ; the IPv4 forward chain only lets replies back in, so an IPv4 ping from Wan to Lan is dropped ).
 
This adds these rules to our ruleset :

for IPv4 :

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept
add rule filter forward iif eth1 oif eth0 counter accept
add rule filter forward iif eth0 oif eth1 counter log drop

for IPv6 :

add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept
add rule ip6 filter forward iif eth0 oif eth1 icmpv6 type echo-request accept
add rule ip6 filter forward iif eth1 oif eth0 counter accept
add rule ip6 filter forward iif eth0 oif eth1 counter log drop


Here is the resulting complete ruleset :

----------------------------------------------------------------------------------------------------------------
flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept
add rule filter forward iif eth1 oif eth0 counter accept
add rule filter forward iif eth0 oif eth1 counter log drop


add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept


add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept
add rule ip6 filter forward iif eth0 oif eth1 icmpv6 type echo-request accept
add rule ip6 filter forward iif eth1 oif eth0 counter accept
add rule ip6 filter forward iif eth0 oif eth1 counter log drop

----------------------------------------------------------------------------------------------------------------------------------
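The same ruleset as a single nft script file, with the sysctl step of section 2 folded in so that no reboot is needed. This is an added example, not the blog's own script : it assumes a current nftables ( nft -f for an atomic load, nft -c for a syntax check ), the page's interface naming ( eth0 = Wan, eth1 = Lan ), and a ruleset path and sysctl.d file name that are placeholders. Unlike the page's add rule commands, it declares the base chains itself with policy drop, and it adds a ct state invalid drop rule to the forward chains that the page does not have.

```shell
#!/bin/sh
# Added example, not the blog's own script: enable forwarding and load the
# router ruleset of sections 2 and 3 as one atomic nft transaction.
# Assumes current nftables (nft -f / nft -c) and the page's interface naming
# (eth0 = WAN, eth1 = LAN). RULESET and the sysctl.d file name are assumptions.
set -eu

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
RULESET=${RULESET:-${TMPDIR:-/tmp}/router.nft}

# Section 2 without the reboot: apply now, and persist under /etc/sysctl.d.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
    sysctl -w net.ipv6.conf.all.forwarding=1
    printf 'net.ipv4.ip_forward=1\nnet.ipv6.conf.all.forwarding=1\n' \
        > /etc/sysctl.d/90-router.conf
}

# Section 3 as a complete file. Declaring the base chains with "policy drop"
# means a chain that ends up empty (flushed, or a load that failed half way)
# still blocks instead of falling back to nftables' implicit accept.
# "ct state invalid drop" in forward is an addition to the page's rules.
# "flush ruleset" wipes every table on the box, not only these two.
write_ruleset() {
    cat > "$1" <<EOF
flush ruleset

table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport ssh counter log accept
        counter log drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established,related accept
        oif lo accept
        ct state new counter accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        iif $WAN oif $LAN ct state established,related accept
        iif $LAN oif $WAN counter accept
        iif $WAN oif $LAN counter log drop
    }
}

table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        tcp dport ssh counter log accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } accept
        counter log drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established,related accept
        oif lo accept
        ct state new counter accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
        iif $WAN oif $LAN ct state established,related accept
        iif $WAN oif $LAN icmpv6 type echo-request accept
        iif $LAN oif $WAN counter accept
        iif $WAN oif $LAN counter log drop
    }
}
EOF
}

# Parse-check before touching the kernel. A file loaded with "nft -f" is one
# transaction: a syntax error aborts it and the previous rules stay in place.
check_ruleset() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        nft -c -f "$1"
    else
        echo "nft not available or not root: skipping syntax check of $1" >&2
    fi
}

case "${1:-}" in
    apply)
        enable_forwarding
        write_ruleset "$RULESET"
        check_ruleset "$RULESET"
        nft -f "$RULESET"
        ;;
    *)
        # default: only generate and check the file, safe to run anywhere
        write_ruleset "$RULESET"
        check_ruleset "$RULESET"
        ;;
esac
```

Run it with no argument to generate and syntax-check the file ; run it as root with apply to enable forwarding and load the rules. Keeping the page's two tables ( ip and ip6 ) rather than a single inet table mirrors the blog's layout ; the price is that every host rule is written twice.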

 

4. Firewall Testing


We'll use this firewall testing methodology :

One PC launches a regular NMAP scan against the other PC, while the other PC uses Wireshark to see which packets managed to pass through the Router's firewall. We do the test for IPv4 and IPv6, with the firewall on and off, and from both the Lan and the Wan side ( a total of 8 tests ).

Everything works as expected :

all nmap packets get out from Lan to Wan without problem.
all nmap packets from Wan to Lan get dropped, except when the firewall is flushed.
the nft list table filter command shows the dropped packets in the counter of the final drop rule.


When capturing on the Linux Router itself, the Wireshark display filter frame.interface_id==x separates the packets received on one interface from those emitted on the other.

The ICMPv6 requirements are respected ( ping6 works through the firewall ).
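A way to turn the counter check above into a number rather than a glance at Wireshark : read the forward chain's drop counter before and after the scan and compare. This is an added example, not from the blog ; the two listings are constructed to look like nft list table ip filter output ( the counter packets N bytes M form ), and the 1000-packet difference is simply what a default nmap -sS scan of 1000 ports would produce if every SYN were dropped ( real runs add retransmissions ). On the router the real command is nft list table ip filter, or nft list table ip6 filter for the IPv6 run.

```shell
#!/bin/sh
# Added example, not from the blog: confirm a Wan > Lan scan was blocked by
# reading the forward chain's "log drop" counter before and after it.
# The listings below are constructed; the real input is the output of
#   nft list table ip filter      (or: nft list table ip6 filter)
set -eu

# Print the packet count of the "log drop" rule inside chain forward,
# reading an `nft list table` listing on stdin.
forward_drops() {
    awk '
        $1 == "chain"                     { chain = $2 }
        chain == "forward" && /log drop/  {
            for (i = 1; i <= NF; i++) if ($i == "packets") print $(i + 1)
        }'
}

# usage: drop_delta BEFORE AFTER
drop_delta() {
    echo $(( $2 - $1 ))
}

# Constructed "nft list table ip filter" output, taken before the scan.
# Note the input chain also has a "log drop" counter; it must be ignored.
listing_before() {
    cat <<'EOF'
table ip filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		counter packets 410 bytes 31200 log drop
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		iif eth0 oif eth1 ct state established,related accept
		iif eth1 oif eth0 counter packets 2310 bytes 198450 accept
		iif eth0 oif eth1 counter packets 12 bytes 720 log drop
	}
}
EOF
}

# The same listing after `nmap -sS -Pn <PC1>` from the Wan-side PC: the
# default TCP SYN scan probes 1000 ports, so the constructed counter grew
# by exactly 1000 (a real scan also retransmits unanswered probes).
listing_after() {
    listing_before | sed 's/packets 12 bytes 720 log drop/packets 1012 bytes 60720 log drop/'
}

# Packets the forward chain dropped between the two listings.
scan_blocked_count() {
    before=$(listing_before | forward_drops)
    after=$(listing_after | forward_drops)
    drop_delta "$before" "$after"
}

echo "Wan > Lan forward drops during the scan: $(scan_blocked_count)"
```

On the router, capture the two listings into files around the scan and pipe each through forward_drops ; a delta of zero with the firewall loaded means the scan was not reaching the forward chain at all ( wrong interface names, or the packets hitting input instead ), which is worth knowing before trusting a quiet Wireshark.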


5. Notes

Useful commands :

ip -6 route add default via 2001:db8:0:2::1        adds an IPv6 default gateway from the shell ( use ip -6 explicitly for IPv6 routes ; ip route add default via <IPv4 address> does the same for IPv4 ).

Published by computer outlines - in Nftables