Overblog Suivre ce blog
Administration Créer mon blog
12 avril 2014 6 12 /04 /avril /2014 10:52

How to setup NFtables to do external syslog logging.

 

The hability to do firewall logging is great, but a network admin needs to remote/consolidate its logs to an external syslog server. For this we'll be using Rsyslog, and the Ulogd2 spooler.


The OS used here is Ubuntu GNOME 14.04 (Trusty Tahr)  ( for nftables needs OS kernel 3.13 ).
Here is the network topology used :

 

NF8b

 
We'll be using the nflog:2 group for logging.

 

 

1. ULOGD2 and dependencies

Ulogd2 needs these dependencies : libnfnetlink, libnetfilter_log, libnetfilter_conntrack

we first need all the nftables / git / makefile dependencies :

sudo -s
apt-get update

apt-get install libmnl0                already installed
apt-get install libmnl-dev

apt-get install git
apt-get install autoconf
apt-get install libtool
apt-get install pkg-config
apt-get install flex
apt-get install bison
apt-get install libgmp3-dev
apt-get install libreadline6-dev
apt-get install autogen

( apt-get install docbook2x docbook-utils )

we install ulogd2 dependencies :

git clone git://git.netfilter.org/libnfnetlink
cd libnfnetlink
sh autogen.sh
./configure
make
make install

cd ..

git clone git://git.netfilter.org/libnetfilter_log
cd libnfnetfilter_log
sh autogen.sh                                                           ( works ok, but ' unexpected operator ' message during autogen !? )
./configure
make
make install

cd ..

git clone git://git.netfilter.org/libnetfilter_conntrack
cd libnetfilter_conntrack
sh autogen.sh
./configure
make
make install
cd ..

we finally install syslogd2 :

sudo apt-get install ulogd2

 

( NFtables should be already installed. If not, see notes )

 

 

 

2. Nftables logging setup

we have to check nflog protocol logging:

 

cat /proc/net/netfilter/nf_log

you might get this :


# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

Let's see this. The line number is the protocol.

2=IPv4, 4=Novell IPX, 10=IPv6, ...

The syntax is Protocol Number / Active Module ( Available Modules ).

So here we have nfnetlink active for IPv4 only.

( line 10 is : '10 NONE (nfnetlink_log)' )

we need to enable IPv6 nfnetlink_log :

echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

we should get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 nfnetlink_log (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

( See part 7 for /proc/net/netfilter/nf_log persistence at reboot )

 

 

 

3. RSYSLOG setup

with a basic /etc/rsyslog.conf :


*.*    @192.168.0.12:514
*.*    @[2001:db8:0:0::12]:514

sudo service rsyslog restart

( do note that this will log two times, once to the IPv4 address and once to the IPv6 address.
do suppress the line you do not need )

we can monitor the syslog using wireshark too ( usefull for debugging ) using these filters :

 

ip.addr == 192.168.0.12
ipv6.addr == 2001:db8:0:0.12

 

 

4. ULOGD2 setup

sudo gedit /etc/ulogd.conf

we uncomment line 95 ( Syslog via NFlog ) :
# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

we launch ulogd :
sudo /usr/sbin/ulogd
( or sudo service ulogd2 restart )

do notice this part in ulogd.conf :

 

[log3]
# netlink multicast group (the same as the iptables --nflog-group param)
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1 # you can label the log info based on the packet verdict

this is where the nflog:2 group is linked in.



5. NFtables Test

nft -f /home/lake/nftables/files/nftables/ipv4-filter
nft -f /home/lake/nftables/files/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

nft add rule filter output ip daddr 208.67.222.222 counter log group 2 prefix "IPv4_OpenDNS_"
nft add rule ip6 filter output ip6 daddr 2620:0:ccc::2 counter log group 2 prefix "IPv6_OpenDNS_"

nft list table filter
nft list table ip6 filter

ping -c 4 208.67.222.222
ping6 -c 4 2620:0:ccc::2
sudo tail /var/log/syslog

 

It should work, we should see syslog messages in Wireshark and on our Syslog Server..
We get them as DAEMON.NOTICE


Let's precise our rsyslog filter. We edit /etc/rsyslog.conf :


DAEMON.NOTICE    @192.168.0.12:514                                                                   ( Use Upper Cases )
DAEMON.NOTICE    @[2001:db8:0:0::12]:514

We get a better filter of what is sent through Syslog.

 

Do remember to use Upper Cases for facility / level definitions ( ie. use DAEMON.NOTICE, not daemon.notice )

 

 

 

6. ULOGD2 Custom Facility / Level

Let's finally customize our ULOGD2 facility/level so that we can filter what is sent to our external syslog server:

 

sudo gedit /etc/ulogd.conf

 

we add a [sys1] stance below the [emu1] stance :
--------------------------------------------------------------------------------------------------------
[emu1]
file="/var/log/ulog/syslogemu.log"
sync=1

[sys1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE
---------------------------------------------------------------------------------------------------------

we relaunch ulogd :
sudo service ulogd2 restart

we get now LOCAL2.NOTICE syslogs.

we can finally set rsyslog.conf to only send LOCAL2.NOTICE to the external Syslog Server :

using in /etc/rsyslog.conf :
LOCAL2.NOTICE        @192.168.1.100:514                                                                                ( Use Upper Cases )
LOCAL2.NOTICE        @[2001:db8:0:0::12]:514

 

 

7. ulogd2 using two nflog groups


We may need to have ulogd2 gather and relay several nflog groups.
Let's use the previous Part 7 Internet Gateway with NFlog, that uses two groups.
We'll use nflog group 2 and nflog group 3 ( so to avoid collisions with group 1 which is already registered by ulogd2 for the log2 facility )

we'll just copy the log3 stack declaration, so to make a log 4 stack just below :

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG


we'll too copy the [log3] declaration, so to make it a [log4]. Notice we make [log4] to use group 3 :

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1

[log4]
group=3 # Group has to be different from the one use in log1/log2
numeric_label=1

we just have to restart ulogd2 :
sudo service ulogd2 restart

 

 

8. Ulogd2 using two nflog groups with two syslog facilities

Furthermore, it may be handy to have our two groups use distinct syslog facilities, so to have an easier sorting on the syslog server.
We use two nflog stacks, that use distinct sys1 and sys3 output pipes :

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys1:SYSLOG

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log4:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,sys3:SYSLOG

we use two nflog descriptors :

[log3]
group=2 # Group has to be different from the one use in log1/log2
numeric_label=1

[log4]
group=3 # Group has to be different from the one use in log1/log2
numeric_label=1


we add a [sys3] descriptor below [sys1], with its distinct facility :

[sys1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE

[sys3]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL1
level=LOG_NOTICE


we just have to restart ulogd2 :

sudo service ulogd2 restart

( don't forget to update /etc/rsyslog.conf. exemple :

LOCAL2.NOTICE    @192.168.1.100:514
LOCAL1.NOTICE    @192.168.1.100:514                                                           )

 

 

 

 

9. Notes

 

Firewall logging ' auto-feedback ' effect :

 

special care must be taken to avoid a positive-feedback loop :

 

You don't want the firewall to log and syslog the outgoing syslog messages
( unless you want to test which software part of the chain Firewall --> Network hardware --> syslog server will surrender first under a flood of packets )

 

here is a typical output chain, that avoids the positive-feedback-loop effect,

by accepting output syslog messages ( port 514 ) BEFORE they may get syslogged :

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output udp dport 514 accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 2 accept

Ulogd2 local HDD logging :

 

the log1 stack is enabled by default ( uncommented in /etc/ulogd.conf ).
. it uses group 0 ( may be set )
. logs in /var/log/ulog/syslogemu.log

see the [log1] descriptor.

 

nb2 : log2 seems a better fit

 

 

Ulogd2 custom plugin :

 

We may change sys1 to systc1 in these two stances, for better cleanness, so to avoid any stack entanglement.
But it doesn't seem really necessary :

 

# this is a stack for logging packets to syslog after a collect via NFLOG
stack=log3:NFLOG,base1:BASE,ifi1:IFINDEX,ip2str1:IP2STR,print1:PRINTPKT,systc1:SYSLOG

...
[systc1]
file="/var/log/ulog/syslog.log"
facility=LOG_LOCAL2
level=LOG_NOTICE

 

 

syslog prefix syntaxes :

 

WORD
WORD1_WORD2
"WORD1 WORD2"
Actually, 63 characters, spaces, upper and lower cases, numbers and special characters allowed.

 

 

iptables syntax :

 

sudo iptables -A OUTPUT -d 8.8.4.4 -j NFLOG --nflog-group 2 --nflog-prefix TESTG2


NFTABLES Specifics :

git clone git://git.netfilter.org/libnftnl
cd libnftnl
sh autogen.sh
./configure
make
make install
ldconfig

cd ..
git clone git://git.netfilter.org/nftables
cd nftables
sh autogen.sh
./configure
make
make install

--

 

Repost 0
Published by computer outlines - dans Nftables
commenter cet article
12 avril 2014 6 12 /04 /avril /2014 10:00

We'll see here the logging function of nftables : NFLOG.


NFLOG allows to place a log hook in the NFtables, allowing to set monitoring points in the chains : As an exemple, logging allowed IN packets vs dropped IN packets, etc ...
It allows for Firewall monitoring, as well as subtler troubleshooting.

 

We'll be using our Part 6 : NFtables Linux Internet Gateway here and see how to set monitoring points :
 
NF5d

To be noted is that NFLOG is also used by IPTables.

 

 

 

1. The Netfilter Logging Framework


Since Linux 2.6.14 it's possible to pass via userspace packets that have been logged by the kernel packet filter.

There are two tools :

QUEUE et NFQUEUE                 : used by external application for decisions ( SNORT IDS/IPS, NuFW, ulogd, ... )
LOG et NFLOG                             : used for external logging ( Wireshark, Syslog, ... )

NFlog is a new target for iptables and Nftables to log packet via a virtual device.
The NFLOG target copies packets and send them to a specified netlink socket.

 

 

 

2. NFlog


Nflog needs to be enabled on a protocol basis. To verify what is loaded :

 

cat /proc/net/netfilter/nf_log

 

you might get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 NONE (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#

Let's see this. The line number is the protocol.

2=IPv4, 4=Novell IPX, 10=IPv6, ...

The syntax is Protocol Number / Active Module ( Available Modules ).

So here we have nfnetlink active for IPv4 only.

( line 10 is : '10 NONE (nfnetlink_log)' )

we need to enable IPv6 nfnetlink_log :

echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

we should get this :

# cat /proc/net/netfilter/nf_log
 0 NONE (nfnetlink_log)
 1 NONE (nfnetlink_log)
 2 nfnetlink_log (nfnetlink_log)
 3 NONE (nfnetlink_log)
 4 NONE (nfnetlink_log)
 5 NONE (nfnetlink_log)
 6 NONE (nfnetlink_log)
 7 NONE (nfnetlink_log)
 8 NONE (nfnetlink_log)
 9 NONE (nfnetlink_log)
10 nfnetlink_log (nfnetlink_log)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)
#


So line 2 is for IPv4, line 10 is for IPv6

 

To enable Nflog for IPv4 :
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/2

 

To enable Nflog for IPv6 :
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10

Note : this is not persistent through a reboot. And oddly, even a boot bash gets overriden. As there isn't a way I did find yet  to use a /etc/systcl.conf or alike, I end up using a 1 minute cron job :

 

sudo crontab -e

 

add this :
* * * * * sh /etc/init.d/fwlog.sh

 

the cron job uses this bash file :

 

gedit fwlog.sh
-------------------------------------------------------------------------------------
#!/bin/bash
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/2
echo "nfnetlink_log" > /proc/sys/net/netfilter/nf_log/10
exit 0
---------------------------------------------------------------------------------------

 

sudo chmod +x /etc/init.d/fwlog.sh

 

 

 

3. Simple NFTABLES LOG

 

Let's see the most simple log syntax :
nft add rule filter output log


This will log all output packets to the default NFLOG socket ( ie NFLOG:0 ).  This is the NFLOG interface that do appear in Wireshark.


Another option is to use the command line to get the capture, and open later the capture using wireshark :

 

dumpcap -i nflog -w nflog.pcap                                                        ( nb : does not work as root )
wireshark -r nflog.pcap

 

 

 

4. NFTABLES LOG with Prefixes


A little more sophisticated syntax is to use prefixes, to tag different log points. Ex :
sudo nft add rule filter input counter log prefix "INPUT"
sudo nft add rule filter output ct state new counter log prefix "OUTPUT" accept

This will add a different 'tag' to the logged packets, still logging to the default NFLOG socket ( NFLOG:0 ).

The display can be filtered in Wireshark, using these filters :

 

nflog.prefix == "INPUT"
nflog.prefix == "OUTPUT"

NB : the prefix must use no space, ie use  : "ALLOWED_OUT"

Furthermore, a special Prefix collum can be created in Wireshark to display these prefixes Live :

 

NF7c

 

  To do so, do a NEW COLLUMN :

 

NF7e

 

    field type : custom
    field name : nflog.prefix
    tick 'displayed'
 


The capture can still be performed using the command line :


dumpcap -i nflog -w nflog.pcap
wireshark -r nflog.pcap

 

 

 

5. Nftables LOG using groups

A more sophisticated approach is to use 'GROUPS', ie different netlink sockets, for different log points or zones.


The netlink group is a netlink multicast group to which packets are sent. The default value is 0. Its value is 0-36 635 ( 2^16-1 ).

 

As an example, all dropped incomming packets ( INPUT and FORWARDING IN ) could be set to a group, and all outgoing packets ( OUTPUT and FORWARDING OUT ) to another,  or groups could be used to part different destinations IPs... Here is an exemple :

 

nft add rule filter forward ip daddr 192.168.2.10 log group 10
nft add rule filter forward ip daddr 192.168.2.34 log group 34

 

This will log to the NFLOG sockets NFLOG:10 and NFLOG:34

 

Wireshark doesn't seem to have a GUI way to select these sockets. The only way I know to display these sockets is to launch Wireshark using the command line :

 

wireshark -i nflog:34 -i nflog:10 -k

we can try pinging 192.168.2.10 and 192.168.2.34 from the 192.168.1.0/24 network, and see the live nflog messages in wireshark :

 

NF7d 

The GROUP is named ' Ressource ID ' in wireshark. Here are the wireshark display filters :

 

nflog.res_id == 34
nflog.res_id == 10

More, a custom GROUP collumn can be created for live capture display :

 

NF7a

 

NEW COLLUMN :

 

NF7f

 

    field type : custom
    field name : nflog.res_id

    tick 'displayed'
 

The command line capture syntax is :

 

dumpcap -i nflog:10 -i nflog:34 -w nflog.pcap
wireshark -r nflog.pcap

quote " The resource ID is in network byte order (big-endian). On one netlink socket it's possible to listen to several nflog groups; the resource ID is the nflog group for the packet "
source : http://www.tcpdump.org/linktypes/LINKTYPE_NFLOG.html

 

 

 

6. Basic FW example using Prefixes and Groups

 

Here is our Internet Gateway ruleset, with NFlog logging :

 

NF5d

 

The main ideas are :

 

. enable comprehensive NFlog prefixes
. use group 1 for Linux Host firewal itself ( INPUT and OUTPUT chains )
. use group 2 for network forwarding ( FORWARD chains )
. the ICMP policies tries to be RFC compliant

-------------------------------------------------------------------------------------------------------------------------------------------------------------------
flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input icmp type echo-request counter log prefix "IPv4_PING_IN" group 1 accept
add rule filter input tcp dport ssh counter log prefix "IPv4_SSH_IN" group 1 accept
add rule filter input iif eth0 udp dport 67 counter log prefix "IPv4_DHCP_LAN_IN" group 1 accept
add rule filter input counter log prefix "IPv4_IN_DROPPED" group 1 drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter log prefix "IPv4_OUT" group 1 accept

add rule filter forward iif eth1 oif eth0 ct state established accept
add rule filter forward iif eth1 oif eth0 ct state related accept
add rule filter forward iif eth1 oif eth0 icmp type echo-request counter log prefix "IPv4_PING_FORWARD_IN_DROPPED" group 2 drop

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept

add rule filter forward iif eth0 oif eth1 ct state new counter log prefix "IPv4_FORWARD_OUT" group 2 accept
add rule filter forward iif eth1 oif eth0 counter log prefix "IPv4_FORWARD_IN_DROPPED" group 2 drop

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log prefix "IPv6_SSH_IN" group 1 accept
add rule ip6 filter input iif eth0 udp dport 547 counter log prefix "IPv6_DHCP_LAN_IN" group 1 accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request counter log prefix "IPv6_PING_IN" group 1 accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log prefix "IPv6_IN_DROPPED" group 1 drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter log prefix "IPv6_OUT" group 1 accept

add rule ip6 filter forward iif eth1 oif eth0 ct state established accept
add rule ip6 filter forward iif eth1 oif eth0 ct state related accept
add rule ip6 filter forward iif eth1 oif eth0 icmpv6 type echo-request counter log prefix "IPv6_PING_FORWARD_IN_ACCEPTED" group 2 accept

add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept

add rule ip6 filter forward iif eth0 oif eth1 ct state new counter log prefix "IPv6_FORWARD_OUT" group 2 accept
add rule ip6 filter forward iif eth1 oif eth0 counter log prefix "IPv6_FORWARD_IN_DROPPED" group 2 drop

add table nat
flush table nat
add chain nat post { type nat hook postrouting priority 0 ; }
add chain nat pre { type nat hook prerouting priority 0 ; }

add rule nat post ip saddr 192.168.2.100 oif eth1 snat 192.168.1.220
add rule nat pre udp dport 53 ip saddr 192.168.2.0/24 dnat 8.8.8.8:53

add table ip6 nat
add chain ip6 nat postrouting { type nat hook postrouting priority 0 ; }
add chain ip6 nat pre { type nat hook prerouting priority 0 ; }

add rule ip6 nat pre udp dport 53 ip6 saddr 2001:470:c82c:2::/64 dnat 2001:4860:4860:0:0:0:0:8888:53
----------------------------------------------------------------------------------------------------------------------------------------------------------------


we can monitor the firewall using wireshark with this command line :
wireshark -i nflog:1 -i nflog:2 -k
 
NF7b



7. Notes

 

IPTABLES syntaxes :

 

As Nflog is used by IPTables too, here are the IPTables syntaxes, which are handy for quick debugging :

 

iptables -A OUTPUT -j NFLOG

iptables -A INPUT -j NFLOG --nflog-group 10

iptables -A OUTPUT -j NFLOG --nflog-prefix  TEST1


Repost 0
Published by computer outlines - dans Nftables
commenter cet article
11 avril 2014 5 11 /04 /avril /2014 10:37

We'll see here how to use Nftables to implement an Internet Gateway, ie a Nftables Router with IPv4 NAT and IPv4/IPv6 DNS proxy.
This harticles relies on Part 5 : A Nftables Linux Router. See this part for complete explainations on how to forward using Nftables.

Here is the network topology :

 NF5d


1. What we need to build an Nftables Linux Internet Gateway

We want the Linux OS to be firewalled from the exterior ( both Wan and Lan ), allowing only ssh access in, and any access out

We want Lan > Wan traffic to be always allowed, and only reply traffic to be allowed in

We want IPv4 NAT and IPv4 / IPv6 DNS proxy

This post is mostly about Nftables, so DHCP and SLAAC issues will be very quickly treated here.

 

 

 

2. Routing part setup

We first setup static IPs for wan ( eth0 ) and lan ( eth1 ) interfaces.

We enable forwarding :

sudo gedit /etc/sysctl.conf

by uncommenting :

net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1

we reboot to apply changes



3. NAT and DNS proxy setup

We setup IPv4 NAT :

nft add table nat
nft add chain nat post { type nat hook postrouting priority 0 \; }
nft add chain nat pre { type nat hook prerouting priority 0 \; }        *mandatory ??!

( the presence of a prerouting chain seems mandatory for NAT to work )


Note that the selected type for this chain is nat.

nft add rule nat post ip saddr 192.168.1.0/24 oif eth0 snat 192.168.0.254

or

nft add rule nat post ip saddr 192.168.1.10 oif eth0 snat 192.168.0.254

where 192.168.0.254 is Linux OS Router Static IP, 192.168.1.10 is PC1 static IP

 

 

As Nftables defaults to ACCEPT in teh absence of any rules, PC1 should now be able to access the Internet.



We setup IPv4 DNS proxy :


nft add rule nat pre udp dport 53 ip saddr 192.168.1.0/24 dnat 208.67.222.222:53

ex. Any IPv4 DNS request, or using the gateway as DNS server, will be proxied to 208.67.222.222 ( OpenDNS IPv4 )

We setup IPv6 DNS proxy :

nft add table ip6 nat
nft add chain ip6 nat post { type nat hook postrouting priority 0 \; }
nft add chain ip6 nat pre { type nat hook prerouting priority 0 \; }
nft list -n table ip6 nat

nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:1::0/64 dnat 2620:0:ccc::2:53

ex. Any IPv6 DNS request, or using the gateway as a DNS server, will be proxied to 2620:0:ccc::2 ( OpenDNS IPv6 )

PC1 connections should work OK ( including OS updates, Mail client, Web browsing ). There only seems to be a problem in this implementation with IPv6 web browsing using chrome, whereas IPv6 works ok using IE or Firefox. A particular chrome http implementation ?

 

 

5. Internet Gateway FIrewall Evaluation

We proceed the same way as in Part 5 : Nftables Linux Router.

 NF5c


We'll use this firewall testing methodology :

One PC launches a regular NMAP scan to the other PC,
the other PC is using Wireshark to track the packets that managed to pass the Router's firewall. We do the test for IPv4 and IPv6, FW on and off, and switching Lan and Wan sides ( thus a total of 8 tests ).

Everything works as expected :

all nmap packets get out of Lan without problem.
all nmap packets get dropped from Wan to Lan, except if firewall is pulled down.
the NFT list table filter command do show the dropped packets

 

Using the [frame.interface_id==x] Wireshark display filter, do show Linux Router received packets vs emmited packets.

The ICMPv6 requiremnts are respected ( ping6 through firewall ).


6. notes

IPv6 syntax issues :
nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:3::0/64 dnat 2001:4860:4860:0:0:0:0:8888

do work ok

nft add rule ip6 nat pre udp dport 53 ip6 saddr 2001:db8:0:3::0/64 dnat [2001:4860:4860:0:0:0:0:8888]:53

do bring syntax error


Wireshark tap / log :

Wireshark does provide a way to tap the firewall using NFLOG, allowing some fine Firewall monitoring / evaluation. We'll see it in Part 7.


Usefull commands :

ip route add default via 2001:db8:0:2::1                                                                                   ( Linux default gateway )

nft flush table nat

nft delete chain nat postrouting

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE ( iptables masquerading command, for troubleshooting / comparaisons )

Chrome browser :

There seems to be a problem in this implementation with IPv6 web browsing using chrome,
whereas it works ok using IE or Firefox. Particular chrome http implementation ?

Open DNS IPs :


IPv4 :    208.67.222.222
              208.67.220.220

IPv6 :    2620:0:ccc::2
              2620:0:ccd::2


Repost 0
Published by computer outlines - dans Nftables
commenter cet article
11 avril 2014 5 11 /04 /avril /2014 10:12

How to use Nftables in a Linux Router ( A pure Router, without NAT. Linux Nftables Internet Gateway with NAT / DNS proxy is for Part 6 ).
We'll use Ubuntu 14.04.

 

Here is the network topology :

 NF5a


We won't see NAT and DNS proxy implementation here, that will left be for part 6. So we have to do with static routes.
PC1 have Linux OS as Default Gateway.
PC2 has a static route to PC1 ( no NAT here ) both for IPv4 and IPv6



1. What we need to build an Nftables Linux Router

 

We want the Linux OS to be firewalled from the exterior ( both Wan and Lan ), allowing only ssh access in, and any access out.

We want Lan > Wan traffic to be always allowed, and only reply traffic to be allowed in



2. Routing part setup

We first setup static IPs for wan ( eth0 ) and lan ( eth1 ) interfaces.

We enable forwarding :

sudo gedit /etc/sysctl.conf

by uncommenting :

net.ipv4.ip_forward=1

net.ipv6.conf.all.forwarding=1

we reboot to apply changes


Nftables has no default rules, it allows everything IN / OUT / FORWARD.

So the routing part should work OK now ( pings tests between the two PC )


3. NFTables Router Ruleset

Building from our previous Basic IPv4/IPv6 Nftables Host firewall, we just need to add the forwarding rules :

allow from Lan to Wan
allow (already ) established and related connections from Wan to Lan
drop other from Wan to Lan

allow icmpv6 echo request through the firewall in both directions.
 
this will add these rules to our ruleset :

for IPv4 :

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept
add rule filter forward iif eth1 oif eth0 counter accept
add rule filter forward iif eth0 oif eth1 counter log drop

for IPv6 :

add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept
add rule ip6 filter forward iif eth0 oif eth1 icmpv6 type echo-request accept
add rule ip6 filter forward iif eth1 oif eth0 counter accept
add rule ip6 filter forward iif eth0 oif eth1 counter log drop


Here is the resulting complete ruleset :

----------------------------------------------------------------------------------------------------------------
flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule filter forward iif eth0 oif eth1 ct state established accept
add rule filter forward iif eth0 oif eth1 ct state related accept
add rule filter forward iif eth1 oif eth0 counter accept
add rule filter forward iif eth0 oif eth1 counter log drop


add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept


add rule ip6 filter forward iif eth0 oif eth1 ct state established accept
add rule ip6 filter forward iif eth0 oif eth1 ct state related accept
add rule ip6 filter forward iif eth0 oif eth1 icmpv6 type echo-request accept
add rule ip6 filter forward iif eth1 oif eth0 counter accept
add rule ip6 filter forward iif eth0 oif eth1 counter log drop

----------------------------------------------------------------------------------------------------------------------------------

 

4. Firewall Testing

NF5a 

 

 

We'll use this firewall testing methodology :

One PC launches a regular NMAP scan to the other PC,
the other PC is using Wireshark to track the packets that managed to pass through the Router's firewall. We do the test for IPv4 and IPv6, FW on and off, and switching Lan and Wan sides ( thus a total of 8 tests ).

Everything works as expected :

all nmap packets get out of Lan without problem.
all nmap packets get dropped from Wan to Lan, except if firewall is pulled down.
the NFT list table filter command do show the dropped packets


Using [frame.interface_id==x] Wireshark display filter, do show Linux Router received packets vs emmited packets.

The ICMPv6 requiremnts are respected ( ping6 through firewall ).


5. notes

Usefull commands :


ip route add default via 2001:db8:0:2::1                                                      to add a default GW to Linux using shell.

Repost 0
Published by computer outlines - dans Nftables
commenter cet article
9 avril 2014 3 09 /04 /avril /2014 10:13


How to setup our firewall bash file to cleanly execute at startup, along with a nice start/stop command.
using Ubuntu GNOME 14.04 (Trusty Tahr)

 

NF2a

 

Be aware that nft commands can only be launched as root ( either using sudo -s or sudo [command] ).
Trying to use the nft command without being root launches errors that can be misinterpreted as a software error / failure. thourough this post I assume every nft comman is done root ( sudo -s ).


1. Simple Nftables autoloading Firewall

 
We'll use a very basic firewall setting, that only blocks ICMPv4 and ICMPv6 echo-request ( ie IPv4 and IPv6 ping ).

1) first, we create a script : fwautorun.sh

touch fwautorun.sh

we edit it :

gedit fwautorun.sh

to fill the basic structure.
do note the 'sudo nft' syntax in the script. It is mandatory for the script to autoload.
------------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          scriptname
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO


case "$1" in
  start)

    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter
    sudo nft flush table filter
    sudo nft flush table ip6 filter   
       
    sudo nft add rule filter input ip protocol icmp counter drop
    sudo nft add rule ip6 filter input icmpv6 type echo-request counter drop


    echo "NFTABLES ICMP Ping Firewall is ON"
    ;;
  stop)
    sudo nft flush table filter
    sudo nft flush table ip6 filter   
    echo "NFTABLES ICMP Ping Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun {start|stop}"
        exit 1
        ;;
esac

exit 0
-----------------------------------------------------------------------------------------------------------------------------

2) we copy that script into /etc/init.d
sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

3) we add it to startup and render it executable :

sudo update-rc.d fwautorun.sh defaults
sudo chmod +x /etc/init.d/fwautorun.sh

nb : the update-rc.d command uses no absolute path, but refers to /etc/init.d/


4) the script can be started / stopped using :
/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop


2. Basic Nftables autoloading IPv4/IPv6 Firewall

Of course, the start and stop parts of the script can be filled with any sequences. Let's see what it looks like using our Nftables 2 : Basic IPv4 / IPv6 ruleset :

touch fwautorun.sh
gedit fwautorun.sh

---------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          scriptname
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO


case "$1" in
  start)


    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter

    sudo nft add rule filter input ct state established accept
    sudo nft add rule filter input ct state related accept
    sudo nft add rule filter input iif lo accept
    sudo nft add rule filter input tcp dport ssh accept
    sudo nft add rule filter input counter log drop

    sudo nft add rule filter output ct state established accept
    sudo nft add rule filter output ct state related accept
    sudo nft add rule filter output oif lo accept
    sudo nft add rule filter output ct state new counter accept

    sudo nft add rule ip6 filter input ct state established accept
    sudo nft add rule ip6 filter input ct state related accept
    sudo nft add rule ip6 filter input iif lo accept
    sudo nft add rule ip6 filter input tcp dport ssh accept

    sudo nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
    sudo nft add rule ip6 filter input icmpv6 type echo-request accept
    sudo nft add rule ip6 filter input icmpv6 type nd-router-advert accept
    sudo nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

    sudo nft add rule ip6 filter input counter log drop

    sudo nft add rule ip6 filter output ct state established accept
    sudo nft add rule ip6 filter output ct state related accept
    sudo nft add rule ip6 filter output oif lo accept
    sudo nft add rule ip6 filter output ct state new counter accept

    echo "NFTABLES Firewall is ON"
    ;;
  stop)
   
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter

    echo "NFTABLES Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun {start|stop}"
        exit 1
        ;;
esac

exit 0
--------------------------------------------------------------------------------------------------------------------------

sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

sudo update-rc.d fwautorun.sh defaults
sudo chmod +x /etc/init.d/fwautorun.sh

nb : the update-rc.d command uses no absolute path, but refers to /etc/init.d/

The script can be started / stopped using :

/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop

 


3. Ruleset bootime loading using a nft -f command

A little more sophisticated way is to have our boottime script to use the nft -f command to load a ruleset file. This way, the ruleset can be easily modified/backuped/etc ... without changing the startup script itself.

We'll use a very basic firewall setting, that only blocks ICMP Echo-requests ( ie ping ).

1) First, we create our nft ruleset file fw.ruleset ( see previous posts )
gedit /etc/fw.ruleset
-----------------------------------------------------------------------------------------------------------------------------
-f /usr/local/etc/nftables/ipv4-filter
-f /usr/local/etc/nftables/ipv6-filter
flush table filter
flush table ip6 filter   
       
add rule filter input ip protocol icmp counter drop

add rule ip6 filter input icmpv6 type echo-request counter drop
-------------------------------------------------------------------------------------------------------------------------------


2) then, we create a script : fwautorun.sh

touch fwautorun.sh

we edit it and fill the basic structure :
gedit fwautorun.sh
do note the 'sudo nft' syntax in the script. It is mandatory for the script to autoload.
--------------------------------------------------------------------------------------------------------------------------------
#!/bin/bash
### BEGIN INIT INFO
# Provides:          scriptname
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start daemon at boot time
# Description:       Enable service provided by daemon.
### END INIT INFO


case "$1" in
  start)
   
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter
    sudo nft flush table ip6 filter
    sudo nft -f /etc/fw.ruleset
   
    echo "NFTABLES Firewall is ON"
    ;;
  stop)

    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter

    sudo nft flush table filter   
    sudo nft flush table ip6 filter
    echo "NFTABLES Firewall is OFF"
    ;;
  *)
        echo "Usage: /etc/init.d/fwautorun {start|stop}"
        exit 1
        ;;
esac

exit 0
-------------------------------------------------------

2) we copy that script into /etc/init.d
sudo cp fwautorun.sh /etc/init.d/fwautorun.sh

3) we add it to startup and render it executable :

sudo update-rc.d fwautorun.sh defaults
sudo chmod +x /etc/init.d/fwautorun.sh


4) the script can be started / stopped using :
/etc/init.d/fwautorun.sh start
/etc/init.d/fwautorun.sh stop


some notes :

. a fw_off.ruleset may be created, for cleaner ' firewall off mode ':
It would be a simple, empty template, like the default ipv4-filter and ipv6-filter.

. instead of using ' template loading ' :
    sudo nft -f /usr/local/etc/nftables/ipv4-filter
    sudo nft -f /usr/local/etc/nftables/ipv6-filter


we may use table creation :

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }


But there's no real benefit to this approach, as template use seems a better and cleaner way to empty all tables.


4. Basic Firewall Ruleset

As a reminder of the previous NFtables parts, here is a basic IPv4/IPv6 firewall ruleset ( for a Host, not for a Router ) :

------------------------------------------------------------------------------------------------------------
flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept

-------------------------------------------------------------------------------------------------------------------------




5. notes

to remove a startup record :

sudo update-rc.d -f fwautorun.sh remove


a nftables boottime / autoload alternative  :
nftables-systemd
( https://github.com/devkid/nftables-systemd )

not tested here

 

 

a few checks :

    FW is active, and packets are recorded, even if no user is logged in
    FW is active, and packets are recorded, when a user is logged in

    the file fwautorun.sh doesn't need to be root:root, it can be [user]:[user]
    the file fwautorun.sh doesn't need to be to end in .sh, it can simply be fwautorun



   


Repost 0
Published by computer outlines - dans Nftables
commenter cet article
9 avril 2014 3 09 /04 /avril /2014 09:46


We'll see here the different possible ways to load or save our Nftables ruleset.
Using Ubuntu GNOME 14.04 (Trusty Tahr).
 

NF2a

 

Be aware that nft commands can only be launched as root ( either using sudo -s or sudo [command] ).
Trying to use the nft command without being root launches errors that can be misinterpreted as a software error / failure. Throughout this post I assume every nft comman is done root ( sudo -s ).


1.  Ruleset Loading using a shell script

The easiest way to load / save rulesets is to use a shell script.

To put it all in an easy shell script, we first creat a fw.sh file :

touch /home/[user]/fw.sh

and edit it :

gedit /home/[user]/fw.sh

We start it with the usual header :

#!/bin/bash

We load the IPv4 and IPv6 templates :

 

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

 

 

We flush any tables :

nft flush table filter
nft flush table ip6 filter

We append our filter list :

line 1 ...
line 2 ...
line 3 ...

We finish with a nice exit code :
exit 0

Here is what it looks like, with our basic IPv4/IPv6 firewall :
-------------------------------------------------------------------------------
#!/bin/bash

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept

nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

nft add rule ip6 filter input counter log drop

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept

echo "Nftables Firewall is now ON"

exit 0

-------------------------------------------------------------------------------------------------------------------------

we make it executable :

chmod +x /home/[user]/fw.sh

we can now run it easily :

sudo sh /home/[user]/fw.sh



we can easily make a fw_off.sh script too :

----------------------------------------------------------------------------------------------------------------------------
#!/bin/bash

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

echo "Nftables Firewall is now OFF"

exit 0
--------------------------------------------------------------------------------------------------------------------------------


nb: instead of loading blueprints, we can create the tables and chains. These lines :

nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

would then become :

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }






2. Ruleset loading using the NFT -f command

Another way to save / load rulesets is to use the nft -f command.
Keeping the same firewall example as preceeding, we create a fw.ruleset file ( it can be any name / any extension ) containing our command list. Do note that we need to have created the tables, or load the templates :

-f /usr/local/etc/nftables/ipv4-filter
-f /usr/local/etc/nftables/ipv6-filter

here is how we create our ruleset :

touch /home/[user]/fw.ruleset

we edit it :

gedit /home/[user]/fw.ruleset

--------------------------------------------------------------------------------------------------
-f /usr/local/etc/nftables/ipv4-filter
-f /usr/local/etc/nftables/ipv6-filter

flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept

-----------------------------------------------------------------------------------------------------------------

we can lauch it using this command :

sudo nft -f fw.ruleset


we can easily make a fw_off.ruleset script :

-----------------------------------------------------------------------------
nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

-------------------------------------------------------------------------------

We can incorporate the blueprint creation, so they don't need to have been loaded previously :
add table filter
add table ip6 filter

add chain filter input { type filter hook input priority 0 ; }
add chain filter forward { type filter hook forward priority 0 ; }
add chain filter output { type filter hook output priority 0 ; }

add chain ip6 filter input { type filter hook input priority 0 ; }
add chain ip6 filter forward { type filter hook forward priority 0 ; }
add chain ip6 filter output { type filter hook output priority 0 ; }



flush table filter
flush table ip6 filter

add rule filter input ct state established accept
add rule filter input ct state related accept
add rule filter input iif lo accept
add rule filter input tcp dport ssh counter log accept
add rule filter input counter log drop

add rule filter output ct state established accept
add rule filter output ct state related accept
add rule filter output oif lo accept
add rule filter output ct state new counter accept

add rule ip6 filter input ct state established accept
add rule ip6 filter input ct state related accept
add rule ip6 filter input iif lo accept
add rule ip6 filter input tcp dport ssh counter log accept

add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
add rule ip6 filter input icmpv6 type echo-request accept
add rule ip6 filter input icmpv6 type nd-router-advert accept
add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

add rule ip6 filter input counter log drop

add rule ip6 filter output ct state established accept
add rule ip6 filter output ct state related accept
add rule ip6 filter output oif lo accept
add rule ip6 filter output ct state new counter accept


3. Ruleset loading using a NFTables ' dump '

Another, usefull way to save / load a ruleset is to use a ' dumping ' command :

 

a : we setup our firewall

 

b : we dump the configuration into a fw.rule file ( any name / extension is possible ) :
nft list table filter > fw4.rule
nft list table ip6 filter > fw6.rule

 

we can now load our firewall using these commands :
nft -f fw4.rule
nft -f fw6.rule

Interesting to note is that the counters states are preserved. This might prove interesting for reboot status preserve.

It is possible to append the dumps :

 

save :
    nft list table filter > fw.rule
    nft list table ip6 filter >> fw.rule

 

restore :
nft -f fw.rule


4. Notes


(1) to be able to load the tables :
use full path to template file :
nft -f /home/[user]/nftables/files/nftables/ipv6-filter
nft -f /usr/local/etc/nftables/ipv6-filter

(2) nft commands only work as root

be aware that nft commands can only be launched as root ( either using sudo -s or sudo [command] ).
trying to use the nft command without being root launches errors that can be misinterpreted as a software error / failure.


(3) to delete rules by chains :

nft delete rule filter input
nft delete rule filter output
nft delete rule filter forward

nft delete rule ip6 filter input
nft delete rule ip6 filter output
nft delete rule ip6 filter forward


(4) use of bash files :

gedit rule1.sh

chmod +x rule1.sh
sh rule1.sh

(5) Windows / Linux text format issue

nb : beware of Windows / Linux text format problems when moving confilg files through OS.
Use cat on a Linux terminal, then copy and paste in a fresh new file if needed.

 

Repost 0
Published by computer outlines - dans Nftables
commenter cet article
8 avril 2014 2 08 /04 /avril /2014 15:18


We'll see here how to design a basic functionnal Nftables firewall ruleset, and how to use it with an easy bash file.


NF2a
 

Be aware that nft commands can only be launched as root ( either using sudo -s or sudo [command] ).
Trying to use the nft command without being root launches errors that can be misinterpreted as a software error / failure. thourough this post I assume every nft comman is root ( sudo -s ).


1. IPv4 part

 

We load the ipv4 table :

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft list table filter

We basically want to allow in established and related connections :
nft add rule filter input ct state established accept
nft add rule filter input ct state related accept

We allow in on loopback interface :

nft add rule filter input iif lo accept

We count, log, and allow in ssh connections :

nft add rule filter input tcp dport ssh counter log accept

And we count, log and drop any other packet :

nft add rule filter input counter log drop



We allow out established and related connections :

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept

We allow out on loopback interface :

nft add rule filter output oif lo accept

And we allow out and count any new connection :

nft add rule filter output ct state new counter accept

This sums it all up for IPv4 :


nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept

 

 

2. IPv6 Part

 

We load the ipv6 table :
nft -f /home/[user]/nftables/files/nftables/ipv6-filter
nft list table ip6 filter

We basically want to allow in established and related connections :

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept

We allow in on loopback interface :

nft add rule ip6 filter input iif lo accept

We count, log, and allow in ssh connections :

nft add rule ip6 filter input tcp dport ssh counter log accept

We allow in neighbor solicit, neighbor advertisement, router advertisement and echo request :

nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

And we count, log and drop any other packet :

nft add rule ip6 filter input counter log drop



We allow out established and related connections :

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept

We allow out on loopback interface :

nft add rule ip6 filter output oif lo accept

And we allow out and count any new connection :

nft add rule ip6 filter output ct state new counter accept


This sums it all up for IPv6 :
nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept
nft add rule ip6 filter input counter log drop

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept



3. Putting it all in a shell script

To put it all in an easy shell script, we first creat a fw.sh file :

touch /home/[user]/fw.sh

and edit it :

gedit /home/[user]/fw.sh

We start it with the usual header :

#!/bin/bash

We load the ipv4/ipv6 templates :

 

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /home/[user]/nftables/files/nftables/ipv6-filter

 

 

We flush any tables :

nft flush table filter
nft flush table ip6 filter

We append our filter list :

line 1 ...
line 2 ...
line 3 ...

We finish with a nice exit code :
exit 0

Here is what it looks like, with our basic IPv4/IPv6 firewall :
--------------------------------------------------------------------------------
#!/bin/bash

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /home/[user]/nftables/files/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

nft add rule filter input ct state established accept
nft add rule filter input ct state related accept
nft add rule filter input iif lo accept
nft add rule filter input tcp dport ssh counter log accept
nft add rule filter input counter log drop

nft add rule filter output ct state established accept
nft add rule filter output ct state related accept
nft add rule filter output oif lo accept
nft add rule filter output ct state new counter accept

nft add rule ip6 filter input ct state established accept
nft add rule ip6 filter input ct state related accept
nft add rule ip6 filter input iif lo accept
nft add rule ip6 filter input tcp dport ssh counter log accept

nft add rule ip6 filter input icmpv6 type nd-neighbor-solicit accept
nft add rule ip6 filter input icmpv6 type echo-request accept
nft add rule ip6 filter input icmpv6 type nd-router-advert accept
nft add rule ip6 filter input icmpv6 type nd-neighbor-advert accept

nft add rule ip6 filter input counter log drop

nft add rule ip6 filter output ct state established accept
nft add rule ip6 filter output ct state related accept
nft add rule ip6 filter output oif lo accept
nft add rule ip6 filter output ct state new counter accept

echo "Nftables Firewall is now ON"

exit 0

---------------------------------------------------------------------------------------------------------------

we make it executable :

chmod +x /home/[user]/fw.sh

we can now run it easily :

sudo sh /home/[user]/fw.sh



we too can easily make a fw_off.sh script :

---------------------------------------------------------
#!/bin/bash

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /home/[user]/nftables/files/nftables/ipv6-filter

nft flush table filter
nft flush table ip6 filter

echo "Nftables Firewall is now OFF"

exit 0
----------------------------------------------------------


nb: instead of loading blueprints, we can create the tables and chains. These lines :

nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /home/[user]/nftables/files/nftables/ipv6-filter

would then become :

nft add table filter
nft add table ip6 filter

nft add chain filter input { type filter hook input priority 0 \; }
nft add chain filter forward { type filter hook forward priority 0 \; }
nft add chain filter output { type filter hook output priority 0 \; }

nft add chain ip6 filter input { type filter hook input priority 0 \; }
nft add chain ip6 filter forward { type filter hook forward priority 0 \; }
nft add chain ip6 filter output { type filter hook output priority 0 \; }


4. Firewall Testing
We'll do a quick test of our firewall :

 

NF2b

 
It's not easy to test a host firewall, as packets sniffers ( ie wireshark ) usually plug-in between the NIC driver and the firewall. Thus dropped incoming packets do still appear in wireshark. We'll see in the next parts how to use elaborate firewall monitoring / logging functions.


One basic test can be to install two services, and try firewalling on/off them.
For this, we comment out the 2 lines that allows ssh in our firewall config.

 

We do an instant web server and ssh server setup :
sudo apt-get install apache2
sudo apt-get install openssh-server

we do a (no ping) nmap from PC2 :
nmap -Pn 192.168.0.10
nmap -Pn -6 2001:db8:0:0::10

The nmap should show :
Firewall off :    open ports : 2 ( port 22, port 80 )
                          closed ports : 998

Firewall on :    filtered ports : 1000


5. Notes


(1) to load the blueprints tables :

 

nft -f /home/ubuntu-gnome/nftables/files/nftables/ipv4-filter
nft -f /home/ubuntu-gnome/nftables/files/nftables/ipv6-filter
nft -f /usr/local/etc/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv6-filter

(2) be aware that nft commands can only be launched as root ( either using sudo -s or sudo [command] ).
trying to use the nft command without being root launches errors that can be misinterpreted as a software error / failure.

(3) to delete rules by chains :

nft delete rule filter input
nft delete rule filter output
nft delete rule filter forward

nft delete rule ip6 filter input
nft delete rule ip6 filter output
nft delete rule ip6 filter forward

(4)
beware of Windows / Linux text format problems.
use cat on terminal, then copy and paste in a fresh new file

Repost 0
Published by computer outlines - dans Nftables
commenter cet article
8 avril 2014 2 08 /04 /avril /2014 14:26

 

We'll see here how to setup nftables.
We'll be using Ubuntu GNOME 14.04 (Trusty Tahr) ( Beta / Daily Build : March 17 2014 here ) because of the need for a 3.13 Linux kernel to support NFtables.

Do note that using a beta software is not fit for a production environment.

 

All nft commands need to be root to function, so either use sudo or sudo -s. Through this post I'll assume we are root.

 

NF1e

 

 

1. Ubuntu-Gnome 14.04 environment quick-help :

 

To setup keyboard :

 

activities >
search > keyboard layout settings > language > add [ your language ]
select [ your language ] on the right taskbar

 

To launch a terminal :

 

search > terminal
    or
bottom left side : show applications > utilities > Terminal

    or

CTRL+ALT+T

 

 

2. Check of OS Kernel version ( 3.13 needed )

uname -r
uname -a

 

3. Check of Modules presence


sudo -s
modprobe nf_tables                          ( should list no error message )
lsmod | grep nf_tables                      ( should list nf_tables module )
dmesg                                                  ( should list nf_tables near the end )

modprobe nf_tables_ipv4                 ( sshould list no error message )
modprobe nf_tables_ipv6                 ( should list no error message )
lsmod | grep nf_tables                       ( should list nf_tables_ipv4 and nf_tables_ipv6 modules )

 

4. nftables installation

we have to install the user-level softwares.

nftables requires libmnl and libnftnl

 

 

sudo -s
apt-get update

apt-get install libmnl0                ( normally already installed )
apt-get install libmnl-dev

 

 

we install the compiling tools :

 

apt-get install git
apt-get install autoconf
apt-get install libtool
apt-get install pkg-config
apt-get install flex
apt-get install bison
apt-get install libgmp3-dev
apt-get install libreadline6-dev
apt-get install autogen

apt-get install docbook2x docbook-utils
( optional, will generate a .pdf file /home/[user]/nftables/doc/nftables.pdf )

 

we can finally install libnftnl and nftables :

 

git clone git://git.netfilter.org/libnftnl
cd libnftnl
sh autogen.sh
./configure
make
make install
ldconfig

cd ..
git clone git://git.netfilter.org/nftables
cd nftables
sh autogen.sh
./configure
make
make install

 

5. Functionning tests
 

NF1e

 

 

we load the template ipv4 table :
nft -f /home/[user]/nftables/files/nftables/ipv4-filter

 

we should get no error.

 

we list the table :
nft list table filter

 

we should get an output like this :
 
NF1a

 

6. Nft Basic commands and first rule

 

 

here are the basic nft commands :

 

nft -h                                                                                                displays help
nft -f /home/[user]/nftables/files/nftables/ipv4-filter                loads the ipv4 template table
nft -f /home/[user]/nftables/files/nftables/ipv6-filter                loads the ipv6 template table
nft list table filter                                                                            lists the ipv4 table 'named  filters '
nft list table ip6 filter                                                                     lists the ipv6 table named ' filters '

we add a rule that counts ipv4 outputs to IP 192.168.0.1 :
nft add rule filter output ip daddr 192.168.0.1 counter       

we add a rule that counts tcp outputs to port 22 ( ssh ) :
nft add rule filter output tcp dport ssh counter

 

nft list table filter

 

It should shows the added rules :
 
NF1b

do note these alternatives syntaxes to rule listing :
nft list table filter -n                                   ( lists ipv4 table filters without DNS resolution )
nft list table filter -nn                                 ( lists ipv4 table filters without DNS resolution or port resolution )

we test these two rules :


ping -c 4 192.168.0.1
telnet 192.168.0.1 22

 

nft -nn list table filter

the packets should have been recorded :
 

NF1d

 

NFTables is here  working OK.

let's finally see how to flush the filter tables :
nft flush table filter
nft flush table ip6 filter

Do note that the tables configuration is volatile, it anyway won't survive a reboot.


7. Nftables IPv6 Functionning Test

we create the same two test rules for ipv6 :

 

nft add rule ip6 filter output ip6 daddr 2001:db8:0:0::1 counter
nft add rule ip6 filter output tcp dport ssh counter
nft list table ip6 filter

we test these two rules :
ping6 -c 4 2001:db8:0:0::1
telnet 2001:db8:0:0::1 22
nft -nn list table filter

the packets should have been recorded :

 

NF1f 

IPv6 NFTables is here working OK.


8. Notes

(1) to load a table config file :


Use full path to a config file. Some IPv4 and IPv6 table templates are located here :

/home/[user]/nftables/files/nftables/ipv4-filter
/home/[user]/nftables/files/nftables/ipv6-filter
/usr/local/etc/nftables/ipv4-filter
/usr/local/etc/nftables/ipv6-filter

commands :
nft -f /home/[user]/nftables/files/nftables/ipv4-filter
nft -f /usr/local/etc/nftables/ipv4-filter

nft -f /home/[user]/nftables/files/nftables/ipv6-filter
nft -f /usr/local/etc/nftables/ipv6-filter

as neither of these files are launched at boottime by NFtables, we can modify them at will, or used any config file placed in any other location.


(2) to delete rules by chains :

nft delete rule filter input
nft delete rule filter output
nft delete rule filter forward

nft delete rule ip6 filter input
nft delete rule ip6 filter output
nft delete rule ip6 filter forward


(3) to use a bash files to load a ruleset :

gedit ruleset1.sh :
---------------------------------------------------------
#!/bin/bash

nft flush table filter
nft flush table ip6 filter
nft add rule filter output ip daddr 192.168.0.1 counter   
nft add rule filter output tcp dport ssh counter
nft add rule ip6 filter output ip6 daddr 2001:db8:0:0::1 counter
nft add rule ip6 filter output tcp dport ssh counter

exit 0
------------------------------------------------------------
chmod +x ruleset1.sh

we can now easily load our ruleset doing :
sudo sh ruleset1.sh

nb : There are other ways to load / save rulesets. Also there are special issues related to boottime ruleset loading. We'll see them in the following parts.

nb : beware of Windows / Linux text format problems when importing text files/config files from a Windows OS.
use cat on terminal, then copy and paste in a fresh new file

 

Repost 0
Published by computer outlines - dans Nftables
commenter cet article

Présentation

  • : Computer Outlines Blog
  • : Blog mainly focused over IPv6, Windows Server, and Networking in general.
  • Contact

Recherche

Liens