Clark's Home page

Assorted technical notes from a Linux sysadmin, but also something about his life

Ale.nft


This is the actual script that contains all the firewall rules; it is invoked by ale401.sh.

N.B.

There are NO line breaks: each rule is a single line. The line breaks you see here come from the text wrapping.

N.M.B.
To use the inet family for nat it is mandatory, obligatory, necessary, and keep going until you're exhausted, to run a kernel >= 5.2.

#!/usr/sbin/nft -f

### In theory the nftables shebang wouldn't be needed, since the file is invoked from the bash script, but I preferred to put it in anyway in case I ever use another method to launch it in the future.

include "/usr/local/bin/vars"
include "/usr/local/bin/definitions"
flush ruleset

table inet firewall {
chain INPUT {
type filter hook input priority 0; policy drop;
# related established
ct state established, related counter accept
# invalid
ct state invalid counter drop
# loopback
iifname lo accept
# ssh
tcp dport 3222 ct state new counter accept
# tcp dport 22 ct state new counter accept

udp dport 694 ct state new counter accept  ### first changes: accept heartbeat if you want the route switch to work in case of a fault
# log prefix "[nftables] Input Denied: " flags all counter drop   ### commented out: the final log-and-drop is added at the end of the script (### log and drop); a drop here would make every INPUT rule added later (DNS, etc.) unreachable
}
chain FORWARD {
type filter hook forward priority 0; policy drop;
ct state established, related counter accept
ct state invalid counter drop
}
chain OUTPUT {
type filter hook output priority 0; policy drop;
ct state new, established, related counter accept
ct state invalid counter drop
}
chain IPS {
type filter hook forward priority 10;
}
#chain SYN-FLOOD {
#type filter hook input priority 0;
#}

#### syn flood handled this way is too penalizing, I need to study it better
}

table inet fw-nat {
chain PREROUTING {
type nat hook prerouting priority -100;
}
chain POSTROUTING {
type nat hook postrouting priority 100;
}
}

table netdev noddos {
chain ingress {
type filter hook ingress device eth0 priority -500;

# a brief note here: with hook ingress you cannot use $EXTIF, you must use the interface name.
}
}

table inet fail2ban {
chain fail2ban {
type filter hook input priority 100;
}
}
### noddos rules try to mitigate ddos attacks; netdev is more performant than prerouting
add rule netdev noddos ingress iif $EXTIF ip saddr {$GOOD_BOYS} counter accept
add rule netdev noddos ingress iif $EXTIF ip saddr {$RESERVED_NET} counter drop
add rule netdev noddos ingress ip frag-off & 0x1fff != 0 counter drop
add rule netdev noddos ingress tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
add rule netdev noddos ingress tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
add rule netdev noddos ingress tcp flags syn tcp option maxseg size 1-536 counter drop
### no garbage in prerouting
add rule inet fw-nat PREROUTING tcp flags & (syn|ack) == syn|ack ct state new drop
add rule inet fw-nat PREROUTING tcp flags & (fin|syn) == fin|syn drop
add rule inet fw-nat PREROUTING tcp flags & (syn|rst) == syn|rst drop   ### fixed: originally compared against fin|rst, a value this mask can never produce, so the rule never matched
add rule inet fw-nat PREROUTING tcp flags & (fin|rst) == fin|rst drop
add rule inet fw-nat PREROUTING tcp flags & (fin|ack) == fin drop
add rule inet fw-nat PREROUTING tcp flags & (psh|ack) == psh drop
add rule inet fw-nat PREROUTING tcp flags & (ack|urg) == urg counter drop
#add rule inet firewall SYN-FLOOD limit rate 10/second burst 50 packets return
#add rule inet firewall SYN-FLOOD drop

### syn flood to be revised.
add rule inet firewall FORWARD ip frag-off != 0 ip protocol icmp drop
### FTP dnat to grecale
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $EXTIP tcp dport 21 counter dnat ip to $GRECALE:21
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $EXTIP tcp dport 49152-65534 dnat to $GRECALE:49152-65534
add rule inet firewall FORWARD iif $EXTIF oif $INTIF ip daddr $GRECALE tcp dport { 21, 49152-65534 } ct state new accept
### VPN
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $VPNIP tcp dport 775 counter dnat to $CHIMERA:775
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $VPNIP tcp dport 1194 counter dnat to $CHIMERA:1194
add rule inet firewall FORWARD iif $EXTIF oif $INTIF ip daddr $CHIMERA tcp dport { 775, 1194 } ct state new accept
### forward traffic
add rule inet firewall FORWARD iif $INTIF oif $EXTIF accept
add rule inet firewall FORWARD iif $EXTIF oif $INTIF counter drop
### suricata
add rule inet firewall IPS queue
#add rule inet firewall IPS iif $EXTIF oif $EXTIF queue bypass
#add rule inet firewall IPS iif $INTIF oif $EXTIF queue bypass
### better results forwarding everything to the queue
### input rules
add rule inet firewall INPUT udp dport 53 accept
add rule inet firewall INPUT tcp dport 53 accept
### output rules
add rule inet firewall OUTPUT oif $LO accept   ### output hook: locally generated packets have no input interface, so match on oif
add rule inet firewall OUTPUT udp dport 53 accept
add rule inet firewall OUTPUT tcp dport 53 accept
### postrouting
add rule inet fw-nat POSTROUTING masquerade

Here I have to make another brief note: as much as I tried every possible way, if I use snat, which should be "cleaner" and is the recommended choice for static IPs, there is no way to do dnat in prerouting, or rather I didn't manage it; this annoys me to a shameful degree, but with masquerade it works, so it's fine like this (at least for now).
### log and drop
add rule inet firewall INPUT log prefix "[nftables] Input Denied: " flags all counter drop
add rule inet firewall INPUT tcp dport 0-65535 drop
add rule inet firewall INPUT udp dport 0-65535 drop
add rule inet firewall INPUT counter drop
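The "no garbage in prerouting" rules and the all-flags/no-flags rules in the netdev chain all rely on the same nft match, `tcp flags & MASK == VALUE`. As an added example (not part of the original script), here is a small Python model of that match that runs the script's flag rules over every one of the 64 possible flag combinations and flags rules that can never match; it assumes the TCP header bit values for the flags, ignores the `ct state new` qualifier, and keeps the original syn|rst line (value fin|rst with mask syn|rst) as BUGGY_RULE.

```python
# Added example: a Python model of the nft match "tcp flags & MASK == VALUE".
# Assumptions: TCP flag bits as in the TCP header; the "ct state new" qualifier
# on the syn|ack rule is ignored; all rules are drops, so their order does not matter.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG

# "no garbage in prerouting" rules as (mask, value) pairs: drop when flags & mask == value.
PREROUTING_RULES = [
    (SYN | ACK, SYN | ACK),   # syn+ack (on a new connection)
    (FIN | SYN, FIN | SYN),   # fin+syn
    (SYN | RST, SYN | RST),   # syn+rst
    (FIN | RST, FIN | RST),   # fin+rst
    (FIN | ACK, FIN),         # fin without ack
    (PSH | ACK, PSH),         # psh without ack
    (ACK | URG, URG),         # urg without ack
]
# netdev noddos rules: every flag set (xmas) and no flag set (null).
NETDEV_RULES = [(ALL, ALL), (ALL, 0)]
# The syn|rst rule as originally written: the value has a bit (fin) outside the mask.
BUGGY_RULE = (SYN | RST, FIN | RST)

def matches(flags, rule):
    """nft semantics of 'tcp flags & mask == value'."""
    mask, value = rule
    return flags & mask == value

def never_matches(rule):
    """A rule whose value has bits outside its mask cannot match any packet."""
    mask, value = rule
    return value & ~mask != 0

def is_dropped(flags, rules):
    return any(matches(flags, r) for r in rules)

def dropped_combinations(rules):
    """All of the 64 flag combinations that at least one rule drops."""
    return {f for f in range(ALL + 1) if is_dropped(f, rules)}

def lint(rules):
    """Return the rules that can never match, e.g. because of a mask/value typo."""
    return [r for r in rules if never_matches(r)]

if __name__ == "__main__":
    rules = PREROUTING_RULES + NETDEV_RULES
    print(f"{len(dropped_combinations(rules))} of 64 flag combinations are dropped")
    print("dead rules in the corrected set:", lint(rules))
    print("dead rules with the original syn|rst line:", lint(rules + [BUGGY_RULE]))
```

A plain SYN, a bare ACK and a FIN+ACK pass every rule, while FIN, PSH or URG without ACK are dropped; `lint` is the check worth running on any ruleset copied from iptables `--tcp-flags` syntax, where the mask and the value are easy to mix up.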

