Clark's Home page

Assorted technicalities of a Linux sysadmin, but also something about his life

Ale2 nftables Firewall for a DMZ

Speaking of ZendTo, I had to rewrite my firewall script to handle the DMZ.
I had done a job like this in the past for a CRM that never really took off; today I rewrote it for nftables. To tell the truth, I told myself it is pointless and stupid to reinvent the wheel, better to take inspiration from something that works, written by someone who knows what he is writing, so without much fuss I took the ideas of Carlo Contavalli, who definitely knows a lot about this, and rewrote them for my needs in nftables.

The result is this:

#!/usr/sbin/nft -f
include "/usr/local/bin/vars"
include "/usr/local/bin/definitions"
flush ruleset
add table inet firewall
add table inet fw-nat
add table inet fail2ban
add table netdev noddos

add chain netdev noddos ingress { type filter hook ingress device eth0 priority -500; }
add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
add chain inet fw-nat PREROUTING { type nat hook prerouting priority -100; }
add chain inet fw-nat POSTROUTING { type nat hook postrouting priority 100; }
add chain inet fail2ban input { type filter hook input priority 100; }
add chain inet firewall IPS { type filter hook forward priority 10; }
add chain inet firewall LANDMZ
add chain inet firewall LANINET
add chain inet firewall DMZINET
add chain inet firewall DMZLAN
add chain inet firewall INETDMZ
add chain inet firewall INETLAN

# DNAT from the Internet to the web host in the DMZ
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 22 counter dnat to $GRECALE:22
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 80 counter dnat to $GRECALE:80
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 443 counter dnat to $GRECALE:443
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 1922 counter dnat to $GRECALE:1922

### see the addendum at the end of the page
# same DNAT for LAN clients that address the public IP from the inside
add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 22 meta nftrace set 1 counter dnat to $GRECALE:22
add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 80 counter dnat to $GRECALE:80
add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 443 counter dnat to $GRECALE:443
add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 1922 counter dnat to $GRECALE:1922
###

# DNAT from the Internet to the VPN host
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $VPNIP tcp dport 775 counter dnat to $CHIMERA:775
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $VPNIP tcp dport 1194 counter dnat to $CHIMERA:1194
# drop packets with impossible or bogus TCP flag combinations
# (the compared bits must be within the mask, otherwise the rule can never match)
add rule inet fw-nat PREROUTING tcp flags & (syn|ack) == syn|ack ct state new drop
add rule inet fw-nat PREROUTING tcp flags & (fin|syn) == fin|syn drop
add rule inet fw-nat PREROUTING tcp flags & (syn|rst) == syn|rst drop
add rule inet fw-nat PREROUTING tcp flags & (fin|rst) == fin|rst drop
add rule inet fw-nat PREROUTING tcp flags & (fin|ack) == fin drop
add rule inet fw-nat PREROUTING tcp flags & (psh|ack) == psh drop
add rule inet fw-nat PREROUTING tcp flags & (ack|urg) == urg counter drop

# FORWARD: dispatch each interface pair to its own zone chain
add rule inet firewall FORWARD ct state { established, related } counter accept
add rule inet firewall FORWARD ct state invalid counter drop
add rule inet firewall FORWARD iif $EXTIF oif $INTIF ip daddr $CHIMERA tcp dport { 775, 1194 } ct state new accept
add rule inet firewall FORWARD iif $INTIF oif $DMZIF counter jump LANDMZ
add rule inet firewall FORWARD iif $INTIF oif $EXTIF counter jump LANINET
add rule inet firewall FORWARD iif $DMZIF oif $EXTIF counter jump DMZINET
add rule inet firewall FORWARD iif $DMZIF oif $INTIF counter jump DMZLAN
add rule inet firewall FORWARD iif $EXTIF oif $DMZIF counter jump INETDMZ
add rule inet firewall FORWARD iif $EXTIF oif $INTIF counter jump INETLAN
# LAN -> DMZ: only the published services on the web host
add rule inet firewall LANDMZ ip saddr != $LAN counter drop
add rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 80 counter accept
add rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 443 counter accept
add rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 22 counter accept
add rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 1922 counter accept
add rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 53 counter accept
add rule inet firewall LANDMZ ip daddr $GRECALE udp dport 53 counter accept
add rule inet firewall LANDMZ ct state { new,related,established } counter accept
add rule inet firewall LANDMZ ct state invalid counter drop
add rule inet firewall LANDMZ ip protocol tcp counter reject with tcp reset
# DMZ -> LAN: replies only, nothing new may be opened from the DMZ
add rule inet firewall DMZLAN ip saddr != $DMZ counter drop
add rule inet firewall DMZLAN ct state { related,established } counter accept
add rule inet firewall DMZLAN ct state invalid counter drop
add rule inet firewall DMZLAN ip protocol tcp counter reject with tcp reset
# LAN -> Internet
add rule inet firewall LANINET ip saddr != $LAN counter drop
add rule inet firewall LANINET tcp dport 21 counter accept
add rule inet firewall LANINET ct state { new,related,established } counter accept
add rule inet firewall LANINET ct state invalid counter drop
add rule inet firewall LANINET ip protocol tcp counter reject with tcp reset
# Internet -> LAN: spoofed internal sources dropped, replies only
add rule inet firewall INETLAN ip saddr $LAN counter drop
add rule inet firewall INETLAN ip saddr $DMZ counter drop
add rule inet firewall INETLAN ct state { related,established } counter accept
add rule inet firewall INETLAN ct state invalid counter drop
add rule inet firewall INETLAN ip protocol tcp counter reject with tcp reset
# Internet -> DMZ: only the published services on the web host
add rule inet firewall INETDMZ ip saddr $LAN counter drop
add rule inet firewall INETDMZ ip saddr $DMZ counter drop
add rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 80 counter accept
add rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 22 counter accept
add rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 53 counter accept
add rule inet firewall INETDMZ ip daddr $GRECALE udp dport 53 counter accept
add rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 1922 counter accept
add rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 443 counter accept
add rule inet firewall INETDMZ ct state { new,related,established } counter accept
add rule inet firewall INETDMZ ct state invalid counter drop
add rule inet firewall INETDMZ ip protocol tcp counter reject with tcp reset
# DMZ -> Internet
add rule inet firewall DMZINET ip saddr != $DMZ counter drop
add rule inet firewall DMZINET ip saddr $GRECALE tcp dport 80 counter accept
add rule inet firewall DMZINET ip saddr $GRECALE tcp dport 443 counter accept
add rule inet firewall DMZINET ip saddr $GRECALE tcp dport 53 counter accept
add rule inet firewall DMZINET ip saddr $GRECALE udp dport 53 counter accept
add rule inet firewall DMZINET ct state { new,related,established } counter accept
add rule inet firewall DMZINET ct state invalid counter drop
add rule inet firewall DMZINET ip protocol tcp counter reject with tcp reset
# traffic to and from the firewall host itself
add rule inet firewall INPUT tcp dport 1922 counter accept
add rule inet firewall INPUT iif $INTIF ip saddr $PERSEO udp dport 694 ct state { new,related,established } counter accept
add rule inet firewall INPUT ct state { related,established } counter accept
add rule inet firewall INPUT ct state invalid counter drop
add rule inet firewall INPUT ip protocol tcp counter reject with tcp reset
add rule inet firewall OUTPUT ct state { new,related,established } counter accept
add rule inet firewall OUTPUT ct state invalid counter drop
add rule inet firewall FORWARD ip frag-off != 0 ip protocol icmp counter drop
# early drop on the external device, before the firewall tables see the packets
add rule netdev noddos ingress iif $EXTIF ip saddr {$GOOD_BOYS} counter accept
add rule netdev noddos ingress iif $EXTIF ip saddr {$RESERVED_NET} counter drop
add rule netdev noddos ingress ip frag-off & 0x1fff != 0 counter drop
add rule netdev noddos ingress tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
add rule netdev noddos ingress tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
add rule netdev noddos ingress tcp flags syn tcp option maxseg size 1-536 counter drop
# explicit SNAT kept commented out, masquerade is used instead (see below)
#add rule inet fw-nat POSTROUTING oif $EXTIF ip saddr $LAN counter snat to $EXTIP
#add rule inet fw-nat POSTROUTING oif $EXTIF ip saddr $DMZ counter snat to $WEBIP
add rule inet fw-nat POSTROUTING masquerade

As usual SNAT does not work, or rather it works from the office, but if I try to connect via VPN there is no way; the moment I switch from SNAT to masquerade the VPN takes off like a rocket. This thing gives me a headache, and sooner or later I will get to the bottom of it.

Addendum:
Murphy, as usual, gets involved and ruins things.

Our company gateway on the LAN side ends in .241 and obviously lives on the machine running the firewall; well, going out through that gateway instead of the test one, nothing works anymore.
After banging my head against it for a long time, I tried asking for advice in a group of IT people on Facebook, and one of them told me about a similar problem he had solved in a certain way, so after thinking and thinking and thinking I added these rules and everything started working properly:

add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 22 meta nftrace set 1 counter dnat to $GRECALE:22
add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 80 counter dnat to $GRECALE:80
add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 443 counter dnat to $GRECALE:443
add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 1922 counter dnat to $GRECALE:1922

The nftrace served me as a sanity check, and since all in all it does no harm I am leaving it in.
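Two things in a ruleset of this shape are easy to get wrong and silently so: a `tcp flags & (mask) == value` rule whose value contains a bit the mask does not select (it can never match, so the packets it was meant to drop go through), and a DNAT that exists only for the external interface, which is exactly the gap the addendum above closes for LAN clients addressing the public IP. The following is an added lint script, not part of the post or of Carlo Contavalli's rules; it runs over a constructed excerpt in the post's style and assumes the post's variable names ($EXTIF, $INTIF, $WEBIP, $GRECALE).

```python
import re

# Constructed excerpt in the style of the post's ruleset (not the author's full file):
# port 80 has both the external and the LAN-side DNAT rule, port 22 only the external one,
# and the syn|rst rule compares a bit (fin) that its mask does not select.
SAMPLE_RULES = """
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 22 counter dnat to $GRECALE:22
add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 80 counter dnat to $GRECALE:80
add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 80 counter dnat to $GRECALE:80
add rule inet fw-nat PREROUTING tcp flags & (syn|rst) == fin|rst drop
add rule inet fw-nat PREROUTING tcp flags & (fin|rst) == fin|rst drop
add rule netdev noddos ingress tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
"""

DNAT_RE = re.compile(r"iif (\$\w+) ip daddr (\$\w+) (tcp|udp) dport (\d+) .*\bdnat to (\S+)")
FLAGS_RE = re.compile(r"tcp flags & \(([\w|]+)\) == ([\w|]+)")


def unreachable_flag_rules(text):
    """'tcp flags & (mask) == value' rules whose value has bits outside the mask: they never match."""
    bad = []
    for line in text.splitlines():
        m = FLAGS_RE.search(line)
        if not m or m.group(2).startswith("0x"):  # numeric compare values are not checked here
            continue
        mask, value = (set(g.split("|")) for g in m.groups())
        if not value <= mask:
            bad.append(line.strip())
    return bad


def missing_hairpin_dnat(text, ext_if="$EXTIF", lan_if="$INTIF"):
    """DNAT targets reachable from ext_if with no equivalent rule from lan_if.

    That is the gap the addendum closes: LAN clients hitting the public IP never
    traverse the external-interface rule, so they need a DNAT rule of their own.
    """
    seen = {}
    for line in text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            iif, daddr, proto, port, target = m.groups()
            seen.setdefault((daddr, proto, port, target), set()).add(iif)
    return sorted(
        f"ip daddr {d} {p} dport {port} dnat to {t}"
        for (d, p, port, t), iifs in seen.items()
        if ext_if in iifs and lan_if not in iifs
    )
```

Point both functions at the text of your own nft file (for example `open("/etc/nftables.conf").read()`) to get the list of rules that can never match and the published services that LAN clients cannot reach through the public IP.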


Categorised as: firewall | Linux | Networking | Work
