{"id":1923,"date":"2021-05-28T09:28:40","date_gmt":"2021-05-28T07:28:40","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=1923"},"modified":"2023-06-22T15:44:36","modified_gmt":"2023-06-22T13:44:36","slug":"ale2-nftables-firewall-per-dmz","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=1923","title":{"rendered":"Ale2 nftables Firewall per DMZ"},"content":{"rendered":"

A proposito di ZendTo<\/a> mi sono dovuto riscrivere lo script di firewall per gestire la DMZ.
\nGi\u00e0 in passato avevo fatto un lavoro del genere per un CRM che non \u00e8 mai decollato veramente, oggi l’ho riscritto per nftables, per dire la verit\u00e0 mi sono detto \u00e8 inutile e stupido che vai a scoprire di nuovo l’acqua calda, ispirati a qualcosa che funziona scritto da qualcuno che sa cosa scrive, quindi senza tanti giri mi sono preso le idee di Carlo Contavalli<\/a> che ne sa decisamente parecchio e le ho riscritte secondo la mia esigenza in nftables.<\/p>\n

il risultato \u00e8 questo :<\/p>\n

#!\/usr\/sbin\/nft -f
\ninclude “\/usr\/local\/bin\/vars<\/a>”
\ninclude “\/usr\/local\/bin\/definitions<\/a>”
\nflush ruleset
\nadd table inet firewall
\nadd table inet fw-nat
\nadd table inet fail2ban
\nadd table netdev noddos<\/p>\n

add chain netdev noddos ingress { type filter hook ingress device eth0 priority -500; }
\nadd chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
\nadd chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
\nadd chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
\nadd chain inet fw-nat PREROUTING { type nat hook prerouting priority -100; }
\nadd chain inet fw-nat POSTROUTING { type nat hook postrouting priority 100; }
\nadd chain inet fail2ban input { type filter hook input priority 100; }
\nadd chain inet firewall IPS { type filter hook forward priority 10; }
\nadd chain inet firewall LANDMZ
\nadd chain inet firewall LANINET
\nadd chain inet firewall DMZINET
\nadd chain inet firewall DMZLAN
\nadd chain inet firewall INETDMZ
\nadd chain inet firewall INETLAN<\/p>\n

add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 22 counter dnat to $GRECALE:22
\nadd rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 80 counter dnat to $GRECALE:80
\nadd rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 443 counter dnat to $GRECALE:443
\nadd rule inet fw-nat PREROUTING iif $EXTIF ip daddr $WEBIP tcp dport 1922 counter dnat to $GRECALE:1922<\/p>\n

###vedi addendum a fine pagina<\/h3>\n

add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 22 meta nftrace set 1 counter dnat to $GRECALE:22
\nadd rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 80 counter dnat to $GRECALE:80
\nadd rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 443 counter dnat to $GRECALE:443
\nadd rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 1922 counter dnat to $GRECALE:1922
\n###<\/p>\n

add rule inet fw-nat PREROUTING iif $EXTIF ip daddr $VPNIP tcp dport 775 counter dnat to $CHIMERA:775
\nadd rule inet fw-nat PREROUTING iif $EXTIF ip daddr $VPNIP tcp dport 1194 counter dnat to $CHIMERA:1194
\nadd rule inet fw-nat PREROUTING tcp flags & (syn|ack) == syn|ack ct state new drop
\nadd rule inet fw-nat PREROUTING tcp flags & (fin|syn) == fin|syn drop
\nadd rule inet fw-nat PREROUTING tcp flags & (syn|rst) == fin|rst drop
\nadd rule inet fw-nat PREROUTING tcp flags & (fin|rst) == fin|rst drop
\nadd rule inet fw-nat PREROUTING tcp flags & (fin|ack) == fin drop
\nadd rule inet fw-nat PREROUTING tcp flags & (psh|ack) == psh drop
\nadd rule inet fw-nat PREROUTING tcp flags & (ack|urg) == urg counter drop<\/p>\n

add rule inet firewall FORWARD ct state { established, related } counter accept
\nadd rule inet firewall FORWARD ct state invalid counter drop
\nadd rule inet firewall FORWARD iif $EXTIF oif $INTIF ip daddr $CHIMERA tcp dport { 775, 1194 } ct state new accept
\nadd rule inet firewall FORWARD iif $INTIF oif $DMZIF counter jump LANDMZ
\nadd rule inet firewall FORWARD iif $INTIF oif $EXTIF counter jump LANINET
\nadd rule inet firewall FORWARD iif $DMZIF oif $EXTIF counter jump DMZINET
\nadd rule inet firewall FORWARD iif $DMZIF oif $INTIF counter jump DMZLAN
\nadd rule inet firewall FORWARD iif $EXTIF oif $DMZIF counter jump INETDMZ
\nadd rule inet firewall FORWARD iif $EXTIF oif $INTIF counter jump INETLAN
\nadd rule inet firewall LANDMZ ip saddr != $LAN counter drop
\nadd rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 80 counter accept
\nadd rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 443 counter accept
\nadd rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 22 counter accept
\nadd rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 1922 counter accept
\nadd rule inet firewall LANDMZ ip daddr $GRECALE tcp dport 53 counter accept
\nadd rule inet firewall LANDMZ ip daddr $GRECALE udp dport 53 counter accept
\nadd rule inet firewall LANDMZ ct state { new,related,established } counter accept
\nadd rule inet firewall LANDMZ ct state invalid counter drop
\nadd rule inet firewall LANDMZ ip protocol tcp counter reject with tcp reset
\nadd rule inet firewall DMZLAN ip saddr != $DMZ counter drop
\nadd rule inet firewall DMZLAN ct state { related,established } counter accept
\nadd rule inet firewall DMZLAN ct state invalid counter drop
\nadd rule inet firewall DMZLAN ip protocol tcp counter reject with tcp reset
\nadd rule inet firewall LANINET ip saddr != $LAN counter drop
\nadd rule inet firewall LANINET tcp dport 21 counter accept
\nadd rule inet firewall LANINET ct state { new,related,established } counter accept
\nadd rule inet firewall LANINET ct state invalid counter drop
\nadd rule inet firewall LANINET ip protocol tcp counter reject with tcp reset
\nadd rule inet firewall INETLAN ip saddr $LAN counter drop
\nadd rule inet firewall INETLAN ip saddr $DMZ counter drop
\nadd rule inet firewall INETLAN ct state { related,established } counter accept
\nadd rule inet firewall INETLAN ct state invalid counter drop
\nadd rule inet firewall INETLAN ip protocol tcp counter reject with tcp reset
\nadd rule inet firewall INETDMZ ip saddr $LAN counter drop
\nadd rule inet firewall INETDMZ ip saddr $DMZ counter drop
\nadd rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 80 counter accept
\nadd rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 22 counter accept
\nadd rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 53 counter accept
\nadd rule inet firewall INETDMZ ip daddr $GRECALE udp dport 53 counter accept
\nadd rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 1922 counter accept
\nadd rule inet firewall INETDMZ ip daddr $GRECALE tcp dport 443 counter accept
\nadd rule inet firewall INETDMZ ct state { new,related,established } counter accept
\nadd rule inet firewall INETDMZ ct state invalid counter drop
\nadd rule inet firewall INETDMZ ip protocol tcp counter reject with tcp reset
\nadd rule inet firewall DMZINET ip saddr != $DMZ counter drop
\nadd rule inet firewall DMZINET ip saddr $GRECALE tcp dport 80 counter accept
\nadd rule inet firewall DMZINET ip saddr $GRECALE tcp dport 443 counter accept
\nadd rule inet firewall DMZINET ip saddr $GRECALE tcp dport 53 counter accept
\nadd rule inet firewall DMZINET ip saddr $GRECALE udp dport 53 counter accept
\nadd rule inet firewall DMZINET ct state { new,related,established } counter accept
\nadd rule inet firewall DMZINET ct state invalid counter drop
\nadd rule inet firewall DMZINET ip protocol tcp counter reject with tcp reset
\nadd rule inet firewall INPUT tcp dport 1922 counter accept
\nadd rule inet firewall INPUT iif $INTIF ip saddr $PERSEO udp dport 694 ct state { new,related,established } counter accept
\nadd rule inet firewall INPUT ct state { related,established } counter accept
\nadd rule inet firewall INPUT ct state invalid counter drop
\nadd rule inet firewall INPUT ip protocol tcp counter reject with tcp reset
\nadd rule inet firewall OUTPUT ct state { new,related,established } counter accept
\nadd rule inet firewall OUTPUT ct state invalid counter drop
\nadd rule inet firewall FORWARD ip frag-off != 0 ip protocol icmp counter drop
\nadd rule netdev noddos ingress iif $EXTIF ip saddr {$GOOD_BOYS} counter accept
\nadd rule netdev noddos ingress iif $EXTIF ip saddr {$RESERVED_NET} counter drop
\nadd rule netdev noddos ingress ip frag-off & 0x1fff != 0 counter drop
\nadd rule netdev noddos ingress tcp flags & (fin|syn|rst|psh|ack|urg) == fin|syn|rst|psh|ack|urg counter drop
\nadd rule netdev noddos ingress tcp flags & (fin|syn|rst|psh|ack|urg) == 0x0 counter drop
\nadd rule netdev noddos ingress tcp flags syn tcp option maxseg size 1-536 counter drop
\n#add rule inet fw-nat POSTROUTING oif $EXTIF ip saddr $LAN counter snat to $EXTIP
\n#add rule inet fw-nat POSTROUTING oif $EXTIF ip saddr $DMZ counter snat to $WEBIP
\nadd rule inet fw-nat POSTROUTING masquerade
\nCome al solito lo SNAT non funziona, o meglio funziona dalla ditta ma se cerco di collegarmi via VPN non c’\u00e8 verso, nel momento in cui cambio da SNAT a masquerade la vpn parte come un razzo, questa cosa mi da il mal di testa e prima o poi ne verr\u00f2 fuori.<\/p>\n

Addendum:
\nMurphy<\/a> come al solito ci si mette e ti rovina le cose.<\/p>\n

il nostro GW aziendale lato lan \u00e8 il .241 finale, che ovviamente risiede sulla macchina dove gira il firewall, molto bene uscendo da quel GW invece che da quello di test non funziona piu’ niente.
\nDopo averci sbattuto parecchio la testa, ho provato a chiedere consiglio su un gruppo di informatici su Facebook, e uno di questi mi ha parlato di un problema simile che ha risolto in un certo modo, quindi ragiona ragiona ragiona ho aggiunto questi rules e tutto ha cominciato a funzionare a dovere<\/p>\n

add rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 22 meta nftrace set 1 counter dnat to $GRECALE:22
\nadd rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 80 counter dnat to $GRECALE:80
\nadd rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 443 counter dnat to $GRECALE:443
\nadd rule inet fw-nat PREROUTING ip saddr $LAN iif $INTIF ip daddr $WEBIP tcp dport 1922 counter dnat to $GRECALE:1922<\/p>\n

Il nftrace mi e’ servito per fare la prova del nove e dato che tutto sommato non disturba lo lascio.<\/p>\n","protected":false},"excerpt":{"rendered":"

A proposito di ZendTo mi sono dovuto riscrivere lo script di firewall per gestire la DMZ. Gi\u00e0 in passato avevo fatto un lavoro del genere per un CRM che non \u00e8 mai decollato veramente, oggi l’ho riscritto per nftables, per dire la verit\u00e0 mi sono detto \u00e8 inutile e stupido che vai a scoprire di […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[109,8,14,6],"tags":[207,180,25],"class_list":["post-1923","post","type-post","status-publish","format-standard","hentry","category-firewall","category-linux","category-networking","category-work","tag-dmz","tag-nftables","tag-script-2"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1923","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1923"}],"version-history":[{"count":11,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1923\/revisions"}],"predecessor-version":[{"id":2430,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/1923\/revisions\/2430"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1923"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1923"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1923"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}