Here is my test nft ruleset. Everything works except table inet test, even though table f2b-table is almost identical (apart from drop vs. accept) and works fine:
    table inet f2b-table {
        set addr-set-sshd {
            type ipv4_addr
            elements = { 0.0.0.0 }
        }
        chain input {
            type filter hook input priority filter - 1; policy accept;
            tcp dport { 222 } ip saddr @addr-set-sshd drop
        }
    }
    table inet default {
        set full_op_port {
            type inet_service
            elements = { 222 }
        }
        set allowed_ips {
            type ipv4_addr
            elements = { 0.0.0.0 }
        }
        chain INPUT {
            type filter hook input priority filter; policy drop;
            ct state invalid drop
            ct state { established, related } accept
            iif "lo" accept
            tcp dport @full_op_port accept
            ip saddr @allowed_ips accept
            ip protocol icmp accept
            counter packets 17 bytes 884
        }
        chain FORWARD {
            type filter hook forward priority filter; policy drop;
        }
        chain OUTPUT {
            type filter hook output priority filter; policy accept;
        }
    }
    table ip test {
        chain PREROUTING {
            type nat hook prerouting priority filter; policy accept;
        }
        chain POSTROUTING {
            type nat hook postrouting priority srcnat; policy accept;
        }
        chain FORWARD {
            type filter hook forward priority filter; policy drop;
        }
    }
    table inet test {
        set op_port {
            type inet_service
            elements = { 8888 }
        }
        chain INPUT {
            type filter hook input priority filter - 2; policy accept;
            tcp dport @op_port accept
        }
    }
I see the packets in tcpdump, and I see them when I add a counter in table inet test, but the packets are not accepted. What am I doing wrong?
I'm adding another answer with examples to clarify the unexpected consequences of mixing policies across "multiple base chains of the same family, type and hook". Although these priorities can be the same, they never should be. A lower priority number means higher priority and runs first. A misapplied drop policy can have unintended consequences for traffic you intended to accept. As for the effect of mixing the inet family with ip and ip6, I won't even begin to be dogmatic, except to say it is probably a bad idea.
Warning: these examples badly break IPv4 traffic and were run on a virtual machine, so buyer beware! Example of a bad drop policy:
    table inet filter {
        chain input1 {
            type filter hook input priority filter + 1; policy drop;
            tcp dport 80 log prefix "input1_" # SEEN
        }
        # input2 chain not evaluated as there is no traffic left after input1
        chain input2 {
            type filter hook input priority filter + 2; policy accept;
            tcp dport 80 accept
            tcp dport 80 log prefix "input2_"
        }
    }
Example of an OK drop policy:
    table inet filter {
        chain input1 {
            type filter hook input priority filter + 1; policy accept;
            tcp dport 80 log prefix "input1_" # SEEN
        }
        chain input2 {
            type filter hook input priority filter + 2; policy drop;
            tcp dport 80 accept
            tcp dport 80 log prefix "input2_" # NOT SEEN due to previous accept
        }
    }
Example of a bad accept policy:
    table inet filter {
        chain input1 {
            type filter hook input priority filter + 1; policy accept;
            tcp dport 80 accept
            tcp dport 80 log prefix "input1_" # NOT SEEN due to previous accept
        }
        chain input2 {
            type filter hook input priority filter + 2; policy drop;
            tcp dport 80 log prefix "input2_" # SEEN - chain evaluates
            # all traffic dropped here by policy including accepted input1 traffic
        }
    }
Example of an OK accept policy:
    table inet filter {
        chain input1 {
            type filter hook input priority filter + 1; policy accept;
            tcp dport 80 log prefix "input1_" # SEEN
        }
        chain input2 {
            type filter hook input priority filter + 2; policy drop;
            tcp dport 80 accept
            tcp dport 80 log prefix "input2_" # NOT SEEN due to previous accept
        }
    }
As stated in the nft man page, anything dropped by a rule or by a policy is dropped immediately, with no further processing of lower-priority base chains. Accept does not: it short-circuits the remaining rules at the current priority and hands the packet over to the next lower priority, but there it will still be dropped if a rule drops it explicitly, or if the policy drops it implicitly because no rule accepts it.
Perhaps the simplest approach is to use a single base chain and jump/goto non-base chains, which is effectively how iptables works.
From the nft man page:
    accept: Terminate ruleset evaluation and accept the packet. The packet can still be dropped later by another hook, for instance accept in the forward hook still allows one to drop the packet later in the postrouting hook, or another forward base chain that has a higher priority number and is evaluated afterwards in the processing pipeline.
Your default table base chain at priority 0 is evaluated after your test table base chain at priority -2, and because it has a drop policy and the packet matches nothing there, it is dropped.
The man page is confusing about this. For the accept verdict, "terminate ruleset evaluation and accept the packet" really only terminates the view of the ruleset at the given base chain priority. Other base chains of the same type, hook and family with lower priority (a higher priority number) will still run afterwards and can override it, by rule or by policy. This is unlike the drop verdict, where everything stops and the packet is dropped immediately. You can see this in action using logging:
    nft flush ruleset
    nft create table ip table1
    nft add chain ip table1 input1 { type filter hook input priority filter\; policy drop\; }
    nft add rule ip table1 input1 tcp dport != 8888 accept
    nft add rule ip table1 input1 tcp dport 8888 log prefix \"TABLE1_INPUT1 DROPPING \" level info
    nft create table ip table2
    nft add chain ip table2 input2 { type filter hook input priority filter - 1\; policy accept\; }
    nft add rule ip table2 input2 tcp dport != 8888 accept
    nft add rule ip table2 input2 tcp dport 8888 log prefix \"TABLE2_INPUT2 BEFORE \" level info
    nft add rule ip table2 input2 tcp dport 8888 accept
    nft add rule ip table2 input2 tcp dport 8888 log prefix \"TABLE2_INPUT2 AFTER \" level info
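The two answers above describe the same rule: accept ends only the base chain that issued it, drop ends processing for the packet, and base chains on one hook run in ascending priority order. The following is an added teaching model of exactly that, not nft code and not from either answerer; it transcribes the first answer's input1/input2 rulesets, the second answer's table1/table2 logging setup, and the question's three input-hook chains (the f2b-table chain is modelled without its port-222 rule, which is irrelevant to port 8888), and reports the final verdict together with the log prefixes a packet would produce.

```python
"""Model of how nftables combines verdicts from several base chains on one
hook. Added example, not nft code: accept ends only the base chain that issued
it, drop ends processing for the packet, base chains run in priority order."""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Rule:
    match: Callable[[int], bool]          # predicate on the TCP destination port
    verdict: Optional[str] = None         # "accept", "drop", or None (non-terminal)
    log: Optional[str] = None             # log prefix recorded when the rule matches


@dataclass
class BaseChain:
    name: str
    priority: int                         # lower number runs first
    policy: str                           # "accept" or "drop"
    rules: list = field(default_factory=list)


def port(n):
    return lambda p: p == n


def not_port(n):
    return lambda p: p != n


def evaluate(chains, dport):
    """Return (final verdict, log prefixes seen) for a TCP packet to `dport`."""
    logs = []
    for chain in sorted(chains, key=lambda c: c.priority):
        verdict = chain.policy            # applies if no rule gives a verdict
        for rule in chain.rules:
            if not rule.match(dport):
                continue
            if rule.log:
                logs.append(rule.log)
            if rule.verdict:
                verdict = rule.verdict
                break                     # accept/drop ends this base chain
        if verdict == "drop":
            return "drop", logs           # drop: no further base chains run
        # accept only hands the packet to the next base chain on this hook
    return "accept", logs


def answer_examples():
    """The first answer's three distinct input1/input2 combinations, port 80."""
    bad_drop = [BaseChain("input1", 1, "drop", [Rule(port(80), log="input1_")]),
                BaseChain("input2", 2, "accept", [Rule(port(80), "accept"),
                                                   Rule(port(80), log="input2_")])]
    ok_drop = [BaseChain("input1", 1, "accept", [Rule(port(80), log="input1_")]),
               BaseChain("input2", 2, "drop", [Rule(port(80), "accept"),
                                                Rule(port(80), log="input2_")])]
    bad_accept = [BaseChain("input1", 1, "accept", [Rule(port(80), "accept"),
                                                     Rule(port(80), log="input1_")]),
                  BaseChain("input2", 2, "drop", [Rule(port(80), log="input2_")])]
    return {"bad_drop_policy": evaluate(bad_drop, 80),
            "ok_drop_policy": evaluate(ok_drop, 80),
            "bad_accept_policy": evaluate(bad_accept, 80)}


def logging_example(dport):
    """The second answer's table1/table2 logging demonstration."""
    input1 = BaseChain("table1 input1", 0, "drop", [
        Rule(not_port(8888), "accept"),
        Rule(port(8888), log="TABLE1_INPUT1 DROPPING ")])
    input2 = BaseChain("table2 input2", -1, "accept", [
        Rule(not_port(8888), "accept"),
        Rule(port(8888), log="TABLE2_INPUT2 BEFORE "),
        Rule(port(8888), "accept"),
        Rule(port(8888), log="TABLE2_INPUT2 AFTER ")])
    return evaluate([input1, input2], dport)


def question_case(dport):
    """The question's input-hook chains: test (-2), f2b-table (-1), default (0).
    The f2b-table rule only concerns port 222, so it is left out here."""
    chains = [BaseChain("inet test INPUT", -2, "accept", [Rule(port(8888), "accept")]),
              BaseChain("inet f2b-table input", -1, "accept", []),
              BaseChain("inet default INPUT", 0, "drop", [Rule(port(222), "accept")])]
    return evaluate(chains, dport)


if __name__ == "__main__":
    for name, result in answer_examples().items():
        print(f"{name}: {result}")
    print("logging example, port 8888:", logging_example(8888))
    print("question, port 8888:", question_case(8888))
```

Running it shows the "bad accept" case dropping port 80 after input1 accepted it, the logging case emitting only the BEFORE and DROPPING prefixes, and the question's port 8888 packet being accepted in table inet test and then dropped by the default table's policy.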
Let's focus on Podman now. I added this to /etc/containers/containers.conf:
    [network]
    network_backend="netavark"
    firewall_driver="nftables"
Podman correctly creates the appropriate tables and rules so that containers work. But when I create my own rules in a separate table, hooked into the filter hook with priority +10 and a default policy of drop, I still drop Podman's traffic. As far as I can tell, there is no way to accept Podman's traffic other than copying its rules or creating rules for Podman by hand. Am I missing something there? I'd love to use raw nftables, but this is a major problem for me.
Here is my ruleset after restoring nftables from the file:
    table inet myfilter {
        chain INPUT {
            type filter hook input priority filter + 10; policy drop;
            ct state invalid counter packets 1 bytes 36 drop comment "early drop of invalid packets"
            ct state { established, related } counter packets 181 bytes 15768 accept
            iif "lo" accept comment "accept loopback"
            iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop
            iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop
            ip protocol icmp counter packets 2 bytes 104 accept
            meta l4proto ipv6-icmp counter packets 0 bytes 0 accept
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport 22 counter packets 0 bytes 0 accept comment "accept SSH"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } udp dport 546 counter packets 0 bytes 0 accept comment "accept dhcpv6-client"
        }
        chain FORWARD {
            type filter hook forward priority filter + 10; policy drop;
        }
        chain OUTPUT {
            type filter hook output priority filter + 10; policy accept;
        }
        chain media {
            iifname "bridge3" ip saddr 192.168.3.0/24 tcp dport { 8096, 8920 } counter packets 0 bytes 0 accept comment "allow jellyfin"
            iifname "bridge3" ip saddr 192.168.3.0/24 tcp dport { 1900, 7359 } counter packets 0 bytes 0 accept comment "allow jellyfin"
        }
    }
Here is the ruleset after restarting Podman:
    table inet myfilter {
        chain INPUT {
            type filter hook input priority filter + 10; policy drop;
            ct state invalid counter packets 2 bytes 72 drop comment "early drop of invalid packets"
            ct state { established, related } counter packets 1694 bytes 147442 accept comment "accept all connections related to connections made by us"
            iif "lo" accept comment "accept loopback"
            iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
            iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
            ip protocol icmp counter packets 135 bytes 7020 accept comment "accept all ICMP types"
            meta l4proto ipv6-icmp counter packets 0 bytes 0 accept comment "accept all ICMP types"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport 22 counter packets 0 bytes 0 accept comment "accept SSH"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport 9090 counter packets 0 bytes 0 accept comment "accept cockpit"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport 22000 counter packets 0 bytes 0 accept comment "accept syncthing"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } udp dport { 21027, 22000 } counter packets 18 bytes 7182 accept comment "accept syncthing"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } udp dport 138 counter packets 0 bytes 0 accept comment "accept samba"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport { 139, 445 } counter packets 0 bytes 0 accept comment "accept samba"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport { 8096, 8920 } counter packets 0 bytes 0 accept comment "allow jellyfin"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport { 1900, 7359 } counter packets 0 bytes 0 accept comment "allow jellyfin"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport 8334 counter packets 0 bytes 0 accept comment "allow filestash"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport 3389 counter packets 0 bytes 0 accept comment "allow filestash"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } tcp dport 8384 counter packets 0 bytes 0 accept comment "allow filestash"
            iifname { "ens5", "eno1.50", "bridge1" } ip saddr { 192.168.1.0/24, 192.168.5.0/24, 192.168.10.0/24, 192.168.50.0/24 } udp dport 546 counter packets 0 bytes 0 accept comment "accept dhcpv6-client"
        }
        chain FORWARD {
            type filter hook forward priority filter + 10; policy drop;
        }
        chain OUTPUT {
            type filter hook output priority filter + 10; policy accept;
        }
        chain media {
            iifname "bridge3" ip saddr 192.168.3.0/24 tcp dport { 8096, 8920 } counter packets 0 bytes 0 accept comment "allow jellyfin"
            iifname "bridge3" ip saddr 192.168.3.0/24 tcp dport { 1900, 7359 } counter packets 0 bytes 0 accept comment "allow jellyfin"
        }
    }
    table inet netavark {
        chain INPUT {
            type filter hook input priority filter; policy accept;
            ip saddr 10.88.0.0/16 udp dport 53 accept
        }
        chain FORWARD {
            type filter hook forward priority filter; policy accept;
            ct state invalid drop
            jump NETAVARK-ISOLATION-1
            ip daddr 10.88.0.0/16 ct state established,related accept
            ip saddr 10.88.0.0/16 accept
        }
        chain POSTROUTING {
            type nat hook postrouting priority srcnat; policy accept;
            meta mark & 0x00002000 == 0x00002000 masquerade
            ip saddr 10.88.0.0/16 jump nv_2f259bab_10_88_0_0_nm16
        }
        chain PREROUTING {
            type nat hook prerouting priority dstnat; policy accept;
            fib daddr type local jump NETAVARK-HOSTPORT-DNAT
        }
        chain OUTPUT {
            type nat hook output priority dstnat; policy accept;
            fib daddr type local jump NETAVARK-HOSTPORT-DNAT
        }
        chain NETAVARK-HOSTPORT-DNAT {
            tcp dport 8334 jump nv_2f259bab_10_88_0_0_nm16_dnat
        }
        chain NETAVARK-HOSTPORT-SETMARK {
            meta mark set meta mark | 0x00002000
        }
        chain NETAVARK-ISOLATION-1 {
        }
        chain NETAVARK-ISOLATION-2 {
        }
        chain NETAVARK-ISOLATION-3 {
            oifname "podman0" drop
            jump NETAVARK-ISOLATION-2
        }
        chain nv_2f259bab_10_88_0_0_nm16 {
            ip daddr 10.88.0.0/16 accept
            ip daddr != 224.0.0.0/4 masquerade
        }
        chain nv_2f259bab_10_88_0_0_nm16_dnat {
            ip saddr 10.88.0.0/16 tcp dport 8334 jump NETAVARK-HOSTPORT-SETMARK
            ip saddr 127.0.0.1 tcp dport 8334 jump NETAVARK-HOSTPORT-SETMARK
            tcp dport 8334 dnat ip to 10.88.0.2:8334
        }
    }
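Both the original question and the Podman ruleset above have the same shape: a base chain with an accept policy at a lower priority number, followed on the same hook by a base chain with a drop policy. The check below is an added helper written for this thread, not part of nftables, netavark or Podman. It parses the text of `nft list ruleset`, groups base chains by type and hook (treating inet chains as overlapping ip and ip6 ones), and reports a drop-policy chain that runs after another chain on the same hook, as well as two chains that share a priority, which the first answer says should never happen. The two embedded rulesets are transcriptions of the base-chain headers from the question and from the Podman ruleset, with the rules left out since only the headers matter for this check.

```python
"""Static check for base chains that interact on one nftables hook.
Added helper for this thread, not part of nftables or Podman."""
import re
from collections import defaultdict

# Standard priority names for the ip/ip6/inet families, as listed in nft(8).
PRIORITY_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100,
                  "filter": 0, "security": 50, "srcnat": 100}
TABLE_RE = re.compile(r"^\s*table\s+(\w+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
BASE_RE = re.compile(r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+([^;]+);"
                     r"\s*policy\s+(\w+);")

# Base-chain headers transcribed from the question's ruleset (rules omitted).
QUESTION_RULESET = """
table inet f2b-table {
    chain input { type filter hook input priority filter - 1; policy accept; }
}
table inet default {
    chain INPUT { type filter hook input priority filter; policy drop; }
    chain FORWARD { type filter hook forward priority filter; policy drop; }
    chain OUTPUT { type filter hook output priority filter; policy accept; }
}
table ip test {
    chain PREROUTING { type nat hook prerouting priority filter; policy accept; }
    chain POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }
    chain FORWARD { type filter hook forward priority filter; policy drop; }
}
table inet test {
    chain INPUT { type filter hook input priority filter - 2; policy accept; }
}
"""
# Filter base chains transcribed from the Podman ruleset (rules omitted).
PODMAN_RULESET = """
table inet myfilter {
    chain INPUT { type filter hook input priority filter + 10; policy drop; }
    chain FORWARD { type filter hook forward priority filter + 10; policy drop; }
}
table inet netavark {
    chain INPUT { type filter hook input priority filter; policy accept; }
    chain FORWARD { type filter hook forward priority filter; policy accept; }
}
"""


def parse_priority(expr):
    """Turn 'filter - 2', 'filter + 10', 'srcnat' or '-100' into an integer."""
    m = re.fullmatch(r"([a-z]+)?([+-]?\d+)?", expr.replace(" ", ""))
    if not m or not m.group(0):
        raise ValueError(f"unparseable priority: {expr!r}")
    name, offset = m.groups()
    return (PRIORITY_NAMES[name] if name else 0) + (int(offset) if offset else 0)


def parse_base_chains(text):
    """One dict per base chain found in `nft list ruleset` output."""
    chains, family, table, chain = [], None, None, None
    for line in text.splitlines():
        if m := TABLE_RE.match(line):
            family, table = m.groups()
        if m := CHAIN_RE.match(line):
            chain = m.group(1)
        if m := BASE_RE.search(line):
            ctype, hook, prio, policy = m.groups()
            chains.append({"id": f"{family} {table} {chain}", "family": family,
                           "type": ctype, "hook": hook,
                           "priority": parse_priority(prio), "policy": policy})
    return chains


def families_overlap(a, b):
    """An inet chain sees the same IPv4/IPv6 packets as an ip/ip6 chain does."""
    return a == b or "inet" in (a, b)


def find_conflicts(chains):
    """Return (kind, earlier_chain_id, later_chain_id) tuples, in hook order."""
    groups = defaultdict(list)
    for c in chains:
        groups[(c["type"], c["hook"])].append(c)
    findings = []
    for group in groups.values():
        group.sort(key=lambda c: (c["priority"], c["id"]))
        for i, earlier in enumerate(group):
            for later in group[i + 1:]:
                if not families_overlap(earlier["family"], later["family"]):
                    continue
                if earlier["priority"] == later["priority"]:
                    findings.append(("same_priority", earlier["id"], later["id"]))
                elif later["policy"] == "drop":
                    # accept in `earlier` only ends that chain; `later` still runs
                    # and its policy drops whatever it does not accept again.
                    findings.append(("drop_policy_after", earlier["id"], later["id"]))
    return findings


def lint(text):
    """Human-readable findings for one ruleset text."""
    return [f"{kind}: {a} -> {b}" for kind, a, b in find_conflicts(parse_base_chains(text))]


if __name__ == "__main__":
    for label, text in (("question", QUESTION_RULESET), ("podman", PODMAN_RULESET)):
        print(label)
        for line in lint(text):
            print("  ", line)
```

On the question's ruleset it reports the default table's INPUT chain (priority 0, drop) running after both inet test INPUT (-2) and f2b-table input (-1), plus the two FORWARD chains in tables inet default and ip test sharing priority 0. On the Podman ruleset it reports myfilter's INPUT and FORWARD chains (priority 10, drop) running after netavark's accept-policy chains at priority 0, which is exactly why netavark's accept verdicts do not survive. Feed it the real output of `nft list ruleset` to check a live host.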