Instale o pacote
# Debian/Ubuntu: installs the nft CLI and the nftables.service unit that loads /etc/nftables.conf
# apt install nftables
Habilite e reinicie o serviço do NFTABLES.
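# Parse the file BEFORE (re)starting: the unit loads /etc/nftables.conf, which begins with
# "flush ruleset", so a syntax error leaves the host with no rules at all, and a logic error in a
# "policy drop" chain can lock you out of a remote session. -c checks without applying anything.
# nft -c -f /etc/nftables.conf
# systemctl enable nftables.service && systemctl restart nftables.service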
Comandos para validar a execução ou limpar
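# nft list ruleset <- List the active rules (every family and table)
# nft list tables <- List all tables
# nft flush ruleset <- Remove EVERY table, chain and rule (filter AND nat). With a "policy drop" ruleset the host is left with no firewall until the file is reloaded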
Após a instalação do pacote nftables, o arquivo base /etc/nftables.conf é criado (é esse arquivo que o nftables.service carrega ao iniciar).
# The file nftables.service loads on start; validate it with "nft -c -f" before restarting the service
# vi /etc/nftables.conf
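#!/usr/sbin/nft -f
# Skeleton shipped with the Debian package. The three base chains are attached to the kernel
# hooks but hold no rules and -- without a "policy" keyword -- default to accept, so nothing is
# filtered until rules and "policy drop" are added. The policy is written out here so that the
# open default is visible instead of implicit.
flush ruleset
# Families: ip, ip6, inet (ip + ip6 in a single table), arp, bridge, netdev
table inet filter {
	chain input {
		type filter hook input priority 0; policy accept;
	}
	chain forward {
		type filter hook forward priority 0; policy accept;
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}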
Arquivo com tabela FILTER e NAT
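# Filter (IPv4 + IPv6 through the "inet" family) plus IPv4-only NAT. Every chain is still
# "policy accept": this is a skeleton and blocks nothing until rules / "policy drop" are added.
# The named priorities "filter", "srcnat" and "dstnat" are the same values as the 0, 100 and
# -100 used in the command-line examples of these notes; older nft versions only accept the numbers.
table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}
# "ip" family: only IPv4 is translated. IPv6 traffic is not NATed by this table.
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
	}
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
	}
}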
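# Accept new/established SSH, one rule per interface so that each interface is bound to its own
# source network. The original single rule used a set on iifname AND a set on saddr, which
# matches the cross product: a packet arriving on $IFEXT with a spoofed $NETINT source would be
# accepted. It also targeted table "ip filter" although the file above creates "inet filter".
# nft add rule inet filter input iifname $IFINT ip saddr $NETINT tcp dport ssh ct state {new,established} counter accept
# nft add rule inet filter input iifname $IFEXT ip saddr $NETEXT tcp dport ssh ct state {new,established} counter accept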
Regras de pós roteamento:
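# Source NAT for the internal network leaving through eth0. Numeric priority 100 is "srcnat".
# nft add table nat
# nft 'add chain nat postrouting { type nat hook postrouting priority 100 ; }'
# Keep the "ip saddr" match: a bare "oifname eth0 masquerade" would NAT every packet leaving
# eth0, whatever its origin. (The stray second "#" prompt of the original line is removed.)
# nft add rule nat postrouting oifname eth0 ip saddr 10.0.0.0/24 counter masquerade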
Liste as regras em execução:
# Expected output after the commands above.
# NOTE(review): the listing shows a bare "masquerade" with no oifname / ip saddr match. That is
# not the rule added above (restricted to oifname eth0 and 10.0.0.0/24); a bare masquerade
# translates every packet leaving every interface. Re-check which rule was really loaded.
# nft list ruleset
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
masquerade
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
}
}
VALIDAR
# Use this rule when the external address is dynamic: masquerade uses the interface's current address
nft add rule ip nat postrouting oifname $IFEXT ip saddr $NETINT counter masquerade
# Use this rule when the external address is static ($IPEXT is not defined in the files of these notes; set it)
nft add rule ip nat postrouting oifname $IFEXT ip saddr $NETINT counter snat to $IPEXT
# Same as the first rule: with no family given, "nat" resolves to table "ip nat"
# nft add rule nat postrouting oifname $IFEXT ip saddr $NETINT counter masquerade
# nat table plus a dstnat (prerouting, priority -100) base chain for the redirect rules further down
# nft add table nat
# nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
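# Building the input chain by hand. The original "nft add chain inet filter input { }" creates a
# REGULAR chain (no hook): rules added to it are never evaluated by the kernel. A base chain
# needs type, hook and priority. "policy drop" takes effect at once, so add the established
# rule right after it -- or, better, put all of this in /etc/nftables.conf and load it atomically
# with "nft -f".
# nft add table inet filter
# nft add chain inet filter input { type filter hook input priority 0\; policy drop\; }
# nft add rule inet filter input ct state invalid counter drop
# nft add rule inet filter input icmp type timestamp-request counter drop
# nft add rule inet filter input ct state established,related counter accept
# nft add rule inet filter input iifname "lo" counter accept
# nft add rule inet filter input iifname eth0 ip saddr 192.168.1.0/24 tcp dport 22 ct state new,established counter accept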
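# "add chain" on the command line takes only the chain definition; a rule cannot be written
# inside its braces (the original put "ct state invalid counter drop" there). Add the rule separately.
# nft add chain inet filter input { type filter hook input priority 0\; policy accept\; }
# nft add rule inet filter input ct state invalid counter drop
# Accepts EVERY ICMP type from any source on the external interface. Prefer "icmp type echo-request"
# and send it through a rate-limiting chain (see the ping-flood chain later in these notes).
# nft add rule inet filter input iifname $IFEXT ip protocol icmp ip saddr $ANY counter accept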
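# Deleting and replacing. Rule handles (-a) are assigned at load time and change after every
# reload: read them from "nft -a list ..." right before use, never hard-code them in scripts.
# Chain names are case-sensitive; the chains in these notes are lower-case ("input") -- the
# "INPUT" in the original replace command was an iptables-ism and would not be found.
# nft delete chain inet filter input
# nft delete table inet filter
# nft -a list ruleset
# nft -a list table inet filter
# nft delete rule inet filter input handle 10
# nft replace rule inet filter input handle 38 iifname "eth0" ip saddr 192.168.1.12 counter drop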
* Realizando adaptação das configurações base do IPTABLES para o NFTABLES.
# Replacement for the old iptables base rules; same file as above, loaded by nftables.service
# vi /etc/nftables.conf
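#!/usr/sbin/nft -f
# Port of the iptables base policy: default-deny on input, forward AND output.
#
# Variables. A define is substituted textually; one holding several addresses has to be written
# as a set ({ ... }) so it can be used as "ip daddr $DNS" -- a bare comma list is not valid where
# a single address or a set is expected.
define NETINT = 10.0.0.0/24
#define NETEXT = 168.181.48.247/32   # left undefined: any rule that uses $NETEXT fails to load
define DNS = { 8.8.8.8, 1.1.1.1, 208.67.222.222 }
define ANY = 0.0.0.0/0
define IFINT = "eth0"
define IFEXT = "eth1"

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		# GENERAL RULES -- order matters, the first matching rule wins
		ct state invalid counter drop
		icmp type timestamp-request counter drop      # ICMP timestamp (not TCP timestamps): clock/uptime leak
		ct state {related,established} counter accept
		iifname "lo" counter accept
		# NOTE(review): "inet" also filters IPv6. With policy drop and no ICMPv6 accept, neighbour
		# discovery and router advertisements are dropped and IPv6 stops working on this host.
		# If IPv6 is in use add, before the final drop, something like:
		#   icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
		# ADDITIONAL RULES (service rules go here, before the final drop)
		counter drop   # explicit final drop so the counter shows what the policy discards
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		# GENERAL RULES
		ct state invalid counter drop
		icmp type timestamp-request counter drop
		ct state {related,established} counter accept
		# ADDITIONAL RULES (nothing is routed until a rule is added here)
		counter drop
	}
	chain output {
		type filter hook output priority 0; policy drop;
		# GENERAL RULES
		ct state invalid counter drop
		icmp type timestamp-request counter drop
		ct state {related,established} counter accept
		oifname "lo" counter accept
		# ADDITIONAL RULES -- with policy drop the host cannot resolve names, sync time or
		# update packages until the output rules further down are added
		counter drop
	}
}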
*
* Regras de entrada
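# INPUT RULES. Command-line forms; the bare "iifname ..." lines are the same rules in
# /etc/nftables.conf syntax. NOTE: the commands target table "ip filter" while the config file
# above creates "inet filter" -- use the family that really exists or nft answers "No such file".
#
# DROP ICMP TIMESTAMPS (ICMP timestamp requests, not TCP timestamps). These must be added
# BEFORE the generic ICMP accepts: rules are evaluated in order and the first match wins, so in
# the original order (accept first) the drops were never reached.
nft add rule ip filter input iifname $IFINT ip saddr $NETINT icmp type timestamp-request counter drop
nft add rule ip filter input iifname $IFEXT ip saddr $NETEXT icmp type timestamp-request counter drop   # $NETEXT is commented out in the file above; define it or drop the saddr match
# ACCEPT ICMP
nft add rule ip filter input iifname $IFINT ip protocol icmp ip saddr $NETINT counter accept
# NOTE(review): accepts every ICMP type from the whole internet. Prefer "icmp type echo-request"
# and a jump to a rate-limiting chain (see the ping-flood chain later in these notes).
nft add rule ip filter input iifname $IFEXT ip protocol icmp ip saddr $ANY counter accept
iifname $IFINT ip protocol icmp ip saddr $NETINT counter accept # PING INT
iifname $IFEXT ip protocol icmp ip saddr $ANY counter accept # PING EXT
# ACCEPT SSH ("ssh" and "22" are the same port; keep one of the two rules)
nft add rule ip filter input iifname $IFINT ip saddr $NETINT tcp dport ssh ct state {new,established} counter accept
nft add rule ip filter input iifname $IFINT ip saddr $NETINT tcp dport 22 ct state {new,established} counter accept
# External SSH as its own rule. The original combined "iifname {$IFINT,$IFEXT}" with
# "ip saddr {$NETINT,$NETEXT}", which matches the cross product: a packet on $IFEXT carrying a
# spoofed $NETINT source address would have been accepted.
nft add rule ip filter input iifname $IFEXT ip saddr $NETEXT tcp dport ssh ct state {new,established} counter accept
# config-file syntax ($NETINTAG is only defined in the haproxy file at the end of these notes)
iifname $IFINT ip saddr $NETINT tcp dport {ssh} ct state {new,established} counter accept # SERVICOS INT
iifname $IFINT ip protocol icmp ip saddr $NETINTAG counter accept # PING INT
iifname $IFEXT ip protocol icmp ip saddr $ANY counter accept # PING EXT
iifname $IFINT ip saddr $NETINTAG tcp dport {ssh,http,https} ct state {new,established} counter accept # SERVICOS INTAG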
Nota: $ANY é 0.0.0.0/0 e casa com qualquer origem; portanto "ip saddr $ANY" é redundante (equivale a não filtrar a origem) e pode ser omitido da regra. O nft pode exibir esse match de forma diferente ao listar o ruleset.
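# accept BIND (DNS server reachable from the internal interface)
nft add rule ip filter input iifname $IFINT tcp dport 53 counter accept
nft add rule ip filter input iifname $IFINT udp dport 53 counter accept
# 953 is the rndc control channel. It should not be reachable from the whole LAN: restrict it to
# the administration host ("ip saddr <admin-ip>") or keep rndc on loopback and drop this rule.
nft add rule ip filter input iifname $IFINT tcp dport 953 counter accept
# ACCEPT WEBSERVER
nft add rule ip filter input iifname $IFINT ip saddr $NETINT tcp dport 80 counter accept
nft add rule ip filter input iifname $IFEXT ip saddr $ANY tcp dport 80 counter accept
iifname $IFEXT ip saddr $ANY tcp dport {http} ct state {new,established} counter accept # SERVICOS EXT
# ACCEPT SAMBA (445 only; the NetBIOS ports 137-139 stay closed)
nft add rule ip filter input iifname $IFINT ip saddr $NETINT tcp dport 445 counter accept
# MULTIPORT ("ip protocol tcp/udp" is implied by "tcp dport"/"udp dport" and may be omitted)
nft add rule ip filter input iifname $IFINT ip protocol tcp ip saddr $NETINT tcp dport {22,445,3052,8080} counter accept
nft add rule ip filter input iifname $IFINT ip protocol udp ip saddr $NETINT udp dport {53,123,3052-4000} counter accept
# REJECT TRACEROUTE. "iifname" takes an interface name, not a network: the original
# "iifname $NETINT" / "iifname $NETEXT" is wrong. Match the interface and the source network.
nft add rule ip filter input iifname $IFINT ip saddr $NETINT udp dport 33434-33523 ct state new counter reject
nft add rule ip filter input iifname $IFEXT udp dport 33434-33523 ct state new counter reject
# ACCEPT ALL TRAFFIC -- WARNING: these two rules accept anything from the internal / external
# network, which makes every port restriction above meaningless for those sources. Use them
# only while migrating and remove them once the service rules are complete.
nft add rule ip filter input iifname $IFINT ip saddr $NETINT counter accept
nft add rule ip filter input iifname $IFEXT ip saddr $NETEXT counter accept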
* Regras de saída
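# OUTPUT RULES (the file above sets "policy drop" on output, so every outbound service needs one)
# Drop ICMP timestamp replies (ICMP, not TCP timestamps)
nft add rule ip filter output oifname $IFINT ip daddr $NETINT icmp type timestamp-reply counter drop
nft add rule ip filter output oifname $IFEXT ip daddr $ANY icmp type timestamp-reply counter drop
# ACCEPT BIND (queries from this host / recursion by the local server)
nft add rule ip filter output oifname $IFINT ip daddr $NETINT tcp dport 53 counter accept
nft add rule ip filter output oifname $IFINT ip daddr $NETINT udp dport 53 counter accept
# NOTE(review): DNS to ANY destination. If the host only uses the resolvers in $DNS, write
# "ip daddr $DNS" instead of $ANY; that also closes port-53 traffic to arbitrary hosts as an
# outbound tunnel.
nft add rule ip filter output oifname $IFEXT ip daddr $ANY tcp dport 53 counter accept
nft add rule ip filter output oifname $IFEXT ip daddr $ANY udp dport 53 counter accept
# ACCEPT INTERNET + NTP - check resolv.conf so the resolvers in use match the DNS rules above
nft add rule ip filter output oifname $IFEXT udp dport {domain,ntp} counter accept   # {53,123}
nft add rule ip filter output oifname $IFEXT tcp dport {http,https} counter accept   # {80,443}
# config-file syntax. In the OUTPUT chain this host is the source, so the remote side is "ip daddr".
# The original ping line matched "ip saddr $NETINTAG", i.e. the host's own address, which allows
# ICMP to ANY destination; "ip daddr" expresses the intended "ping the internal network".
oifname $IFINT ip protocol icmp ip daddr $NETINTAG counter accept # PING INT
# 389 is LDAP without TLS unless STARTTLS is negotiated; consider 636 (ldaps) if available
oifname $IFINT ip daddr $NETINTAG tcp dport {389,587,3306,3307,10050,12345,12346} ct state {new,established} counter accept # SERVICOS WEB
oifname $IFINT ip daddr $ANY tcp dport {http,https} counter accept # WEB
oifname $IFINT ip daddr $ANY udp dport {domain,ntp} counter accept # DNS E NTP
# ACCEPT NTP (already covered by the {domain,ntp} rule above; kept as the single-port form)
nft add rule ip filter output oifname $IFEXT udp dport {ntp} counter accept
# SAMBA client traffic towards the internal network
nft add rule ip filter output oifname $IFINT ip daddr $NETINT tcp dport 445 counter accept
# ACCEPT MULTIPORT (111 = rpcbind/portmapper, 2049 = NFS; 4000-4005 presumably the fixed NFS helper ports -- confirm on the server)
nft add rule ip filter output oifname $IFEXT ip protocol tcp tcp dport {111,2049,4000-4005} counter accept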
* Regras de redirecionamento:
* Regras de log.
# Log every new SSH connection to nflog group 2 (e.g. collected with ulogd) and accept it.
# NOTE(review): no family is given, so this lands in table "ip filter", not "inet filter";
# and there is no rate limit, so a connection flood also floods the log -- add "limit rate"
# or jump to a rate-limited chain before logging.
nft add rule filter input tcp dport 22 ct state new log prefix \"SSH for ever\" group 2 accept
* Regras de pré roteamento
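# Transparent proxy: rewrite tcp/80 from the internal network to local port 3128 (Squid in
# intercept mode). The rewrite happens in prerouting, BEFORE the input filter hook, so the
# filter input chain must accept the TARGET port (3128, and 8080/8443 below) from $NETINT --
# not port 80 -- or the redirected packets are dropped.
nft add rule ip nat prerouting iifname $IFINT ip saddr $NETINT tcp dport 80 counter redirect to :3128
#nft add rule ip nat prerouting iifname $IFINT tcp dport 80 counter redirect to :3128
# Redirect an incoming port to another local port. Only one rule per destination port can be
# effective: the first matching rule in the chain wins, so the 80->8080 rule below never
# matches while the 80->3128 rule above is loaded.
nft add rule ip nat prerouting iifname $IFINT tcp dport 80 counter redirect to :8080 comment \"HTTP\"
nft add rule ip nat prerouting iifname $IFINT tcp dport 443 counter redirect to :8443 comment \"HTTPS\"
# Fragment left over in the original notes: $ntp_servers is never defined and the rule has no
# verdict (it only counts). Kept commented out as a template.
#ip saddr $ntp_servers counter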
Para a regra de INPUT adicionar as linhas abaixo:
FLOOD protect tcp
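# SYN-flood protection in the input chain. Table "ip filter" must exist; the config files in
# these notes create "inet filter", adjust the family to match.
nft add chain ip filter syn-flood
# The flags expression contains "&", "(" and "|", which the shell would interpret: quote it.
nft add rule ip filter input 'tcp flags & (fin|syn|rst|ack) == syn' counter jump syn-flood
# Up to 30 new SYN/s (burst 60) return to the caller and continue normal processing
nft add rule ip filter syn-flood limit rate 30/second burst 60 packets counter return
# Rate-limit the log line itself: during a real flood an unlimited "log" turns the attack into
# a syslog / disk DoS. Packets fall through to the drop below either way.
nft add rule ip filter syn-flood limit rate 5/minute burst 10 packets counter log prefix \"SYN-flood attempt: \"
nft add rule ip filter syn-flood counter drop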
FLOOD protect ping
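# Ping-flood protection. The original created the chain but never sent traffic to it, so it
# was dead code. The jump must be placed BEFORE any generic "ip protocol icmp ... accept" rule,
# otherwise that rule matches first and the limit never applies.
nft add chain ip filter ping-flood
nft add rule ip filter input icmp type echo-request counter jump ping-flood
# 1 echo-request/s (burst 5) is accepted; everything above that is dropped
nft add rule ip filter ping-flood icmp type echo-request limit rate 1/second burst 5 packets counter accept
nft add rule ip filter ping-flood counter drop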
* Para a regra de OUTPUT adicionar as linhas abaixo:
FLOOD protect udp
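# Outbound UDP rate limit. NOTE(review): 50 packets/s applies to ALL UDP the host sends,
# including its own DNS and NTP traffic -- on a resolver or a busy DNS client this limit is hit
# in normal operation. Size the rate for the host's real traffic before enabling it.
nft add chain ip filter udp-flood
nft add rule ip filter output ip protocol udp counter jump udp-flood
nft add rule ip filter udp-flood ip protocol udp limit rate 50/second burst 100 packets counter return
# Limit the log line as well so an outbound flood cannot also flood syslog
nft add rule ip filter udp-flood limit rate 5/minute burst 10 packets counter log prefix \"UDP-flood attempt: \"
nft add rule ip filter udp-flood counter drop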
https://wiki.debian.org/nftables
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
https://home.regit.org/netfilter-en/nftables-quick-howto/
https://wiki.archlinux.org/index.php/Nftables
https://www.youtube.com/watch?v=7riJkp5q1-M
https://www.youtube.com/watch?v=ImBGJBArjOE
* NFTables para servidor com haproxy
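#!/usr/sbin/nft -f
# nftables for a server running haproxy: default-deny on all three hooks. The internal
# networks reach the proxy and admin ports, the internet reaches http/https only.
define NETINTAG = 10.0.0.0/24
define NETINTAV = 10.0.2.0/24
define NETINTBV = 10.0.4.0/24
define NETINTEG = 10.0.5.0/24
#define NETEXT = 187.72.136.127/25
# A multi-address define must be written as a set ({ ... }) to be usable as "ip daddr $DNS"
define DNS = { 8.8.8.8, 1.1.1.1, 208.67.222.222 }
define ANY = 0.0.0.0/0
define IFINT = "eth0"
define IFEXT = "eth1"

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		# GENERAL RULES
		ct state invalid counter drop
		icmp type timestamp-request counter drop
		ct state {related,established} counter accept
		iifname "lo" counter accept
		# NOTE(review): "inet" covers IPv6 too. With no ICMPv6 accept, neighbour discovery is
		# dropped and IPv6 does not work on this host; add an "icmpv6 type { nd-... } accept"
		# rule if IPv6 is in use.
		# ADDITIONAL RULES
		iifname $IFINT ip protocol icmp ip saddr $NETINTAG counter accept # PING INT
		#iifname $IFEXT ip protocol icmp ip saddr $ANY counter accept # PING EXT
		# management network: ssh, the proxy frontends, 1936 (presumably the haproxy stats page) and 10050/10051
		iifname $IFINT ip saddr $NETINTAG tcp dport {ssh,http,https,8080,1936,10050,10051} ct state {new,established} counter accept # SERVICOS INTAG
		# other internal networks: frontends only
		iifname $IFINT ip saddr {$NETINTAV,$NETINTBV,$NETINTEG} tcp dport {http,https,8080} ct state {new,established} counter accept # SERVICOS INTAV
		# internet: http/https only (no ssh, no stats)
		iifname $IFEXT ip saddr $ANY tcp dport {http,https} ct state {new,established} counter accept # SERVICOS EXT
		counter drop
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		# GENERAL RULES
		ct state invalid counter drop
		icmp type timestamp-request counter drop
		ct state {related,established} counter accept
		# ADDITIONAL RULES (none: this host proxies, it does not route)
		counter drop
	}
	chain output {
		type filter hook output priority 0; policy drop;
		# GENERAL RULES
		ct state invalid counter drop
		icmp type timestamp-request counter drop
		ct state {related,established} counter accept
		oifname "lo" counter accept
		# ADDITIONAL RULES
		# NOTE(review): this rule is UDP only. It allows DNS and NTP, but "http"/"https" over UDP
		# only covers HTTP/3 (QUIC); outbound TCP 80/443 (apt, ACME, checks against the internet)
		# is NOT allowed by this chain -- add "oifname $IFEXT tcp dport {http,https} ... accept" if needed.
		oifname $IFEXT ip daddr $ANY udp dport {domain,http,ntp,https} counter accept # DNS E NTP
		# backend pool on the management network (haproxy -> backends)
		oifname $IFINT ip daddr $NETINTAG tcp dport {80,81,443,8002,8004,8005,8008,8009,8010,8011,8012,8013,8014,8015,8016,8017,8018,8019,8021,8022,8026,8031,8033,8034,8035,8036,8037,8080,8081,8083} ct state {new,established} counter accept # SERVICOS WEB
		counter drop
	}
	# These two filter-type chains hold no rules and accept by policy: they change nothing and
	# can be removed. (They are not NAT chains; NAT lives in "type nat" chains of a nat table.)
	chain prerouting {
		type filter hook prerouting priority 0; policy accept;
	}
	chain postrouting {
		type filter hook postrouting priority 0; policy accept;
	}
}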
Comandos legados que o nftables substitui (cada um corresponde a uma família do nft: ip6tables → ip6/inet, ebtables → bridge, arptables → arp):
ip6tables
ebtables
arptables
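# Minimal table + base chain + a rule that only counts (the original had "tupe", a typo for "type")
# nft add table ip filter
# nft add chain ip filter input { type filter hook input priority 0\; }
# nft add rule ip filter input counter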
// SETS ##################
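# Named set of IPv4 addresses, referenced from a rule with @name ("nftp" in the original is a typo)
# nft add set ip filter test { type ipv4_addr\; }
# nft describe ip saddr   <- prints the datatype a set for this selector must have (ipv4_addr)
# nft add element ip filter test { 127.0.0.1 }
# nft add rule ip filter input ip saddr @test counter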
// MAPS ################
# Map: source address -> mark value
# nft add map ip filter test2 { type ipv4_addr : mark\; }
# nft add element ip filter test2 { 127.0.0.1 : 0xa, 127.0.0.2 : 0xb }
# "meta mark" sets the packet mark; "ct mark" would set the conntrack mark instead
# nft add rule ip filter input meta mark set ip saddr map @test2 <- meta pode ser substituido por ct
// CONCATENATIONS ##############
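# Anonymous map: conntrack mark from the source address. "saddr" alone is not a selector,
# it must be "ip saddr" (the original would not parse).
# nft add rule ip filter input ct mark set ip saddr map { 127.0.0.1 :0xa, 127.0.0.2 : 0xb } <- ct = conntrack
# Concatenation of interface name and source address. "iif" (interface index) and "iifname"
# (interface name string) are different datatypes; with string elements use iifname.
# nft add rule ip filter input meta iifname . ip saddr { "eth0" . 192.168.0.1, "lo" . 127.0.0.1, "eth1" . 192.168.1.1 } counter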
// CONCAT + MAPS #################
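# CONCAT + MAPS. Elements of a concatenation are separated by " . "; "192.168.1.1.22" in the
# original is neither an address nor a port. A map element also needs a value after ":" (the
# original map had none). "eht0" and "nftp" were typos.
# nft add rule ip filter input meta iif . ip saddr . tcp dport { "eth0" . 192.168.1.1 . 22, "lo" . 127.0.0.1 . 8080 }
# nft add rule ip filter input ct mark set meta iif . ip saddr . tcp dport map { "eth0" . 127.0.0.1 . 22 : 0xa, "lo" . 127.0.0.1 . 8080 : 0xb }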
// RULE DELETE ###############
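# Rules are deleted / replaced by handle. -a is an nft option and goes before the command.
# nft -a list ruleset
# nft delete rule ip filter input handle 123 <- 123 is the handle printed by the command above
# Replace keeps the position of the old rule; give the full new rule after the handle
# nft replace rule ip filter input handle 123 <new rule expression>
# nft -i   <- interactive mode: test expressions before writing them to the file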
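#!/usr/sbin/nft -f
# Generic host firewall: default-deny input and forward, open output.
# Changes against the original listing: the unconditional "tcp dport 22 ct state new accept"
# that preceded the rate-limited SSH rule is removed (it matched first, so the brute-force limit
# below never applied); "ct state invalid drop" is evaluated before the accepts; duplicate
# elements in the ICMPv6 set are removed.
flush ruleset
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		iifname lo accept
		ct state invalid drop
		ct state established,related accept
		# no ping floods:
		ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop
		ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop
		# ICMP & IGMP (the ICMPv6 nd-*/mld-* types are required for IPv6 to work at all)
		ip6 nexthdr icmpv6 icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
		ip protocol icmp icmp type { echo-request, destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept
		ip protocol igmp accept
		# SSH: this rate-limited rule is the ONLY one admitting new connections; excess SYNs fall
		# through to the drop policy. Change 22 to your own ssh port.
		tcp dport 22 ct state new limit rate 15/minute accept
		# http server (the udp line is only needed if HTTP/3 (QUIC) is served)
		tcp dport { http, https} ct state established,new accept
		udp dport { http, https} ct state established,new accept
		# some ports you like
		#tcp dport { xxx, yyy} ct state established,new accept
		#udp dport { xxx, yyy} ct state established,new accept
		# uncomment to enable log, choose one
		#log flags all counter drop
		#log prefix "[nftables] Input Denied: " flags all counter drop
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		tcp dport { http, https } ct state { established,new } accept
		udp dport { http, https } ct state { established,new } accept
		# for dockers
		# dockers have plenty of networks, so it may be required to change accordingly
		iifname eth0 oifname docker0 ct state { established,new,related } accept
		# NOTE(review): no iifname here, so anything arriving on ANY interface (docker0 included)
		# may be forwarded out of eth0; add an iifname match if containers must not reach the outside.
		oifname eth0 ct state { established,new,related } accept
		# uncomment to enable log
		#log prefix "[nftables] Forward Denied: " flags all counter drop
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}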
# AppArmor profile status; unrelated to nftables, presumably kept here as a reminder
# aa-status