gpt4 book ai didi

firewall - 如何在其他表 nftables 中创建第二个输入链?

转载 作者:行者123 更新时间:2023-12-01 23:42:33 25 4
gpt4 key购买 nike

有我的测试 nft 规则集 ,除了 table inet test 之外的所有工作,但表 f2b-table 绝对相似(除了 drop vs接受)并且它工作正常:

table inet f2b-table {
set addr-set-sshd {
type ipv4_addr
elements = { 0.0.0.0 }
}

chain input {
type filter hook input priority filter - 1; policy accept;
tcp dport { 222 } ip saddr @addr-set-sshd drop
}
}
table inet default {
set full_op_port {
type inet_service
elements = { 222 }
}

set allowed_ips {
type ipv4_addr
elements = { 0.0.0.0 }
}

chain INPUT {
type filter hook input priority filter; policy drop;
ct state invalid drop
ct state { established, related } accept
iif "lo" accept
tcp dport @full_op_port accept
ip saddr @allowed_ips accept
ip protocol icmp accept
counter packets 17 bytes 884
}

chain FORWARD {
type filter hook forward priority filter; policy drop;
}

chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
table ip test {
chain PREROUTING {
type nat hook prerouting priority filter; policy accept;
}

chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
}

chain FORWARD {
type filter hook forward priority filter; policy drop;
}
}
table inet test {
set op_port {
type inet_service
elements = { 8888 }
}

chain INPUT {
type filter hook input priority filter - 2; policy accept;
tcp dport @op_port accept
}
}

我在 tcpdump 中看到包,当我在表 表 inet 测试 中进行 计数 时我看到包,但包不被接受。我做错了什么?

最佳答案

我在这里添加了另一个带有示例的答案,以阐明将策略与相同系列、类型和 Hook 的多个基础链混合使用的意外后果。尽管可以使这些优先级相同,但永远不应该。较低的优先级数字意味着较高的优先级,将首先运行。错误地应用丢弃策略可能会对您打算接受的流量造成意想不到的后果。

关于将混合系列 inet 与 ip 和 ip6 混合使用的效果,我什至不会开始自以为是,只能说这可能是个坏主意。

警告:这些示例可怕地破坏了 ipv4 流量并且是在 VM 上执行的 - 买家当心!

错误丢弃策略的示例:

table inet filter {
chain input1 {
type filter hook input priority filter + 1; policy drop;
tcp dport 80 log prefix "input1_" # SEEN
}

# input2 chain not evaluated as there is no traffic left after input1
chain input2 {
type filter hook input priority filter + 2; policy accept;
tcp dport 80 accept
tcp dport 80 log prefix "input2_"
}
}

一个 ok drop 策略的例子:

table inet filter {
chain input1 {
type filter hook input priority filter + 1; policy accept;
tcp dport 80 log prefix "input1_" # SEEN
}
chain input2 {
type filter hook input priority filter + 2; policy drop;
tcp dport 80 accept
tcp dport 80 log prefix "input2_" # NOT SEEN due previous accept
}
}

错误接受策略的示例:

table inet filter {
chain input1 {
type filter hook input priority filter + 1; policy accept;
tcp dport 80 accept
tcp dport 80 log prefix "input1_" # NOT SEEN due to previous accept
}
chain input2 {
type filter hook input priority filter + 2; policy drop;
tcp dport 80 log prefix "input2_" # SEEN - chain evaluates
# all traffic dropped here by policy including accepted input1 traffic
}
}

一个好的接受策略的例子:

table inet filter {
chain input1 {
type filter hook input priority filter + 1; policy accept;
tcp dport 80 log prefix "input1_" # SEEN
}
chain input2 {
type filter hook input priority filter + 2; policy drop;
tcp dport 80 accept
tcp dport 80 log prefix "input2_" # NOT SEEN due to previous accept
}
}

如 nft 的手册页所述,按规则或策略进行的丢弃会立即丢弃,而无需进一步处理优先级较低的基础链。接受不。它会将当前优先级的剩余规则短路并移交给下一个优先级较低的规则,但如果没有规则可以接受,它仍然会被规则显式丢弃或被策略隐式丢弃。

也许实现它的最简单方法是使用单个基础链并跳转/转到非基础链,这与 iptables 的工作方式非常有效。

关于firewall - 如何在其他表 nftables 中创建第二个输入链?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/64801304/

25 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com