Nytro

NFTables IPTables-Replacement Queued For Linux 3.13


Posted


Posted by Michael Larabel in Linux Kernel on 19 October 2013 03:42 PM EDT

NFTables is a new firewall subsystem / packet filtering engine for the Linux kernel that is poised to replace iptables. NFTables has been in development for several years by the upstream author of Netfilter. This new nftables system is set to be merged now into the Linux 3.13 kernel.

NFTables has been in development for years and aims to replace IPTables by offering a simpler kernel ABI, reducing code duplication, improving error reporting, and providing more efficient support for filtering rules. Beyond IPTables, it also replaces the ip6tables, arptables, and ebtables frameworks, but nftables does offer a compatibility layer for iptables.

For those into networking and wanting to learn more about NFTables, visit its Netfilter.org project page.

Earlier this week a pull request was sent in for pulling in nf_tables for the next Linux kernel release through the net-next branch. The pull request was accepted and is now living in the net-next Git repository for Linux 3.13.

IPTables won't die off in Linux 3.13 as there's still work ahead for NFTables, but those wanting to try out the new code when it's mainlined can find this how-to guide.

Source: [Phoronix] NFTables IPTables-Replacement Queued For Linux 3.13

Posted
You have QoS on iptables too

You have the 'TOS' target, but it doesn't compare. It's something low-end. Besides, there are only 5 sinister options. Careful, we're talking about netfilter, not tc from the iproute2 package.

It works very empirically, prioritizing packets, that's all.

Posted

:)

Sir, do this with iptables (see the part marked in bold). Connmark is for marking packets, and with hashlimit you define a packet rate per unit of time, by no means a bandwidth.


ext_if = "hme0"
ext_if2 = "hme1"
int_if = "hme2"
ext_gw2 = "192.168.1.1"
protocols = "{ tcp, udp, icmp, gre, ipv6, esp, ipencap }"
icmp_types = "{ echoreq, unreach }"
state_inspection = "flags S/SAFR modulate state"
udpblock = "{ 22, 80, 443 }"
ftp_ports = "{ 20:21 }"
passive = "{ 32000:63000 }"
voipports = "{ 5060, 5061, 5062, 5063, 5064 }"
torrent = "{ 6881:6999 }"

table <BLACKLIST> persist file "/etc/firewall/blacklist"
table <SLOWQUEUE> persist file "/etc/firewall/slowqueue"

set fingerprints "/etc/firewall/os-fingerprint"
set block-policy drop
set optimization aggressive
#set ruleset-optimization basic

# http://kestas.kuliukas.com/pf.conf/#NATQueueing
set state-policy if-bound

set optimization normal
set loginterface $ext_if
set skip on lo0
set skip on tun0
set skip on hme1
set skip on hme3
set skip on gif0
set skip on gre0
set skip on $int_if
set require-order yes
set timeout { frag 10, tcp.established 3600, interval 5 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 32000000, frags 32000000, src-nodes 320000000, tables 32000000, table-entries 32000000 }

scrub on $ext_if all random-id reassemble tcp fragment reassemble

# --- the part the post highlights in bold: ALTQ queueing (hfsc on the inside, priq on the outside) ---
altq on $int_if bandwidth 100Mb hfsc queue { ether, nattraffic }
# "ether" is listed as a child above but never defined in the post; hfsc needs every child
# declared and one default queue per interface, so this definition is assumed here.
queue ether bandwidth 90Mb hfsc ( default )
queue nattraffic hfsc ( upperlimit 400Kb ) bandwidth 420Kb { toint_pri, toint_def }
queue toint_pri qlimit 10 hfsc ( red, realtime 35%, linkshare 50% ) priority 4 bandwidth 70%
queue toint_def qlimit 10 hfsc ( red, realtime 15%, linkshare 30% ) priority 3 bandwidth 20%

altq on $ext_if priq bandwidth 2.0Mb qlimit 800 queue { ftp, ssh, web, voip, icmp, torrent, other }
queue other qlimit 200 priority 5 priq(rio,default)
queue ftp qlimit 50 priority 2 priq(rio,ecn)
queue web qlimit 300 priority 14 priq(rio,ecn)
queue voip qlimit 500 priority 15 priq(red)
queue ssh qlimit 50 priority 4 priq(red)
queue icmp qlimit 50 priority 3 priq(red)
queue torrent qlimit 20 priority 6 priq(rio,ecn)
# --- end of the part highlighted in bold ---

nat from 10.0.0.2 to any -> ($ext_if) # Workstation
nat from 10.0.0.3 to any -> ($ext_if) # Voip
nat from 10.0.0.4 to any -> ($ext_if) # SUN
nat from 10.0.0.5 to any -> ($ext_if) # NetBSD
nat from 10.0.0.6 to any -> ($ext_if) # VM
nat from 10.0.0.7 to any -> ($ext_if) # IBM
nat from 10.0.0.8 to any -> ($ext_if) # HP
nat from 10.0.0.9 to any -> ($ext_if) # Alina (Wireless)
nat from 10.0.0.10 to any -> ($ext_if) # HP Printer
nat from 10.0.0.11 to any -> ($ext_if) # Netgear Wireless
nat from 10.0.0.12 to any -> ($ext_if) # Server nou
nat from 172.16.0.2 to any -> ($ext_if) # tex

nat from 192.168.1.0/24 to any -> ($ext_if) # VPN


# HP
rdr on $ext_if inet proto tcp from any to $ext_if port { 20, 21, 22, 53, 81, 443 } tag HP -> 10.0.0.8
rdr on $ext_if inet proto udp from any to $ext_if port { 20, 21 } tag HP -> 10.0.0.8

rdr on $ext_if2 inet proto tcp from any to $ext_if2 tag HP-PRINTER -> 10.0.0.10
rdr on $ext_if inet proto tcp from any to $ext_if port $passive -> 10.0.0.8

# vm
rdr on $ext_if inet proto tcp from any to $ext_if port 400 -> 10.0.0.6 port 22
rdr on $ext_if inet proto tcp from any to $ext_if port 515 -> 10.0.0.7 port 22

# VoIP
rdr on $ext_if inet proto tcp from any to $ext_if port $voipports tag VOIP -> 10.0.0.3
rdr on $ext_if inet proto udp from any to $ext_if port $voipports tag VOIP -> 10.0.0.3

no rdr

block in quick on $ext_if from <SLOWQUEUE> to any probability 97%
block in quick on $ext_if from <BLACKLIST> to any
block out quick on $ext_if from any to <BLACKLIST>
block in quick on $ext_if proto tcp from <HTTP_OVERLOAD> to any port 80
block in quick on $ext_if proto tcp from <HTTPS_OVERLOAD> to any port 443
block in quick on $ext_if proto tcp from <SSH_ABUSIVE> to any port 22
# The overload table filled by the FTP pass rule below is <FTP_OVERLOAD>; the post wrote <FTP_ABUSIVE> here,
# which is never populated, so the block would never trigger.
block in quick on $ext_if proto tcp from <FTP_OVERLOAD> to any port 21

## UDP DDoS Block: block all inbound UDP except ports 20 and 1723.
## The post wrote "block in quick on $ext_if proto udp from any to any port { !=20, !=1723 }".
## pf expands a list into one rule per element, so that became "block ... port != 20" plus
## "block ... port != 1723", and between them every UDP port is blocked (20 by the second
## rule, 1723 by the first). Pass the exceptions first, then block the rest.
pass in quick on $ext_if proto udp from any to any port { 20, 1723 } keep state
block in quick on $ext_if proto udp from any to any

## Juno
block in quick on $ext_if proto tcp from any port { 1024,3072 } to any
block out quick on $ext_if proto tcp from any to any port { 1024,3072 }

block in on $ext_if
block out on $ext_if
antispoof for $ext_if inet # disabled for vpn
block in from no-route to any
block in from urpf-failed to any

block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

pass out quick on $ext_if route-to ($ext_if2 $ext_gw2) from { 192.168.1.0/24 } to any

block in quick on $ext_if from any to 255.255.255.255

pass out on $ext_if proto tcp from any port 21 to any flags S/SA modulate state queue ftp
pass out on $ext_if proto tcp from any port 22 to any flags S/SA modulate state queue ssh
pass out on $ext_if proto tcp from any port 80 to any flags S/SA modulate state queue web
pass out on $ext_if proto tcp from any port $torrent to any flags S/SA modulate state queue torrent
pass out on $ext_if proto tcp from any port $voipports to any keep state queue voip
pass out on $ext_if proto tcp from any to any flags S/SA modulate state queue other
pass out on $ext_if proto icmp from any to any keep state queue icmp
pass out on $ext_if proto { udp, gre, ipv6, esp, ipencap } from any to any keep state

pass in on { $int_if, $ext_if } proto tcp from any to any port 515 $state_inspection

pass in on $ext_if proto { tcp, udp } from any to any port 1723 keep state

# NOTE: "quick" plus "all" with no state: this passes every inbound packet on $ext_if that reached
# this point, so the rate-limited pass rules below (and their overload tables) are never reached
# for inbound traffic while this rule is present.
pass in quick on $ext_if all allow-opts

pass in on $ext_if proto tcp from any to any port 80 $state_inspection \
(source-track rule, max-src-conn 180, max-src-conn-rate 140/1, overload <HTTP_OVERLOAD> flush global) tag HTTP-SERVICE

pass in on $ext_if proto tcp from any to any port 443 $state_inspection \
(source-track rule, max-src-conn 180, max-src-conn-rate 140/1, overload <HTTPS_OVERLOAD> flush global) tag HTTPS-SERVICE

pass in on $ext_if proto tcp from any to any port 22 $state_inspection \
(source-track rule, max-src-conn 10, max-src-conn-rate 1/60, max-src-nodes 20, overload <SSH_ABUSIVE> flush global) tag SSHD-SERVICE

pass in on $ext_if proto tcp from any to any port 81 keep state
pass in on $ext_if proto tcp from any to any port 554 keep state

pass in on $ext_if proto tcp from any to any port $ftp_ports $state_inspection \
(source-track rule, max-src-conn 30, max-src-conn-rate 30/1, overload <FTP_OVERLOAD> flush global) tag FTP-SERVICE

pass in on $ext_if proto udp from any to any port $ftp_ports keep state
pass in on $ext_if proto tcp from any to any port $passive keep state
pass in on $ext_if proto udp from any to any port $passive keep state

pass in on $ext_if proto tcp from any to any port { 5060, 5061 } keep state tag VOIP-IN

pass in on $ext_if proto {tcp, udp} from any to any port 2222 keep state tag WRT

# allow traceroute out
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
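The `block ... port { !=20, !=1723 }` rule in the posted config is worth a closer look, because pf expands a list into one rule per element and then evaluates the rules top to bottom (last match wins, unless a matching rule is `quick`). The following Python model is an added example, not code from the post and not pf itself; it reproduces that expansion and evaluation for destination ports only, and shows that the negated list blocks every UDP port while the two-rule form (pass the exceptions `quick`, then block the rest) does what the comment intends.

```python
"""Model pf's list expansion and rule evaluation for a destination-port match.

Added example: a simplified model, not pfctl. It only tracks action, `quick`
and the destination port, which is enough to show why a list of negated
ports such as `port { !=20, !=1723 }` ends up blocking everything.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    quick: bool              # stop evaluation when this rule matches
    port_op: Optional[str]   # "=", "!=" or None (matches any port)
    port: Optional[int]

    def matches(self, dst_port: int) -> bool:
        if self.port_op is None:
            return True
        if self.port_op == "=":
            return dst_port == self.port
        return dst_port != self.port   # "!="


def expand_port_list(action: str, quick: bool, port_list: str) -> list:
    """Expand a rule with a port list into one rule per element, as pfctl does.

    port_list is the text inside the braces, e.g. "!=20, !=1723" or "20, 1723".
    """
    rules = []
    for neg, num in re.findall(r"(!=)?\s*(\d+)", port_list):
        rules.append(Rule(action, quick, "!=" if neg else "=", int(num)))
    return rules


def verdict(rules: list, dst_port: int) -> str:
    """Evaluate one packet: last matching rule wins, a matching quick rule ends
    evaluation, and pf's implicit default when nothing matches is pass."""
    result = "pass"
    for rule in rules:
        if rule.matches(dst_port):
            result = rule.action
            if rule.quick:
                break
    return result


def ports_passed(rules: list, candidates=range(1, 65536)) -> list:
    """Destination ports the ruleset lets through."""
    return [p for p in candidates if verdict(rules, p) == "pass"]


# As written in the post: intends "block all UDP except 20 and 1723", but pfctl
# turns it into two quick block rules, "port != 20" and "port != 1723".
BUGGY = expand_port_list("block", True, "!=20, !=1723")

# Same intent expressed correctly: pass the exceptions first, then block the rest.
FIXED = expand_port_list("pass", True, "20, 1723") + [Rule("block", True, None, None)]


if __name__ == "__main__":
    for name, rules in (("as posted", BUGGY), ("two-rule form", FIXED)):
        print(name)
        for r in rules:
            scope = "any port" if r.port_op is None else f"port {r.port_op} {r.port}"
            print(f"  {r.action}{' quick' if r.quick else ''} {scope}")
        print("  ports passed:", ports_passed(rules))
```

Running the block prints the expanded rules for both forms and the ports each lets through: none at all for the posted form, exactly 20 and 1723 for the two-rule form. The same expansion applies to negated addresses in a list, which is why pf.conf(5) warns against negation inside lists.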
