source: archive/nftables.xml

Last change on this file was 3f2db3a6, checked in by Pierre Labastie <pierre.labastie@…>, 17 months ago

Remove sect1info tags

They only contain a date tag that is nowhere used.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY nftables-download-http "https://netfilter.org/projects/nftables/files/nftables-&nftables-version;.tar.bz2">
  <!ENTITY nftables-download-ftp  " ">
  <!ENTITY nftables-md5sum        "9913b2b46864394d41916b74638e0875">
  <!ENTITY nftables-size          "772 KB">
  <!ENTITY nftables-buildsize     "34 MB">
  <!ENTITY nftables-time          "0.2 SBU">
]>

<sect1 id="nftables" xreflabel="nftables-&nftables-version;">
  <?dbhtml filename="nftables.html"?>


  <title>nftables-&nftables-version;</title>

  <indexterm zone="nftables">
    <primary sortas="a-nftables">nftables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to nftables</title>

    <para>
      The <application>nftables</application> package, intended to be the
      successor to <xref linkend="iptables"/>, provides a low-level netlink
      programming interface (API) and userspace utilities for the in-kernel
      nf_tables subsystem.
    </para>

    &lfs90_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>
          Download (HTTP): <ulink url="&nftables-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&nftables-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &nftables-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &nftables-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &nftables-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &nftables-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">nftables Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="libnftnl"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="jansson"/> (for JSON rules table support)
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="iptables"/> and
      <xref linkend="docbook-utils"/>
    </para>

    <bridgehead renderas="sect4">Optional (runtime)</bridgehead>

    <para role="optional">
      <ulink url="https://netfilter.org/projects/conntrack-tools/index.html">
      conntrack-tools</ulink>,
      <ulink url="https://netfilter.org/projects/nfacct/index.html">
      nfacct</ulink>, and
      <ulink url="https://netfilter.org/projects/ulogd/index.html">
      ulogd</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/nftables"/>
    </para>
  </sect2>

  <sect2 role="kernel">
    <title>Kernel Configuration</title>

    <para>
      Enable the following options in the kernel configuration and recompile the
      kernel if necessary (add any additional nf_tables features as needed):
    </para>

<screen><literal>[*] Networking support [CONFIG_NET] ---&gt;
  Networking options ---&gt;
    [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---&gt;
      Core Netfilter Configuration ---&gt;
        &lt;*&gt; * protocol support [CONFIG_NF_CONNTRACK_*]
        &lt;*&gt; Netfilter nf_tables support [CONFIG_NF_TABLES]
        [*] Netfilter nf_tables * support [CONFIG_NF_TABLES_*]</literal></screen>

    <para>
      Include any connection tracking protocols that will be used, and
      any protocols that you wish to use for match support under the
      "Core Netfilter Configuration" section. Additionally, include any
      "Netfilter nf_tables * module" that will be used under the
      "Netfilter nf_tables support" section.
    </para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of nftables</title>

    <para>
      Install <application>nftables</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr   \
            --sbindir=/sbin   \
            --sysconfdir=/etc \
            --with-json       \
            --with-python-bin=/usr/bin/python3 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv /usr/lib/libnftables.so.* /lib &amp;&amp;
ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

<!-- there is no disable-static option in the configure string
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="../../xincludes/static-libraries.xml"/>
-->
    <para>
      <parameter>--with-json</parameter>: build with support for JSON rules.
      Omit if <xref linkend="jansson"/> is not available.
    </para>

    <para>
      <parameter>--with-python-bin=/usr/bin/python3</parameter>: force use of
      <application>Python3</application>.
    </para>

    <para>
      <option>--enable-man-doc</option>: build man pages if
      <xref linkend="asciidoc"/> is installed (required if adding
      json support).
    </para>

    <para>
      <option>--with-xtables</option>: build with
      <xref linkend="iptables"/> libxtables support.
    </para>

    <para>
      <command>mv /usr/lib/libnftables.so.* ...</command>: Move the shared
      libraries into /lib so they are available before /usr is mounted.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring nftables</title>

    <note>
      <para>
        If you intend to use <xref linkend="firewalld"/> to configure your
        firewall rules, you should not use the example configuration provided
        here, nor should you enable the
        <phrase revision="sysv">bootscript.</phrase>
        <phrase revision="systemd">systemd unit.</phrase>
      </para>
    </note>

    <sect3 id="fw-masqRouter-nft"
           xreflabel="Creating a Masquerading Router With nftables">
      <title>Masquerading Router</title>

      <para>
        A network firewall has two interfaces, one connected to an
        intranet, in this example <emphasis role="strong">LAN1</emphasis>,
        and one connected to the Internet, here <emphasis
        role="strong">WAN1</emphasis>. You will need to adjust these values to
        match your particular system. To provide the maximum security
        for the firewall itself, make sure that there are no unnecessary
        servers running on it such as <application>X11</application> et al.
        As a general principle, the firewall itself should not access
        any untrusted service (think of a remote server giving answers that
        make a daemon on your system crash, or even worse, that implements
        a worm via a buffer overflow).
      </para>

      <note>
        <para>
          In the following example configuration, <emphasis
          role="strong">LAN1</emphasis> is used for the internal LAN interface,
          and <emphasis role="strong">WAN1</emphasis> is used for the external
          interface connected to the Internet. You will need to replace these
          values with appropriate interface names for your system.
        </para>
      </note>

<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/nftables/nftables.conf &lt;&lt; "EOF"
<literal>#!/sbin/nft -f

# You're using the example configuration for a setup of a firewall
# from Beyond Linux From Scratch.
#
# This example is far from being complete, it is only meant
# to be a reference.
#
# Firewall security is a complex issue, that exceeds the scope
# of the configuration rules below.
#
# You can find additional information
# about firewalls in Chapter 4 of the BLFS book.
# https://www.&lfs-domainname;/blfs

# Drop all existing rules
flush ruleset

# Filter for both ip4 and ip6 (inet)
table inet filter {

  # filter incoming packets
  chain input {

    # Drop everything that doesn't match policy
    type filter hook input priority 0; policy drop;

    # accept packets for established connections
    ct state { established, related } accept

    # Drop packets that have a connection state of invalid
    ct state invalid drop

    # Allow connections to the loopback adapter
    iifname "lo" accept

    # Allow connections to the LAN1 interface
    iifname "LAN1" accept

    # Accept icmp requests (IPv4 only; "ip protocol" does not match ICMPv6)
    ip protocol icmp accept

    # Allow ssh connections on LAN1
    iifname "LAN1" tcp dport ssh accept

    # Drop everything else
    drop
  }

  # Allow forwarding for external connections to WAN1
  chain forward {

    # Drop if it doesn't match policy
    type filter hook forward priority 0; policy drop;

    # Accept connections on WAN1
    oifname "WAN1" accept

    # Allow forwarding to another host via this interface
    # Uncomment the following line to allow connections
    # ip daddr 192.168.0.2 ct status dnat accept

    # Allow established and related connections
    iifname "WAN1" ct state { established, related } accept
  }

  # Filter output traffic
  chain output {

    # Allow everything outbound
    type filter hook output priority 0; policy accept;
  }
}

# NAT for IPv4 (the "ip" family covers IPv4 only, not ip6)
table ip nat {

  chain prerouting {

    # Accept on inbound interface for policy match
    type nat hook prerouting priority 0; policy accept;

    # Accept http and https on 192.168.0.2
    # Uncomment the following line to allow http and https
    #iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2
  }

  chain postrouting {

    # accept outbound
    type nat hook postrouting priority 0; policy accept;

    # Masquerade on WAN1 outbound
    oifname "WAN1" masquerade
  }
}</literal>
EOF</userinput></screen>

      <para>
        With this configuration your intranet should be reasonably secure
        against external attacks. No one should be able to set up a new
        connection to any internal service not configured above.
      </para>

      <para>
        There are several other examples in the
        <filename class="directory">/etc/nftables</filename> directory.
      </para>
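The note above insists that the LAN1 and WAN1 placeholders be replaced before the ruleset is used. As an added example (not part of the BLFS page or the nftables project), the shell functions below perform that check on a ruleset file before it is installed at boot: they list the interface names the rules match on, refuse any file that still references the placeholders, and require the leading flush ruleset so that re-loading the file never appends duplicate rules. The sample ruleset is a constructed, trimmed copy of the example.

```shell
#!/bin/sh
# Added example, not from the BLFS page: pre-load sanity checks for a
# ruleset file such as /etc/nftables/nftables.conf. It catches example
# interface names left unreplaced and a missing "flush ruleset".

# nft_conf_ifaces FILE: print the distinct interface names the rules match on.
nft_conf_ifaces() {
    grep -Eo '(iifname|oifname) "[^"]+"' "$1" | sed 's/.*"\(.*\)"/\1/' | sort -u
}

# nft_conf_check FILE [PLACEHOLDER...]: return 0 if FILE passes, 1 otherwise.
# Placeholders default to the names used in the example configuration.
nft_conf_check() {
    conf=$1; shift
    [ $# -eq 0 ] && set -- LAN1 WAN1
    rc=0
    [ -r "$conf" ] || { echo "$conf: not readable"; return 1; }
    if ! grep -Eq '^[[:space:]]*flush ruleset' "$conf"; then
        echo "$conf: no 'flush ruleset' before the tables"; rc=1
    fi
    # Only quoted names in rules count; mentions in comments are harmless.
    for name in "$@"; do
        if nft_conf_ifaces "$conf" | grep -qx "$name"; then
            echo "$conf: placeholder interface \"$name\" still referenced"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: a trimmed copy of the example ruleset with the
# placeholders still in place, written to a temporary file whose path is printed.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" << 'EOF'
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "LAN1" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    oifname "WAN1" accept
  }
}
EOF
    echo "$f"
}
```

After the file passes, let nft itself parse it without loading it with `nft -c -f /etc/nftables/nftables.conf`.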

    </sect3>

    <sect3 id="nftables-init">
      <title><phrase revision="sysv">Boot Script</phrase>
      <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To set up the nftables firewall at boot, install the
        <filename>/etc/rc.d/init.d/nftables</filename> init script included
        in the <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To set up the nftables firewall at boot, install the
        <filename>nftables.service</filename> unit included in the
        <xref linkend="systemd-units"/> package.
      </para>

      <indexterm zone="nftables nftables-init">
        <primary sortas="f-nftables">nftables</primary>
      </indexterm>

<screen role="root"><userinput>make install-nftables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          nft
        </seg>
        <seg>
          libnftables.{a,so}
        </seg>
        <seg>
          /etc/nftables
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="nft">
        <term><filename>nft</filename></term>
        <listitem>
          <para>
            is the command line interface for the nf_tables subsystem.
          </para>
          <indexterm zone="nftables nft">
            <primary sortas="a-nft">nft</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libnftables">
        <term><filename class="libraryfile">libnftables.{a,so}</filename></term>
        <listitem>
          <para>
            provides functions for manipulating the nf_tables subsystem.
          </para>
          <indexterm zone="nftables libnftables">
            <primary sortas="c-libnftables">libnftables.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>