source: archive/nftables.xml@ 45ab6c7

11.0 qt5new trunk
Last change on this file since 45ab6c7 was 45ab6c7, checked in by Xi Ruoyao <xry111@…>, 5 months ago

more SVN prop clean up

Remove "$LastChanged$" everywhere, and also some unused $Date$

  • Property mode set to 100644
File size: 13.2 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY nftables-download-http "https://netfilter.org/projects/nftables/files/nftables-&nftables-version;.tar.bz2">
8 <!ENTITY nftables-download-ftp " ">
9 <!ENTITY nftables-md5sum "9913b2b46864394d41916b74638e0875">
10 <!ENTITY nftables-size "772 KB">
11 <!ENTITY nftables-buildsize "34 MB">
12 <!ENTITY nftables-time "0.2 SBU">
13]>
14
15<sect1 id="nftables" xreflabel="nftables-&nftables-version;">
16 <?dbhtml filename="nftables.html"?>
17
18 <sect1info>
19 <date>$Date$</date>
20 </sect1info>
21
22 <title>nftables-&nftables-version;</title>
23
24 <indexterm zone="nftables">
25 <primary sortas="a-nftables">nftables</primary>
26 </indexterm>
27
28 <sect2 role="package">
29 <title>Introduction to nftables</title>
30
31 <para>
32 The <application>nftables</application> package, intended to be the
33 successor to <xref linkend="iptables"/>, provides a low-level netlink
34 programming interface (API), and userspace uitlities for the in-kernel
35 nf_tables subsystem.
36 </para>
37
38 &lfs90_checked;
39
40 <bridgehead renderas="sect3">Package Information</bridgehead>
41 <itemizedlist spacing='compact'>
42 <listitem>
43 <para>
44 Download (HTTP): <ulink url="&nftables-download-http;"/>
45 </para>
46 </listitem>
47 <listitem>
48 <para>
49 Download (FTP): <ulink url="&nftables-download-ftp;"/>
50 </para>
51 </listitem>
52 <listitem>
53 <para>
54 Download MD5 sum: &nftables-md5sum;
55 </para>
56 </listitem>
57 <listitem>
58 <para>
59 Download size: &nftables-size;
60 </para>
61 </listitem>
62 <listitem>
63 <para>
64 Estimated disk space required: &nftables-buildsize;
65 </para>
66 </listitem>
67 <listitem>
68 <para>
69 Estimated build time: &nftables-time;
70 </para>
71 </listitem>
72 </itemizedlist>
73
74 <bridgehead renderas="sect3">nftables Dependencies</bridgehead>
75
76 <bridgehead renderas="sect4">Required</bridgehead>
77 <para role="required">
78 <xref linkend="libnftnl"/>
79 </para>
80
81 <bridgehead renderas="sect4">Recommended</bridgehead>
82 <para role="recommended">
83 <xref linkend="jansson"/> (for JSON rules table support)
84 </para>
85
86 <bridgehead renderas="sect4">Optional</bridgehead>
87 <para role="optional">
88 <xref linkend="iptables"/> and
89 <xref linkend="docbook-utils"/>
90 </para>
91
92 <bridgehead renderas="sect4">Optional (runtime)</bridgehead>
93
94 <para role="optional">
95 <ulink url="https://netfilter.org/projects/conntrack-tools/index.html">
96 contrack-tools</ulink>
97 <ulink url="https://netfilter.org/projects/nfacct/index.html">
98 nfacct</ulink>
99 <ulink url="https://netfilter.org/projects/ulogd/index.html">
100 ulogd</ulink>
101 </para>
102
103 <para condition="html" role="usernotes">User Notes:
104 <ulink url="&blfs-wiki;/nftables"/>
105 </para>
106 </sect2>
107
108 <sect2 role="kernel">
109 <title>Kernel Configuration</title>
110
111 <para>
112 Enable the following options in the kernel configuration and recompile the
113 kernel if necessary (add any additional nf_tables features as needed):
114 </para>
115
116<screen><literal>[*] Networking support [CONFIG_NET] ---&gt;
117 Networking options ---&gt;
118 [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---&gt;
119 Core Netfilter Configuration ---&gt;
120 &lt;*&gt; * protocol support [CONFIG_NF_CONNTRACK_*]
121 &lt;*&gt; Netfilter nf_tables support [CONFIG_NF_TABLES]
122 [*] Netfilter nf_tables * support [CONFIG_NF_TABLES_*]</literal></screen>
123
124 <para>
125 Include any connection tracking protocols that will be used, and
126 any protocols that you wish to use for match suppport under the
127 "Core Netfilter Configuration" section. Additionally, include any
128 "Netfilter nf_tables * module" that will be used under the
129 "Netfilter nf_tables support" section.
130 </para>
131
132
133 </sect2>
134
135 <sect2 role="installation">
136 <title>Installation of nftables</title>
137
138 <para>
139 Install <application>nftables</application> by running the following
140 commands:
141 </para>
142
143<screen><userinput>./configure --prefix=/usr \
144 --sbindir=/sbin \
145 --sysconfdir=/etc \
146 --with-json \
147 --with-python-bin=/usr/bin/python3 &amp;&amp;
148make</userinput></screen>
149
150 <para>
151 This package does not come with a test suite.
152 </para>
153
154 <para>
155 Now, as the <systemitem class="username">root</systemitem> user:
156 </para>
157
158<screen role="root"><userinput>make install &amp;&amp;
159mv /usr/lib/libnftables.so.* /lib &amp;&amp;
160ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so</userinput></screen>
161
162 </sect2>
163
164 <sect2 role="commands">
165 <title>Command Explanations</title>
166
167<!-- there is no disable-static option in the configure string
168 <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
169 href="../../xincludes/static-libraries.xml"/>
170-->
171 <para>
172 <parameter>--with-json</parameter>: build with support for JSON rules.
173 Omit if <xref linkend="jansson"/> is not available.
174 </para>
175
176 <para>
177 <parameter>--with-python-bin=/usr/bin/python3</parameter>: force use of
178 <application>Python3</application>.
179 </para>
180
181 <para>
182 <option>--enable-man-doc</option>: build man pages if
183 <xref linkend="asciidoc"/> is installed (required if adding
184 json support).
185 </para>
186
187 <para>
188 <option>--with-xtables</option>: build with
189 <xref linkend="iptables"/> libxtables support.
190 </para>
191
192 <para>
193 <command>mv -v /usr/lib/nftables.so.* ...</command>: Move shared
194 libraries into /lib so they are available before /usr is mounted.
195 </para>
196
197 </sect2>
198
199 <sect2 role="configuration">
200 <title>Configuring nftables</title>
201
202 <note>
203 <para>
204 If you intend to use <xref linkend="firewalld"/> to configure your
205 firewall rules, you should not use the example configuration provided
206 here, nor should you enable the
207 <phrase revision="sysv">bootscript.</phrase>
208 <phrase revision="systemd">systemd unit.</phrase>
209 </para>
210 </note>
211
212 <sect3 id="fw-masqRouter-nft"
213 xreflabel="Creating a Masquerading Router With nftables">
214 <title>Masquerading Router</title>
215
216 <para>
217 A network Firewall has two interfaces, one connected to an
218 intranet, in this example <emphasis role="strong">LAN1</emphasis>,
219 and one connected to the Internet, here <emphasis
220 role="strong">WAN1</emphasis>. You will need to adjust these value to
221 match your particular system. To provide the maximum security
222 for the firewall itself, make sure that there are no unnecessary
223 servers running on it such as <application>X11</application> et al.
224 As a general principle, the firewall itself should not access
225 any untrusted service (think of a remote server giving answers that
226 makes a daemon on your system crash, or even worse, that implements
227 a worm via a buffer-overflow).
228 </para>
229
230 <note>
231 <para>
232 In the following example configuration, <emphasis
233 role="strong">LAN1</emphasis> is used for the internal LAN interface,
234 and <emphasis role="strong">WAN1</emphasis> is used for the external
235 interface connected to the Internet. You will need to replace these
236 values with appropriate interface names for your system.
237 </para>
238 </note>
239
240
241<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/nftables/nftables.conf &lt;&lt; "EOF"
242<literal>#!/sbin/nft -f
243
244# You're using the example configuration for a setup of a firewall
245# from Beyond Linux From Scratch.
246#
247# This example is far from being complete, it is only meant
248# to be a reference.
249#
250# Firewall security is a complex issue, that exceeds the scope
251# of the configuration rules below.
252#
253# You can find additional information
254# about firewalls in Chapter 4 of the BLFS book.
255# http://www.&lfs-domainname;/blfs
256
257# Drop all existing rules
258flush ruleset
259
260# Filter for both ip4 and ip6 (inet)
261table inet filter {
262
263 # filter incomming packets
264 chain input {
265
266 # Drop everything that doesn't match policy
267 type filter hook input priority 0; policy drop;
268
269 # accept packets for established connections
270 ct state { established, related } accept
271
272 # Drop packets that have a connection state of invalid
273 ct state invalid drop
274
275 # Allow connections to the loopback adapter
276 iifname "lo" accept
277
278 # Allow connections to the LAN1 interface
279 iifname "LAN1" accept
280
281 # Accept icmp requests
282 ip protocol icmp accept
283
284 # Allow ssh connections on LAN1
285 iifname "LAN1" tcp dport ssh accept
286
287 # Drop everything else
288 drop
289 }
290
291 # Allow forwarding for external connections to WAN1
292 chain forward {
293
294 # Drop if it doesn't match policy
295 type filter hook forward priority 0; policy drop;
296
297 # Accept connections on WAN1
298 oifname "WAN1" accept
299
300 # Allow forwarding to another host via this interface
301 # Uncomment the following line to allow connections
302 # ip daddr 192.168.0.2 ct status dnat accept
303
304 # Allow established and related connections
305 iifname "WAN1" ct state { established, related } accept
306 }
307
308 # Filter output traffic
309 chain output {
310
311 # Allow everything outbound
312 type filter hook output priority 0; policy accept;
313 }
314}
315
316# Allow NAT for ip protocol (both ip4 and ip6)
317table ip nat {
318
319 chain prerouting {
320
321 # Accept on inbound interface for policy match
322 type nat hook prerouting priority 0; policy accept;
323
324 # Accept http and https on 192.168.0.2
325 # Uncomment the following line to allow http and https
326 #iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2
327 }
328
329 chain postrouting {
330
331 # accept outbound
332 type nat hook postrouting priority 0; policy accept;
333
334 # Masquerade on WAN1 outbound
335 oifname "WAN1" masquerade
336 }
337}</literal>
338EOF</userinput></screen>
339
340 <para>
341 With this configuration your intranet should be reasonably secure
342 against external attacks. No one should be able to setup a new
343 connection to any internal service not configured above.
344 </para>
345
346 <para>
347 There are several other examples in the
348 <filename class="directory">/etc/nftables</filename> directory.
349 </para>
350
351 </sect3>
352
353 <sect3 id="nftables-init">
354 <title><phrase revision="sysv">Boot Script</phrase>
355 <phrase revision="systemd">Systemd Unit</phrase></title>
356
357 <para revision="sysv">
358 To set up the nftables firewall at boot, install the
359 <filename>/etc/rc.d/init.d/nftables</filename> init script included
360 in the <xref linkend="bootscripts"/> package.
361 </para>
362
363 <para revision="systemd">
364 To set up the nftables firewall at boot, install the
365 <filename>nftables.service</filename> unit included in the
366 <xref linkend="systemd-units"/> package.
367 </para>
368
369 <indexterm zone="nftables nftables-init">
370 <primary sortas="f-nftables">nftables</primary>
371 </indexterm>
372
373<screen role="root"><userinput>make install-nftables</userinput></screen>
374
375 </sect3>
376
377 </sect2>
378
379 <sect2 role="content">
380 <title>Contents</title>
381
382 <segmentedlist>
383 <segtitle>Installed Programs</segtitle>
384 <segtitle>Installed Libraries</segtitle>
385 <segtitle>Installed Directories</segtitle>
386
387 <seglistitem>
388 <seg>
389 nft
390 </seg>
391 <seg>
392 libnftables.{a,so}
393 </seg>
394 <seg>
395 /etc/nftables
396 </seg>
397 </seglistitem>
398 </segmentedlist>
399
400 <variablelist>
401 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
402 <?dbfo list-presentation="list"?>
403 <?dbhtml list-presentation="table"?>
404
405 <varlistentry id="nft">
406 <term><filename>nft</filename></term>
407 <listitem>
408 <para>
409 command line interface for the nf_tables subsystem.
410 </para>
411 <indexterm zone="nftables nft">
412 <primary sortas="a-nft">nft</primary>
413 </indexterm>
414 </listitem>
415 </varlistentry>
416
417 <varlistentry id="libnftables">
418 <term><filename class="libraryfile">libnftables.{a,so}</filename></term>
419 <listitem>
420 <para>
421 provides functions for manipulating the nf_tables subsystem.
422 </para>
423 <indexterm zone="nftables libnftables">
424 <primary sortas="c-libnftables">libnftables.so</primary>
425 </indexterm>
426 </listitem>
427 </varlistentry>
428
429 </variablelist>
430
431 </sect2>
432
433</sect1>
Note: See TracBrowser for help on using the repository browser.