source: archive/nftables.xml@ d3717bf

Last change on this file since d3717bf was d3717bf, checked in by Pierre Labastie <pieere@…>, 3 years ago

Move two files to archive, because they have not been in use for a while

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24233 af4574ff-66df-0310-9fd7-8a98e5e911e0

File size: 13.2 KB
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY nftables-download-http "https://netfilter.org/projects/nftables/files/nftables-&nftables-version;.tar.bz2">
  <!ENTITY nftables-download-ftp " ">
  <!ENTITY nftables-md5sum "9913b2b46864394d41916b74638e0875">
  <!ENTITY nftables-size "772 KB">
  <!ENTITY nftables-buildsize "34 MB">
  <!ENTITY nftables-time "0.2 SBU">
]>

<sect1 id="nftables" xreflabel="nftables-&nftables-version;">
  <?dbhtml filename="nftables.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>nftables-&nftables-version;</title>

  <indexterm zone="nftables">
    <primary sortas="a-nftables">nftables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to nftables</title>

    <para>
      The <application>nftables</application> package, intended to be the
      successor to <xref linkend="iptables"/>, provides a low-level netlink
      programming interface (API) and userspace utilities for the in-kernel
      nf_tables subsystem.
    </para>

    &lfs90_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>
          Download (HTTP): <ulink url="&nftables-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&nftables-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &nftables-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &nftables-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &nftables-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &nftables-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">nftables Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="libnftnl"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="jansson"/> (for JSON rules table support)
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="iptables"/> and
      <xref linkend="docbook-utils"/>
    </para>

    <bridgehead renderas="sect4">Optional (runtime)</bridgehead>

    <para role="optional">
      <ulink url="https://netfilter.org/projects/conntrack-tools/index.html">
      conntrack-tools</ulink>,
      <ulink url="https://netfilter.org/projects/nfacct/index.html">
      nfacct</ulink>, and
      <ulink url="https://netfilter.org/projects/ulogd/index.html">
      ulogd</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/nftables"/>
    </para>
  </sect2>

  <sect2 role="kernel">
    <title>Kernel Configuration</title>

    <para>
      Enable the following options in the kernel configuration and recompile the
      kernel if necessary (add any additional nf_tables features as needed):
    </para>

<screen><literal>[*] Networking support [CONFIG_NET] ---&gt;
  Networking options ---&gt;
    [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---&gt;
      Core Netfilter Configuration ---&gt;
        &lt;*&gt; * protocol support [CONFIG_NF_CONNTRACK_*]
        &lt;*&gt; Netfilter nf_tables support [CONFIG_NF_TABLES]
        [*] Netfilter nf_tables * support [CONFIG_NF_TABLES_*]</literal></screen>

    <para>
      Include any connection tracking protocols that will be used, and
      any protocols that you wish to use for match support under the
      "Core Netfilter Configuration" section. Additionally, include any
      "Netfilter nf_tables * module" that will be used under the
      "Netfilter nf_tables support" section.
    </para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of nftables</title>

    <para>
      Install <application>nftables</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr       \
            --sbindir=/sbin     \
            --sysconfdir=/etc   \
            --with-json         \
            --with-python-bin=/usr/bin/python3 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv /usr/lib/libnftables.so.* /lib &amp;&amp;
ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

<!-- there is no disable-static option in the configure string
    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="../../xincludes/static-libraries.xml"/>
-->
    <para>
      <parameter>--with-json</parameter>: build with support for JSON rules.
      Omit if <xref linkend="jansson"/> is not available.
    </para>

    <para>
      <parameter>--with-python-bin=/usr/bin/python3</parameter>: force use of
      <application>Python3</application>.
    </para>

    <para>
      <option>--enable-man-doc</option>: build man pages if
      <xref linkend="asciidoc"/> is installed (required if adding
      json support).
    </para>

    <para>
      <option>--with-xtables</option>: build with
      <xref linkend="iptables"/> libxtables support.
    </para>

    <para>
      <command>mv /usr/lib/libnftables.so.* ...</command>: Move the shared
      library into /lib so it is available before /usr is mounted.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring nftables</title>

    <note>
      <para>
        If you intend to use <xref linkend="firewalld"/> to configure your
        firewall rules, you should not use the example configuration provided
        here, nor should you enable the
        <phrase revision="sysv">bootscript.</phrase>
        <phrase revision="systemd">systemd unit.</phrase>
      </para>
    </note>

    <sect3 id="fw-masqRouter-nft"
           xreflabel="Creating a Masquerading Router With nftables">
      <title>Masquerading Router</title>

      <para>
        A network firewall has two interfaces, one connected to an
        intranet, in this example <emphasis role="strong">LAN1</emphasis>,
        and one connected to the Internet, here <emphasis
        role="strong">WAN1</emphasis>. You will need to adjust these values to
        match your particular system. To provide the maximum security
        for the firewall itself, make sure that there are no unnecessary
        servers running on it such as <application>X11</application> et al.
        As a general principle, the firewall itself should not access
        any untrusted service (think of a remote server giving answers that
        make a daemon on your system crash, or even worse, that implements
        a worm via a buffer overflow).
      </para>

      <note>
        <para>
          In the following example configuration, <emphasis
          role="strong">LAN1</emphasis> is used for the internal LAN interface,
          and <emphasis role="strong">WAN1</emphasis> is used for the external
          interface connected to the Internet. You will need to replace these
          values with appropriate interface names for your system.
        </para>
      </note>

<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/nftables/nftables.conf &lt;&lt; "EOF"
<literal>#!/sbin/nft -f

# You're using the example configuration for a setup of a firewall
# from Beyond Linux From Scratch.
#
# This example is far from complete; it is only meant
# to be a reference.
#
# Firewall security is a complex issue that exceeds the scope
# of the configuration rules below.
#
# You can find additional information
# about firewalls in Chapter 4 of the BLFS book.
# http://www.&lfs-domainname;/blfs

# Drop all existing rules
flush ruleset

# Filter for both ip4 and ip6 (inet)
table inet filter {

  # filter incoming packets
  chain input {

    # Drop everything that doesn't match policy
    type filter hook input priority 0; policy drop;

    # accept packets for established connections
    ct state { established, related } accept

    # Drop packets that have a connection state of invalid
    ct state invalid drop

    # Allow connections to the loopback adapter
    iifname "lo" accept

    # Allow connections to the LAN1 interface
    iifname "LAN1" accept

    # Accept ip4 icmp
    ip protocol icmp accept

    # Allow ssh connections on LAN1
    iifname "LAN1" tcp dport ssh accept

    # Drop everything else
    drop
  }

  # Allow forwarding for external connections to WAN1
  chain forward {

    # Drop if it doesn't match policy
    type filter hook forward priority 0; policy drop;

    # Accept connections on WAN1
    oifname "WAN1" accept

    # Allow forwarding to another host via this interface
    # Uncomment the following line to allow connections
    # ip daddr 192.168.0.2 ct status dnat accept

    # Allow established and related connections
    iifname "WAN1" ct state { established, related } accept
  }

  # Filter output traffic
  chain output {

    # Allow everything outbound
    type filter hook output priority 0; policy accept;
  }
}

# NAT table for ip4 (the ip family does not cover ip6)
table ip nat {

  chain prerouting {

    # Accept on inbound interface for policy match
    type nat hook prerouting priority 0; policy accept;

    # Accept http and https on 192.168.0.2
    # Uncomment the following line to allow http and https
    #iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2
  }

  chain postrouting {

    # accept outbound
    type nat hook postrouting priority 0; policy accept;

    # Masquerade on WAN1 outbound
    oifname "WAN1" masquerade
  }
}</literal>
EOF</userinput></screen>

      <para>
        With this configuration your intranet should be reasonably secure
        against external attacks. No one should be able to set up a new
        connection to any internal service not configured above.
      </para>
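A check for the property stated above (no new inbound connections from the WAN side), as an added example that is not part of the BLFS book: it audits a ruleset in the JSON form that `nft -j list ruleset` emits when nftables is built with --with-json, flagging an input chain whose policy is not drop and any accept rule that matches the WAN interface without a ct state restriction. The sample ruleset, its handles and the function names are constructed for this example.

```python
import json

IIFNAME = {"meta": {"key": "iifname"}}   # JSON form of an iifname match key
CT_STATE = {"ct": {"key": "state"}}      # JSON form of a ct state match key

def sample_ruleset(extra_exprs=None):
    """Constructed sample modelled on `nft -j list ruleset` output for the example's
    inet filter input chain; extra_exprs, if given, adds one more accept rule."""
    def rule(handle, exprs):
        return {"rule": {"family": "inet", "table": "filter", "chain": "input",
                         "handle": handle, "expr": exprs}}
    objs = [
        {"table": {"family": "inet", "name": "filter", "handle": 1}},
        {"chain": {"family": "inet", "table": "filter", "name": "input", "handle": 1,
                   "type": "filter", "hook": "input", "prio": 0, "policy": "drop"}},
        rule(2, [{"match": {"op": "in", "left": CT_STATE,
                            "right": {"set": ["established", "related"]}}},
                 {"accept": None}]),
        rule(3, [{"match": {"op": "==", "left": IIFNAME, "right": "LAN1"}},
                 {"accept": None}]),
    ]
    if extra_exprs is not None:
        objs.append(rule(9, extra_exprs + [{"accept": None}]))
    return json.dumps({"nftables": objs})

def audit_input_chains(ruleset_json, wan_if):
    """Return findings that contradict the goal stated above (no new inbound
    connections from the WAN side); an empty list means the checks passed."""
    findings = []
    objs = json.loads(ruleset_json)["nftables"]
    inputs = [o["chain"] for o in objs
              if "chain" in o and o["chain"].get("hook") == "input"]
    if not inputs:
        findings.append("no base chain hooks input: inbound traffic is not filtered")
    for c in inputs:
        if c.get("policy") != "drop":
            findings.append(f"chain {c['name']}: policy {c.get('policy')!r}, expected 'drop'")
    for o in objs:
        r = o.get("rule")
        if not r or r["chain"] not in {c["name"] for c in inputs}:
            continue
        if not any("accept" in e for e in r["expr"]):
            continue  # only accept verdicts can open the WAN side
        matches = [e["match"] for e in r["expr"] if "match" in e]
        from_wan = any(m["left"] == IIFNAME and m["right"] == wan_if for m in matches)
        stateful = any(m["left"] == CT_STATE for m in matches)
        if not matches or (from_wan and not stateful):
            findings.append(f"rule handle {r['handle']} in {r['chain']}: accepts "
                            f"new connections from {wan_if}")
    return findings
```

The check is deliberately narrow: a rule such as `ip protocol icmp accept`, which does not name an interface, is not reported, so a clean result confirms the WAN-side property only, not the whole ruleset.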

      <para>
        There are several other examples in the
        <filename class="directory">/etc/nftables</filename> directory.
      </para>

    </sect3>

    <sect3 id="nftables-init">
      <title><phrase revision="sysv">Boot Script</phrase>
      <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To set up the nftables firewall at boot, install the
        <filename>/etc/rc.d/init.d/nftables</filename> init script included
        in the <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To set up the nftables firewall at boot, install the
        <filename>nftables.service</filename> unit included in the
        <xref linkend="systemd-units"/> package.
      </para>

      <indexterm zone="nftables nftables-init">
        <primary sortas="f-nftables">nftables</primary>
      </indexterm>

<screen role="root"><userinput>make install-nftables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          nft
        </seg>
        <seg>
          libnftables.{a,so}
        </seg>
        <seg>
          /etc/nftables
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="nft">
        <term><filename>nft</filename></term>
        <listitem>
          <para>
            command line interface for the nf_tables subsystem.
          </para>
          <indexterm zone="nftables nft">
            <primary sortas="a-nft">nft</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libnftables">
        <term><filename class="libraryfile">libnftables.{a,so}</filename></term>
        <listitem>
          <para>
            provides functions for manipulating the nf_tables subsystem.
          </para>
          <indexterm zone="nftables libnftables">
            <primary sortas="c-libnftables">libnftables.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>