source: postlfs/security/nftables.xml@ 8c5b0070

Last change on this file since 8c5b0070 was cb21554, checked in by DJ Lucas <dj@…>, 5 years ago

The nftables package uses asciidoc, not DocBook-Utils.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22330 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY nftables-download-http "https://netfilter.org/projects/nftables/files/nftables-&nftables-version;.tar.bz2">
  <!ENTITY nftables-download-ftp " ">
  <!ENTITY nftables-md5sum "dfe130724d7c998eb26b56447e932899">
  <!ENTITY nftables-size "764 KB">
  <!ENTITY nftables-buildsize "31 MB">
  <!ENTITY nftables-time "0.2 SBU">
]>

<sect1 id="nftables" xreflabel="nftables-&nftables-version;">
  <?dbhtml filename="nftables.html"?>

  <sect1info>
    <othername>$LastChangedBy: $</othername>
    <date>$Date: $</date>
  </sect1info>

  <title>nftables-&nftables-version;</title>

  <indexterm zone="nftables">
    <primary sortas="a-nftables">nftables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to nftables</title>

    <para>
      The <application>nftables</application> package, intended to be the
      successor to <xref linkend="iptables"/>, provides a low-level netlink
      programming interface (API), and userspace utilities for the in-kernel
      nf_tables subsystem.
    </para>

    &lfs90_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>
          Download (HTTP): <ulink url="&nftables-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&nftables-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &nftables-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &nftables-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &nftables-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &nftables-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">nftables Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="libnftnl"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="iptables"/>,
      <xref linkend="jansson"/>, and
      <xref linkend="docbook-utils"/>
    </para>

    <bridgehead renderas="sect4">Optional (runtime)</bridgehead>

    <para role="optional">
      <ulink url="https://netfilter.org/projects/conntrack-tools/index.html">
      conntrack-tools</ulink>,
      <ulink url="https://netfilter.org/projects/nfacct/index.html">
      nfacct</ulink>, and
      <ulink url="https://netfilter.org/projects/ulogd/index.html">
      ulogd</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/nftables"/>
    </para>
  </sect2>

  <sect2 role="kernel">
    <title>Kernel Configuration</title>

    <para>
      Enable the following options in the kernel configuration and recompile the
      kernel if necessary (add any additional nf_tables features as needed):
    </para>

<screen><literal>[*] Networking support [CONFIG_NET] ---&gt;
  Networking options ---&gt;
    [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---&gt;
      Core Netfilter Configuration ---&gt;
        &lt;*&gt; * protocol support [CONFIG_NF_CONNTRACK_*]
        &lt;*&gt; Netfilter nf_tables support [CONFIG_NF_TABLES]
        [*] Netfilter nf_tables * support [CONFIG_NF_TABLES_*]</literal></screen>

    <para>
      Include any connection tracking protocols that will be used, and
      any protocols that you wish to use for match support under the
      "Core Netfilter Configuration" section. Additionally, include any
      "Netfilter nf_tables * module" that will be used under the
      "Netfilter nf_tables support" section.
    </para>

  </sect2>

  <sect2 role="installation">
    <title>Installation of nftables</title>

    <para>
      Install <application>nftables</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr     \
            --sbindir=/sbin   \
            --sysconfdir=/etc \
            --with-python-bin=/usr/bin/python3 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv /usr/lib/libnftables.so.* /lib &amp;&amp;
ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="../../xincludes/static-libraries.xml"/>

    <para>
      <parameter>--with-python-bin=/usr/bin/python3</parameter>: force use of
      <application>Python3</application>.
    </para>

    <para>
      <option>--enable-man-doc</option>: build man pages if
      <xref linkend="asciidoc"/> is installed (required if adding
      JSON support).
    </para>

    <para>
      <parameter>--with-json</parameter>: build with support for JSON output if
      <xref linkend="jansson"/> is available.
    </para>

    <para>
      <parameter>--with-xtables</parameter>: build with
      <xref linkend="iptables"/> libxtables support.
    </para>

    <para>
      <command>mv /usr/lib/libnftables.so.* ...</command>: move the shared
      libraries into /lib so they are available before /usr is mounted.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring nftables</title>

    <note>
      <para>
        If you intend to use <xref linkend="firewalld"/> to configure your
        firewall rules, you should not use the example configuration provided
        here, nor should you enable the
        <phrase revision="sysv">bootscript.</phrase>
        <phrase revision="systemd">systemd unit.</phrase>
      </para>
    </note>

    <sect3 id="fw-masqRouter-nft"
           xreflabel="Creating a Masquerading Router With nftables">
      <title>Masquerading Router</title>

      <para>
        A network firewall has two interfaces, one connected to an
        intranet, in this example <emphasis role="strong">LAN1</emphasis>,
        and one connected to the Internet, here <emphasis
        role="strong">WAN1</emphasis>. You will need to adjust these values to
        match your particular system. To provide the maximum security
        for the firewall itself, make sure that there are no unnecessary
        servers running on it such as <application>X11</application> et al.
        As a general principle, the firewall itself should not access
        any untrusted service (think of a remote server giving answers that
        make a daemon on your system crash, or even worse, that implement
        a worm via a buffer overflow).
      </para>

      <note>
        <para>
          In the following example configuration, <emphasis
          role="strong">LAN1</emphasis> is used for the internal LAN interface,
          and <emphasis role="strong">WAN1</emphasis> is used for the external
          interface connected to the Internet. You will need to replace these
          values with appropriate interface names for your system.
        </para>
      </note>

<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/nftables/nftables.conf &lt;&lt; "EOF"
<literal>#!/sbin/nft -f

# You're using the example configuration for a setup of a firewall
# from Beyond Linux From Scratch.
#
# This example is far from complete; it is only meant
# to be a reference.
#
# Firewall security is a complex issue that exceeds the scope
# of the configuration rules below.
#
# You can find additional information
# about firewalls in Chapter 4 of the BLFS book.
# http://www.&lfs-domainname;/blfs

# Drop all existing rules
flush ruleset

# Filter for both IPv4 and IPv6 (inet family)
table inet filter {

    # filter incoming packets
    chain input {

        # Drop everything that doesn't match a rule below
        type filter hook input priority 0; policy drop;

        # accept packets for established connections
        ct state { established, related } accept

        # Drop packets that have a connection state of invalid
        ct state invalid drop

        # Allow connections to the loopback adapter
        iifname "lo" accept

        # Allow connections to the LAN1 interface
        iifname "LAN1" accept

        # Accept IPv4 icmp requests (this rule does not match ICMPv6)
        ip protocol icmp accept

        # Allow ssh connections on LAN1
        iifname "LAN1" tcp dport ssh accept

        # Drop everything else
        drop
    }

    # Allow forwarding for external connections to WAN1
    chain forward {

        # Drop if it doesn't match a rule below
        type filter hook forward priority 0; policy drop;

        # Accept connections on WAN1
        oifname "WAN1" accept

        # Allow forwarding to another host via this interface
        # Uncomment the following line to allow connections
        # ip daddr 192.168.0.2 ct status dnat accept

        # Allow established and related connections
        iifname "WAN1" ct state { established, related } accept
    }

    # Filter output traffic
    chain output {

        # Allow everything outbound
        type filter hook output priority 0; policy accept;
    }
}

# NAT for IPv4 (the ip family covers IPv4 only)
table ip nat {

    chain prerouting {

        # Accept on inbound interface for policy match
        type nat hook prerouting priority 0; policy accept;

        # Accept http and https on 192.168.0.2
        # Uncomment the following line to allow http and https
        #iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2
    }

    chain postrouting {

        # accept outbound
        type nat hook postrouting priority 0; policy accept;

        # Masquerade on WAN1 outbound
        oifname "WAN1" masquerade
    }
}</literal>
EOF</userinput></screen>

      <para>
        With this configuration your intranet should be reasonably secure
        against external attacks. No one should be able to set up a new
        connection to any internal service not configured above.
      </para>

      <para>
        There are several other examples in the
        <filename class="directory">/etc/nftables</filename> directory.
      </para>
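      <para>
        The protection described above rests on the input and forward chains
        defaulting to drop. The following added example, which is not part of
        the BLFS book or the nftables project, is a small Python checker that
        reads a ruleset in the syntax shown above and reports every filter
        chain on the input or forward hook whose default policy is not drop,
        including chains that omit the policy (nft then defaults to accept).
        The embedded ruleset is a constructed excerpt of the example above.
      </para>

```python
import re
# Constructed excerpt modelled on the example ruleset above (not the BLFS file itself)
EXAMPLE_RULESET = """
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        iifname "LAN1" tcp dport ssh accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        oifname "WAN1" accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 0; policy accept;
        oifname "WAN1" masquerade
    }
}
"""

TABLE_RE = re.compile(r"^\s*table\s+(\w+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
# "policy" is optional in nft syntax; a base chain without it defaults to accept
BASE_RE = re.compile(r"type\s+(\w+)\s+hook\s+(\w+)\s+priority\s+(\S+?)\s*;(?:\s*policy\s+(\w+)\s*;)?")

def base_chains(ruleset):
    """Return one dict per base chain: table, chain, type, hook and default policy."""
    found, table, chain = [], None, None
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0]          # nft treats '#' to end of line as a comment
        if m := TABLE_RE.match(line):
            table = f"{m.group(1)} {m.group(2)}"
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif (m := BASE_RE.search(line)) and chain:
            found.append({"table": table, "chain": chain, "type": m.group(1),
                          "hook": m.group(2), "policy": m.group(4) or "accept"})
    return found

def weak_policies(ruleset):
    """Filter chains on the input or forward hook that do not default to drop."""
    return [c for c in base_chains(ruleset)
            if c["type"] == "filter" and c["hook"] in ("input", "forward")
            and c["policy"] != "drop"]
```

Run it over a real file with `weak_policies(open("/etc/nftables/nftables.conf").read())`; an empty list means every input and forward chain defaults to drop.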

    </sect3>

    <sect3 id="nftables-init">
      <title><phrase revision="sysv">Boot Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To set up the nftables firewall at boot, install the
        <filename>/etc/rc.d/init.d/nftables</filename> init script included
        in the <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To set up the nftables firewall at boot, install the
        <filename>nftables.service</filename> unit included in the
        <xref linkend="systemd-units"/> package.
      </para>

      <indexterm zone="nftables nftables-init">
        <primary sortas="f-nftables">nftables</primary>
      </indexterm>

<screen role="root"><userinput>make install-nftables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          nft
        </seg>
        <seg>
          libnftables.{a,so}
        </seg>
        <seg>
          /etc/nftables
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="nft">
        <term><filename>nft</filename></term>
        <listitem>
          <para>
            command line interface for the nf_tables subsystem.
          </para>
          <indexterm zone="nftables nft">
            <primary sortas="a-nft">nft</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libnftables">
        <term><filename class="libraryfile">libnftables.{a,so}</filename></term>
        <listitem>
          <para>
            provides functions for manipulating the nf_tables subsystem.
          </para>
          <indexterm zone="nftables libnftables">
            <primary sortas="c-libnftables">libnftables.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>