source: postlfs/security/nftables.xml@ ad09788d

Last change on this file since ad09788d was ad09788d, checked in by DJ Lucas <dj@…>, 4 years ago

Fix libnftables links.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@22311 af4574ff-66df-0310-9fd7-8a98e5e911e0

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

  <!ENTITY nftables-download-http "https://netfilter.org/projects/nftables/files/nftables-&nftables-version;.tar.bz2">
  <!ENTITY nftables-download-ftp  " ">
  <!ENTITY nftables-md5sum        "dfe130724d7c998eb26b56447e932899">
  <!ENTITY nftables-size          "764 KB">
  <!ENTITY nftables-buildsize     "31 MB">
  <!ENTITY nftables-time          "0.2 SBU">
]>

<sect1 id="nftables" xreflabel="nftables-&nftables-version;">
  <?dbhtml filename="nftables.html"?>

  <sect1info>
    <othername>$LastChangedBy: $</othername>
    <date>$Date: $</date>
  </sect1info>

  <title>nftables-&nftables-version;</title>

  <indexterm zone="nftables">
    <primary sortas="a-nftables">nftables</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to nftables</title>

    <para>
      The <application>nftables</application> package, intended to be the
      successor to <xref linkend="iptables"/>, provides a low-level netlink
      programming interface (API) and userspace utilities for the in-kernel
      nf_tables subsystem.
    </para>

    &lfs90_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing='compact'>
      <listitem>
        <para>
          Download (HTTP): <ulink url="&nftables-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&nftables-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &nftables-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &nftables-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &nftables-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &nftables-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">nftables Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="libnftnl"/>
    </para>

    <bridgehead renderas="sect4">Optional</bridgehead>
    <para role="optional">
      <xref linkend="iptables"/>,
      <xref linkend="jansson"/>, and
      <xref linkend="docbook-utils"/>
    </para>

    <bridgehead renderas="sect4">Optional (runtime)</bridgehead>

    <para role="optional">
      <ulink url="https://netfilter.org/projects/conntrack-tools/index.html">
      conntrack-tools</ulink>,
      <ulink url="https://netfilter.org/projects/nfacct/index.html">
      nfacct</ulink>, and
      <ulink url="https://netfilter.org/projects/ulogd/index.html">
      ulogd</ulink>
    </para>

    <para condition="html" role="usernotes">User Notes:
      <ulink url="&blfs-wiki;/nftables"/>
    </para>
  </sect2>

  <sect2 role="kernel">
    <title>Kernel Configuration</title>

    <para>
      Enable the following options in the kernel configuration and recompile the
      kernel if necessary (add any additional nf_tables features as needed):
    </para>

<screen><literal>[*] Networking support [CONFIG_NET] ---&gt;
  Networking options ---&gt;
    [*] Network packet filtering framework (Netfilter) [CONFIG_NETFILTER] ---&gt;
      Core Netfilter Configuration ---&gt;
        &lt;*&gt; * protocol support [CONFIG_NF_CONNTRACK_*]
        &lt;*&gt; Netfilter nf_tables support [CONFIG_NF_TABLES]
        [*] Netfilter nf_tables * support [CONFIG_NF_TABLES_*]</literal></screen>

    <para>
      Include any connection tracking protocols that will be used, and
      any protocols that you wish to use for match support under the
      "Core Netfilter Configuration" section. Additionally, include any
      "Netfilter nf_tables * module" that will be used under the
      "Netfilter nf_tables support" section. In particular, the example
      ruleset in the Configuration section below uses an inet table,
      connection-tracking (ct) matches, and NAT (dnat and masquerade), so
      the corresponding nf_tables modules must be built in or available as
      modules; a rule whose expression is not supported by the kernel is
      rejected when the ruleset is loaded.
    </para>
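    <para>
      The following shell script is added here as an example and is not part
      of nftables or of BLFS. It checks a kernel configuration file for the
      options the masquerading router ruleset below depends on, so a missing
      module is caught before the ruleset is loaded. The option names are
      assumptions taken from the kernel's Kconfig and should be verified
      against your kernel version; the script name is this example's own.
    </para>

```shell
#!/bin/sh
# Check a kernel configuration for the Netfilter/nf_tables options that the
# masquerading router ruleset on this page needs. Added example; not part of
# nftables or BLFS. The option names below are assumptions taken from the
# kernel's Kconfig: verify them with "make menuconfig" for your kernel version
# and extend the list with any further nf_tables modules your own rules use.

NFT_REQUIRED="CONFIG_NETFILTER CONFIG_NF_CONNTRACK CONFIG_NF_TABLES
CONFIG_NF_TABLES_INET CONFIG_NFT_CT CONFIG_NF_NAT CONFIG_NFT_NAT CONFIG_NFT_MASQ"

# kconfig_cat FILE: print FILE, decompressing it if it is gzip-compressed
# (as /proc/config.gz is when CONFIG_IKCONFIG_PROC is enabled)
kconfig_cat() {
    case $1 in
        *.gz) gzip -dc "$1" ;;
        *)    cat "$1" ;;
    esac
}

# check_nft_kernel_config FILE: print "missing: OPTION" for each required
# option that is neither built in (=y) nor a module (=m) in FILE.
# The pattern is anchored so that CONFIG_NFT_MASQ does not match
# CONFIG_NFT_MASQ_IPV4 or similar longer names.
# Returns 0 when everything is present, 1 otherwise.
check_nft_kernel_config() {
    missing=0
    for opt in $NFT_REQUIRED; do
        if ! kconfig_cat "$1" | grep -Eq "^$opt=[ym]\$"; then
            echo "missing: $opt"
            missing=1
        fi
    done
    return "$missing"
}

# When run directly with a path: sh nft-kconfig-check.sh /proc/config.gz
if [ $# -gt 0 ]; then
    check_nft_kernel_config "$1"
fi
```

    <para>
      Run it against <filename>/proc/config.gz</filename> on a kernel built
      with CONFIG_IKCONFIG_PROC, or against the <filename>.config</filename>
      in the kernel source tree. It prints every missing option and exits
      non-zero if any is absent.
    </para>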


  </sect2>

  <sect2 role="installation">
    <title>Installation of nftables</title>

    <para>
      Install <application>nftables</application> by running the following
      commands:
    </para>

<screen><userinput>./configure --prefix=/usr                 \
            --sbindir=/sbin               \
            --sysconfdir=/etc             \
            --with-python-bin=/usr/bin/python3 &amp;&amp;
make</userinput></screen>

    <para>
      This package does not come with a test suite.
    </para>

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>make install &amp;&amp;
mv /usr/lib/libnftables.so.* /lib &amp;&amp;
ln -sfv ../../lib/$(readlink /usr/lib/libnftables.so) /usr/lib/libnftables.so</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
                href="../../xincludes/static-libraries.xml"/>

    <para>
      <parameter>--with-python-bin=/usr/bin/python3</parameter>: force use of
      <application>Python3</application>.
    </para>

    <para>
      <option>--enable-man-doc</option>: build man pages if
      <xref linkend="docbook-utils"/> is installed.
    </para>

    <para>
      <option>--with-json</option>: build with support for JSON output if
      <xref linkend="jansson"/> is available.
    </para>

    <para>
      <option>--with-xtables</option>: build with
      <xref linkend="iptables"/> libxtables support.
    </para>

    <para>
      <command>mv /usr/lib/libnftables.so.* ...</command>: Move the shared
      library into /lib so that <command>nft</command>, which is installed in
      /sbin, can load the firewall before /usr is mounted. The
      <command>ln</command> command then repoints the development symlink
      <filename>/usr/lib/libnftables.so</filename> at the moved library.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring nftables</title>

    <note>
      <para>
        If you intend to use <xref linkend="firewalld"/> to configure your
        firewall rules, you should not use the example configuration provided
        here, nor should you enable the
        <phrase revision="sysv">bootscript.</phrase>
        <phrase revision="systemd">systemd unit.</phrase>
      </para>
    </note>

    <sect3 id="fw-masqRouter-nft"
           xreflabel="Creating a Masquerading Router With nftables">
      <title>Masquerading Router</title>

      <para>
        A network firewall has two interfaces, one connected to an
        intranet, in this example <emphasis role="strong">LAN1</emphasis>,
        and one connected to the Internet, here <emphasis
        role="strong">WAN1</emphasis>. You will need to adjust these values to
        match your particular system. To provide the maximum security
        for the firewall itself, make sure that there are no unnecessary
        servers running on it, such as <application>X11</application>.
        As a general principle, the firewall itself should not access
        any untrusted service (think of a remote server giving answers that
        make a daemon on your system crash, or, even worse, that delivers
        a worm via a buffer overflow).
      </para>

      <note>
        <para>
          In the following example configuration, <emphasis
          role="strong">LAN1</emphasis> is used for the internal LAN interface,
          and <emphasis role="strong">WAN1</emphasis> is used for the external
          interface connected to the Internet. You will need to replace these
          values with appropriate interface names for your system.
        </para>
      </note>

<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/nftables/nftables.conf &lt;&lt; "EOF"
<literal>#!/sbin/nft -f

# You're using the example configuration for a setup of a firewall
# from Beyond Linux From Scratch.
#
# This example is far from being complete, it is only meant
# to be a reference.
#
# Firewall security is a complex issue, that exceeds the scope
# of the configuration rules below.
#
# You can find additional information
# about firewalls in Chapter 4 of the BLFS book.
# http://www.&lfs-domainname;/blfs

# Drop all existing rules. nft -f applies the whole file as a single
# transaction, so the flush and the new rules take effect together.
flush ruleset

# Filter for both ip4 and ip6 (inet)
table inet filter {

  # filter incoming packets
  chain input {

    # Drop everything that doesn't match policy
    type filter hook input priority 0; policy drop;

    # accept packets for established connections
    ct state { established, related } accept

    # Drop packets that have a connection state of invalid
    ct state invalid drop

    # Allow connections to the loopback adapter
    iifname "lo" accept

    # Allow connections to the LAN1 interface
    iifname "LAN1" accept

    # Accept icmp requests. "ip protocol" only matches IPv4; ICMPv6 is
    # needed as well, or neighbor discovery and path MTU discovery on
    # IPv6 are dropped by the policy.
    ip protocol icmp accept
    ip6 nexthdr ipv6-icmp accept

    # Allow ssh connections on LAN1
    iifname "LAN1" tcp dport ssh accept

    # Drop everything else
    drop
  }

  # Allow forwarding for external connections to WAN1
  chain forward {

    # Drop if it doesn't match policy
    type filter hook forward priority 0; policy drop;

    # Allow forwarding from the LAN out through WAN1
    oifname "WAN1" accept

    # Allow forwarding to another host via this interface
    # Uncomment the following line to allow connections
    # ip daddr 192.168.0.2 ct status dnat accept

    # Allow established and related connections
    iifname "WAN1" ct state { established, related } accept
  }

  # Filter output traffic
  chain output {

    # Allow everything outbound
    type filter hook output priority 0; policy accept;
  }
}

# NAT for IPv4 only (an "ip" table); IPv6 traffic is forwarded but not
# address-translated
table ip nat {

  chain prerouting {

    # Accept on inbound interface for policy match
    type nat hook prerouting priority 0; policy accept;

    # Accept http and https on 192.168.0.2
    # Uncomment the following line to allow http and https
    #iifname "WAN1" tcp dport { http, https } dnat to 192.168.0.2
  }

  chain postrouting {

    # accept outbound
    type nat hook postrouting priority 0; policy accept;

    # Masquerade on WAN1 outbound
    oifname "WAN1" masquerade
  }
}</literal>
EOF</userinput></screen>

      <para>
        With this configuration your intranet should be reasonably secure
        against external attacks: no new connection arriving on WAN1 can
        reach the firewall itself (only replies to connections it opened,
        and ICMP) or any internal host, unless you uncomment the dnat lines
        above to publish a service on 192.168.0.2. Outbound IPv4 traffic from
        the LAN is masqueraded behind the WAN1 address; IPv6 is forwarded
        without address translation, so internal hosts with global IPv6
        addresses are still shielded by the forward chain but are not hidden
        by it.
      </para>

      <para>
        There are several other examples in the
        <filename class="directory">/etc/nftables</filename> directory.
      </para>
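      <para>
        Loading a new ruleset on a firewall you administer over the network
        is where a typo locks you out. The following script is added here as
        an example and is not part of nftables or of BLFS. It shows the
        check, apply and confirm pattern: the file is parsed with
        <command>nft -c</command> first, the running ruleset is saved with
        <command>nft list ruleset</command>, the new file is loaded, and the
        saved ruleset is restored unless a confirmation file appears within a
        grace period. The file paths, the script name and the
        confirmation-file mechanism are this example's own choices.
      </para>

```shell
#!/bin/sh
# Check, apply and (if unconfirmed) roll back an nftables ruleset file.
# Added example for this page; not part of nftables or BLFS. It relies on
# nft(8) options shipped with this package: -c (parse only), -f FILE (load
# FILE as one transaction) and "list ruleset". Paths, the script name and
# the confirmation-file mechanism are this example's own choices.

NFT=${NFT:-nft}                              # nft binary (overridable for testing)
CONF=${CONF:-/etc/nftables/nftables.conf}    # ruleset written in the section above
BACKUP=${BACKUP:-/run/nftables.rollback}     # where the running ruleset is saved
GRACE=${GRACE:-60}                           # seconds to confirm before rollback

# nft_check FILE: parse FILE without touching the kernel; 0 if it is valid
nft_check() {
    "$NFT" -c -f "$1"
}

# nft_apply_with_rollback FILE CONFIRM: load FILE, then wait up to $GRACE
# seconds for the file CONFIRM to be created (for example by "touch" from a
# session that still works). If it is not, restore the previous ruleset.
# Returns 0 when confirmed, 1 after a rollback, 2-4 when nothing was applied.
nft_apply_with_rollback() {
    file=$1
    confirm=$2
    nft_check "$file" || { echo "syntax error in $file; nothing changed" >&2; return 2; }
    "$NFT" list ruleset > "$BACKUP" || { echo "cannot save running ruleset" >&2; return 3; }
    "$NFT" -f "$file" || { echo "load failed; kernel ruleset unchanged" >&2; return 4; }

    waited=0
    while [ "$waited" -lt "$GRACE" ]; do
        if [ -e "$confirm" ]; then
            rm -f "$confirm"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done

    # Not confirmed: rebuild the old ruleset as one atomic transaction.
    # "flush ruleset" goes first because "list ruleset" output does not
    # include it, and loading the backup on top of the new rules would
    # merge the two rulesets instead of replacing one with the other.
    { echo "flush ruleset"; cat "$BACKUP"; } > "$BACKUP.full"
    "$NFT" -f "$BACKUP.full"
    echo "no confirmation within ${GRACE}s; previous ruleset restored" >&2
    return 1
}

# Usage: sh nft-safe-apply.sh apply [CONFIRMFILE]
#        then, from a session that still works: touch /run/nftables.confirmed
case ${1:-} in
    apply) nft_apply_with_rollback "$CONF" "${2:-/run/nftables.confirmed}" ;;
esac
```

      <para>
        Start it as <command>sh nft-safe-apply.sh apply</command> from one
        session and, once you have verified that a new connection through
        the firewall still works, create the confirmation file from another;
        if you cannot, the old rules come back by themselves when the grace
        period ends.
      </para>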

    </sect3>

    <sect3 id="nftables-init">
      <title><phrase revision="sysv">Boot Script</phrase>
             <phrase revision="systemd">Systemd Unit</phrase></title>

      <para revision="sysv">
        To set up the nftables firewall at boot, install the
        <filename>/etc/rc.d/init.d/nftables</filename> init script included
        in the <xref linkend="bootscripts"/> package.
      </para>

      <para revision="systemd">
        To set up the nftables firewall at boot, install the
        <filename>nftables.service</filename> unit included in the
        <xref linkend="systemd-units"/> package.
      </para>

      <indexterm zone="nftables nftables-init">
        <primary sortas="f-nftables">nftables</primary>
      </indexterm>

<screen role="root"><userinput>make install-nftables</userinput></screen>

    </sect3>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          nft
        </seg>
        <seg>
          libnftables.{a,so}
        </seg>
        <seg>
          /etc/nftables
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="nft">
        <term><filename>nft</filename></term>
        <listitem>
          <para>
            command line interface for the nf_tables subsystem.
          </para>
          <indexterm zone="nftables nft">
            <primary sortas="a-nft">nft</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="libnftables">
        <term><filename class="libraryfile">libnftables.{a,so}</filename></term>
        <listitem>
          <para>
            provides functions for manipulating the nf_tables subsystem.
          </para>
          <indexterm zone="nftables libnftables">
            <primary sortas="c-libnftables">libnftables.so</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>