bpi-r2:network:nftables
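--- a/bpi-r2:network:nftables	2021/03/20 10:27 [hwnat] frank
+++ b/bpi-r2:network:nftables	2023/06/08 17:06 (aktuell) Externe Bearbeitung 127.0.0.1
@@ -1,0 +1,156 @@
+====== NFTables ======
+<
+apt install nftables
+echo 1 > /
+
+nft list ruleset
+nft add table nat
+nft add chain ip nat prerouting { type nat hook prerouting priority 100 \; }
+nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
+nft add rule nat postrouting masquerade
+
+#
+nft add rule nat prerouting iif lan1 tcp dport 443 dnat 192.168.0.10:
+</
+===== einfache Befehle =====
+
+nft flush ruleset #alles löschen
+nft -f flowoffload.nft #
+nft show ruleset #alles anzeigen
+
+===== einfache struktur =====
+
+<
+table ip filter {
+chain input {
+type filter hook input priority 0; policy accept;
+}
+
+chain output {
+type filter hook output priority 0; policy accept;
+}
+
+chain forward {
+type filter hook forward priority 0; policy accept;
+}
+}
+table ip nat {
+chain post {
+type nat hook postrouting priority 0; policy accept;
+oifname "
+}
+
+chain pre {
+type nat hook prerouting priority 0; policy accept;
+}
+}
+</
+===== links =====
+
+* https://
+* https://
+* https://
+* https://
+* https://
+===== hwnat =====
+
+https://
+
+ipv6 mangle crasht noch
+
+für hwnat wird eine neuere version der nftables benötigt als in debian buster angeboten wird
+
+https://
+
+kompiliert: https://
+
+basic IPv4 Ruleset:
+<
+flush ruleset
+table ip filter {
+flowtable f {
+hook ingress priority filter + 1
+devices = { lan3, lan0, wan }
+flags offload;
+}
+chain input {
+type filter hook input priority filter; policy accept;
+}
+
+chain output {
+type filter hook output priority filter; policy accept;
+}
+
+chain forward {
+type filter hook forward priority filter; policy accept;
+ip protocol { tcp, udp } flow add @f
+}
+}
+table ip nat {
+chain post {
+type nat hook postrouting priority filter; policy accept;
+oifname "
+}
+
+chain pre {
+type nat hook prerouting priority filter; policy accept;
+}
+}
+</
+
+basic v6 Ruleset (crash!):
+
+<
+flush ruleset
+table ip6 filter {
+flowtable f {
+hook ingress priority 1
+devices = { lan3, lan0, wan }
+flags offload;
+}
+chain input {
+type filter hook input priority 0; policy accept;
+}
+
+chain output {
+type filter hook output priority 0; policy accept;
+}
+
+chain forward {
+type filter hook forward priority 0; policy accept;
+ip6 nexthdr { tcp, udp } flow add @f
+}
+}
+table ip6 nat {
+chain post {
+type nat hook postrouting priority 0; policy accept;
+oifname "
+}
+
+chain pre {
+type nat hook prerouting priority 0; policy accept;
+}
+}
+</
+
+testen:
+
+nft -f nft-nat-flowoffload.nft
+#vom client traffic generieren
+cat /
+
+IPV6-Setup
+<
+#!/bin/bash
+#on main-router:
+#ip -6 route add fd00:
+#ip -6 route add 2001:
+
+ip -6 addr add fd00:
+ip -6 addr add fd00:
+
+ip -6 addr add 2001:
+ip -6 addr add 2001:
+
+sysctl -w net.ipv6.conf.all.forwarding=1
+</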
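Review bot: Every `chain forward` in the three added rulesets (the "einfache struktur" one and both hwnat rulesets) is `policy accept` with no accept/drop rules in front of it, so once forwarding is switched on (the truncated `echo 1 > /…` line, presumably `ip_forward`, and `sysctl -w net.ipv6.conf.all.forwarding=1`) the board forwards any packet between any of its interfaces — unsolicited traffic from the upstream side reaches the DNAT target `192.168.0.10` and every host behind the `2001:…` prefix added in the IPv6 setup script, and the bare `nft add rule nat postrouting masquerade` carries no `oifname`, so it also rewrites LAN-to-LAN traffic. If this page is meant as a copy-paste starting point it should say so explicitly, or the forward chain should default to drop and only offload/accept connections the filter admitted, roughly as sketched below; the interface names in the fence are taken from the flowtable `devices` list because the `oifname "` lines are cut off in this revision, so they need confirming against the actual setup. Separately, `nft show ruleset` in "einfache Befehle" is not an nft subcommand — the listing command is `nft list ruleset`, as used at the top of the page.

```nft
chain forward {
    type filter hook forward priority filter; policy drop;
    # offload only flows the filter has already admitted
    ct state established,related ip protocol { tcp, udp } flow add @f
    ct state established,related accept
    ct state invalid drop
    # LAN -> WAN; interface names from the flowtable device list, confirm
    iifname { lan0, lan3 } oifname "wan" accept
    # explicit accept for the DNAT target instead of a blanket policy
    ct status dnat ip daddr 192.168.0.10 tcp dport 443 accept
}
```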