Nftables is the Linux kernel subsystem that filters and classifies network packets (IP datagrams and link-layer frames).
It was merged into the Linux kernel in version 3.13.
It can be regarded as the successor of iptables, but its syntax is different. A compatibility layer (the iptables-nft variant of the iptables command) also allows iptables command lines to be translated into nftables rules.
One of its most useful changes is that sets, maps and verdict maps let a single rule express what iptables needs a long list of rules for, so rule sets become much shorter.
The handle parameter is an internal number that identifies a specific rule; handles are shown by nft list with the -a option and are what nft delete rule ... handle <handle> refers to.
The position parameter takes the handle of an existing rule: nft add rule ... position <handle> appends the new rule right after that rule, and nft insert rule ... position <handle> places it right before.
Match expressions

Ip
ip match
dscp <value>
Differentiated Services Code Point (the DS field of the IPv4 header)
ip dscp cs1
ip dscp != cs1
ip dscp 0x38
ip dscp != 0x20
ip dscp { cs0, cs1, cs2, cs3, cs4, cs5, cs6, cs7, af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, ef }
length <length>
Total packet length (the IPv4 total length field, header included)
ip length 232
ip length != 233
ip length 333-435
ip length != 333-453
ip length { 333, 553, 673, 838 }
id <id>
IP ID (the identification field)
ip id 22
ip id != 233
ip id 33-45
ip id != 33-45
ip id { 33, 55, 67, 88 }
frag-off <value>
Fragmentation offset; only meaningful in chains that run before the defragmentation step conntrack relies on (priority below -400), because later chains see reassembled packets
ip frag-off 222
ip frag-off != 233
ip frag-off 33-45
ip frag-off != 33-45
ip frag-off { 33, 55, 67, 88 }
ttl <ttl>
Time to live
ip ttl 0
ip ttl 233
ip ttl 33-55
ip ttl != 45-50
ip ttl { 43, 53, 45 }
ip ttl { 33-55 }
protocol <protocol>
Upper layer protocol of an IPv4 packet; for rules that must also cover IPv6 (inet tables) use meta l4proto instead
ip protocol tcp
ip protocol 6
ip protocol != tcp
ip protocol { icmp, esp, ah, comp, udp, udplite, tcp, dccp, sctp }
checksum <checksum>
IP header checksum
ip checksum 13172
ip checksum 22
ip checksum != 233
ip checksum 33-45
ip checksum != 33-45
ip checksum { 33, 55, 67, 88 }
ip checksum { 33-55 }
saddr <ip source address>
Source address; & (bitwise and) masks the address before the comparison
ip saddr 192.168.2.0/24
ip saddr != 192.168.2.0/24
ip saddr 192.168.3.1 ip daddr 192.168.3.100
ip saddr != 1.1.1.1
ip saddr 1.1.1.1
ip saddr & 0xff == 1
ip saddr & 0.0.0.255 < 0.0.0.127
daddr <ip destination address>
Destination address
ip daddr 192.168.0.1
ip daddr != 192.168.0.1
ip daddr 192.168.0.1-192.168.0.250
ip daddr 10.0.0.0-10.255.255.255
ip daddr 172.16.0.0-172.31.255.255
ip daddr 192.168.3.1-192.168.4.250
ip daddr != 192.168.0.1-192.168.0.250
ip daddr { 192.168.0.1-192.168.0.250 }
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }

Udplite
udplite match
sport <source port>
Source port; dport takes the same forms, as do the tcp, udp, sctp and dccp port matches
udplite sport 22
udplite sport != 33-45
udplite sport { 33, 55, 67, 88 }
udplite sport { 33-55 }
udplite sport vmap { 25 : accept, 28 : drop }
udplite sport 1024 udplite dport 22
(port matches of two different transport protocols in one rule, such as udplite sport together with tcp dport, can never match the same packet)

Ct
ct match
state <state>
State of the connection as seen by conntrack; the numeric form uses the bit values invalid 1, established 2, related 4, new 8 and untracked 0x40, so ct state 8 is the same as ct state new
ct state { new, established, related, untracked }
ct state != related
ct state established
ct state 8
direction <value>
Direction of the packet relative to the connection
ct direction original
ct direction != original
ct direction {reply, original}
status <status>
Status of the connection
ct status expected
ct status != expected
ct status {expected,seen-reply,assured,confirmed,snat,dnat,dying}
mark [set]
Connection (conntrack) mark; and/or/xor apply a bitwise operation before the comparison. With set, the value or expression is stored in the conntrack entry and so applies to every later packet of the connection; ct mark set mark copies the packet mark into the connection
ct mark 0
ct mark or 0x23 == 0x11
ct mark or 0x3 != 0x1
ct mark and 0x23 == 0x11
ct mark and 0x3 != 0x1
ct mark xor 0x23 == 0x11
ct mark xor 0x3 != 0x1
ct mark 0x00000032
ct mark != 0x00000032
ct mark 0x00000032-0x00000045
ct mark != 0x00000032-0x00000045
ct mark { 0x32, 0x2222, 0x42de3 }
ct mark { 0x32-0x2222, 0x4444-0x42de3 }
ct mark set 0x11 xor 0x1331
ct mark set 0x11333 and 0x11
ct mark set 0x12 or 0x11
ct mark set 0x11
ct mark set mark
ct mark set mark map { 1 : 10, 2 : 20, 3 : 30 }
[original | reply] saddr <ip source address>
Source address of the original or reply direction tuple (original is the direction in which the connection was initiated)
ct original saddr 192.168.0.1
ct reply saddr 192.168.0.1
ct original saddr 192.168.1.0/24
ct reply saddr 192.168.1.0/24
[original | reply] daddr <ip destination address>
Destination address of the original or reply direction tuple
ct original daddr 192.168.0.1
ct reply daddr 192.168.0.1
ct original daddr 192.168.1.0/24
ct reply daddr 192.168.1.0/24
[original | reply] l3proto <protocol>
Layer 3 protocol of the tuple
ct original l3proto ipv4
[original | reply] protocol <protocol>
Layer 4 protocol of the tuple
ct original protocol 6
[original | reply] proto-dst <port>
Layer 4 destination port of the tuple
ct original proto-dst 22
[original | reply] proto-src <port>
Layer 4 source port of the tuple
ct reply proto-src 53

Meta
meta match
iifname <input interface name>
Input interface name, compared as a string at run time; a trailing * is a wildcard
meta iifname "eth0"
meta iifname != "eth0"
meta iifname { "eth0", "lo" }
meta iifname "eth*"
oifname <output interface name>
Output interface name, compared as a string at run time; a trailing * is a wildcard
meta oifname "eth0"
meta oifname != "eth0"
meta oifname { "eth0", "lo" }
meta oifname "eth*"
iif <input interface index>
Input interface index; a name given here is resolved to its index when the rule is loaded, so the interface must exist at load time, and an interface that is deleted and re-created (a tunnel, a bridge) gets a new index that the rule no longer matches. Use iifname for such interfaces
meta iif eth0
meta iif != eth0
oif <output interface index>
Output interface index; the same load-time resolution caveat as for iif applies
meta oif lo
meta oif != lo
meta oif { eth0, lo }
iiftype <input interface type>
Input interface type
meta iiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
meta iiftype != ether
meta iiftype ether
oiftype <output interface type>
Output interface hardware type
meta oiftype {ether, ppp, ipip, ipip6, loopback, sit, ipgre}
meta oiftype != ether
meta oiftype ether
length <length>
Length of the packet in bytes
meta length 1000
meta length != 1000
meta length > 1000
meta length 33-45
meta length != 33-45
meta length { 33, 55, 67, 88 }
meta length { 33-55, 67-88 }
protocol <protocol>
EtherType of the packet
meta protocol ip
meta protocol != ip
meta protocol { ip, arp, ip6, vlan }
nfproto <protocol>
Netfilter protocol family of the packet; useful in inet tables, which see both IPv4 and IPv6
meta nfproto ipv4
meta nfproto != ipv6
meta nfproto { ipv4, ipv6 }
l4proto <protocol>
Layer 4 protocol number, for both IPv4 and IPv6 (it skips IPv6 extension headers); the family-independent form of ip protocol
meta l4proto 22
meta l4proto != 233
meta l4proto 33-45
meta l4proto { 33, 55, 67, 88 }
meta l4proto { 33-55 }
mark [set] <mark>
Packet mark (fwmark), also visible to policy routing (ip rule fwmark); with set, the value or expression is written to the packet
meta mark 0x4
meta mark 0x00000032
meta mark and 0x03 == 0x01
meta mark and 0x03 != 0x01
meta mark != 0x10
meta mark or 0x03 == 0x01
meta mark or 0x03 != 0x01
meta mark xor 0x03 == 0x01
meta mark xor 0x03 != 0x01
meta mark set 0xffffffc8 xor 0x16
meta mark set 0x16 and 0x16
meta mark set 0xffffffe9 or 0x16
meta mark set 0xffffffde and 0x16
meta mark set 0x32 or 0xfffff
meta mark set 0xfffe xor 0x16
skuid <user id>
UID of the user owning the socket the packet comes from; only locally generated packets have a socket, so use it in the output hook (names are resolved through /etc/passwd when the rule is loaded)
meta skuid { bin, root, daemon }
meta skuid root
meta skuid != root
meta skuid lt 3000
meta skuid gt 3000
meta skuid eq 3000
meta skuid 3001-3005
meta skuid != 2001-2005
meta skuid { 2001-2005 }
skgid <group id>
GID of the group owning the socket the packet comes from; like skuid, only for locally generated packets (names are resolved through /etc/group when the rule is loaded)
meta skgid { bin, root, daemon }
meta skgid root
meta skgid != root
meta skgid lt 3000
meta skgid gt 3000
meta skgid eq 3000
meta skgid 3001-3005
meta skgid != 2001-2005
meta skgid { 2001-2005 }
rtclassid <class>
Routing realm of the packet's route (names come from /etc/iproute2/rt_realms; cosmos is realm 0)
meta rtclassid cosmos
pkttype <type>
Packet type
meta pkttype broadcast
meta pkttype != broadcast
meta pkttype { broadcast, unicast, multicast}
cpu <cpu index>
CPU ID
meta cpu 1
meta cpu != 1
meta cpu 1-3
meta cpu != 1-2
meta cpu { 2, 3 }
meta cpu { 2-3, 5-7 }
iifgroup <input group>
Input interface group (set with ip link set <dev> group <n>; group 0 is named default)
meta iifgroup 0
meta iifgroup != 0
meta iifgroup default
meta iifgroup != default
meta iifgroup { default }
meta iifgroup { 11, 33 }
meta iifgroup { 11-33 }
oifgroup <group>
Output interface group (group 0 is named default)
meta oifgroup 0
meta oifgroup != 0
meta oifgroup default
meta oifgroup != default
meta oifgroup { default }
meta oifgroup { 11, 33 }
meta oifgroup { 11-33 }
cgroup <group>
Control group of the originating socket, given as the cgroup v1 net_cls classid (1048577 is 0x100001, i.e. major 1, minor 1); like skuid it only applies to locally generated packets
meta cgroup 1048577
meta cgroup != 1048577
meta cgroup { 1048577, 1048578 }
meta cgroup 1048577-1048578
meta cgroup != 1048577-1048578
meta cgroup { 1048577-1048578 }
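The following ruleset is an added example, not code from the original post: it puts the ip, port, ct and meta expressions from the reference above to work in one host firewall. The interface name wan0, the address ranges, the service ports, the ct mark values and the group id 1001 are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the original post: a host firewall that uses
# the ip, port, ct and meta expressions from the reference above together.
# The interface name wan0, the address ranges, the ports, the ct mark values
# and the group id 1001 are assumptions for the example.
flush ruleset

table ip filter {
    # Constructed sample data: source ranges that must never arrive from the
    # public side (private, loopback, link-local and multicast space).
    set bogons {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
    }

    # Constructed sample data: networks allowed to open SSH sessions.
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 192.168.100.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # iif compares the interface index resolved at load time; fine for lo,
        # which always exists and never changes its index.
        iif lo accept

        # iifname compares the name string at run time, so these rules survive
        # wan0 being deleted and re-created with a new index.
        iifname "wan0" ip saddr @bogons drop
        iifname "wan0" meta pkttype { broadcast, multicast } drop

        # Conntrack decides for everything that is not a new flow.
        ct state invalid drop
        ct state established,related accept

        # New TCP flows get a connection mark keyed by destination port; the
        # map lookup fails (and sets nothing) for ports that are not listed.
        ct state new ct mark set tcp dport map { 22 : 0x10, 80 : 0x20, 443 : 0x20 }

        # The mark, not the port, now drives the decision: SSH (0x10) only
        # from the admin networks, web (0x20) from anywhere, DNS and a few
        # ICMP types explicitly; everything else falls to the drop policy.
        ct mark 0x10 ip saddr @admin_nets accept
        ct mark 0x20 accept
        ct state new udp dport 53 accept
        icmp type { echo-request, destination-unreachable, time-exceeded } accept
    }

    chain output {
        type filter hook output priority 0; policy accept;

        # Replies of connections marked above: copy the ct mark to the packet
        # mark so that policy routing (ip rule fwmark) can pick the return
        # route. Packets in the original direction are left untouched.
        ct direction reply meta mark set ct mark

        # Socket-owner egress control: outbound SSH may only be opened by root
        # or by the group with gid 1001 (an assumed backup group). skuid and
        # skgid are only defined for locally generated packets, hence output.
        ct state new tcp dport 22 meta skuid != root meta skgid != 1001 drop
    }
}
```

Check the file with nft -c -f host-firewall.nft before loading it with nft -f; the check catches syntax errors and unresolvable names (for example a gid or interface that does not exist on the host) without touching the running ruleset.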

Statements
A statement is the action performed when a packet matches a rule. Statements are either terminal or non-terminal: a rule may contain several non-terminal statements (such as log or mark set) but only one terminal statement, the verdict, which ends the rule.
Verdict statements alter the control flow in the ruleset and issue policy decisions for packets.
accept: Accept the packet and stop the evaluation of the remaining rules.
drop: Drop the packet and stop the evaluation of the remaining rules.
queue: Queue the packet to userspace (nfnetlink_queue) and stop the evaluation of the remaining rules; the userspace program issues the final verdict.
continue: Continue the ruleset evaluation with the next rule.
return: Return from the current chain and continue at the rule following the jump in the calling chain. In a base chain (no caller) it is equivalent to the chain's policy, which is accept unless the chain was declared with a different policy.
jump <chain>: Continue at the first rule of <chain>. The current position is pushed on the call stack, so when <chain> issues a return (or its last rule is evaluated without a verdict) evaluation resumes at the rule after the jump.
goto <chain>: Like jump, but the current position is not pushed on the call stack: when <chain> finishes, evaluation does not come back to the chain containing the goto but continues where that chain itself would have returned to (for a base chain, its policy).

Log
log statement
[level <level>] [group <value> [queue-threshold <value>] [snaplen <value>]] [prefix "<prefix>"]
Without group the message goes to the kernel log (dmesg, journalctl) at the given syslog level. With group <value> a copy of the packet is sent to nflog group <value> for a userspace logger such as ulogd; snaplen (bytes of the packet to copy) and queue-threshold (packets to collect in the kernel before delivery) apply only to that form. log is non-terminal: evaluation continues with the next statement or rule.
log prefix "aaaaa-aaaaaa" group 2 snaplen 33
log group 2 queue-threshold 2
log group 2 snaplen 33

Reject
reject statement
with <protocol> type <type>
Drop the packet and send an error back to the sender. A bare reject sends ICMP port-unreachable (ICMPv6 port-unreachable for IPv6). icmp types are for ip tables, icmpv6 types for ip6 tables, and icmpx types for inet tables, where the kernel picks the ICMP or ICMPv6 message that matches the packet's family. tcp reset can only be generated for TCP packets, so the rule must match TCP (as in the example below). Like drop, reject is terminal.
reject
reject with icmp type host-unreachable
reject with icmp type net-unreachable
reject with icmp type prot-unreachable
reject with icmp type port-unreachable
reject with icmp type net-prohibited
reject with icmp type host-prohibited
reject with icmp type admin-prohibited
reject with icmpv6 type no-route
reject with icmpv6 type admin-prohibited
reject with icmpv6 type addr-unreachable
reject with icmpv6 type port-unreachable
ip protocol tcp reject with tcp reset
reject with icmpx type host-unreachable
reject with icmpx type no-route
reject with icmpx type admin-prohibited
reject with icmpx type port-unreachable
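The following ruleset is an added example, not code from the original post: it shows the verdict statements (jump, goto, return and the base chain policy), both forms of log and the reject variants from the reference above working together. The blocklist range, the service ports and the nflog group number 2 are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not code from the original post: the verdict, log and reject
# statements from the reference above in one ruleset. The blocklist range,
# the ports and the nflog group number 2 are assumptions for the example.
flush ruleset

table inet filter {
    # Constructed sample data (TEST-NET-2 documentation range).
    set blocklist {
        type ipv4_addr
        flags interval
        elements = { 198.51.100.0/24 }
    }

    # Regular chain entered with jump: "return" (or running off the end)
    # resumes at the rule after the jump in the calling chain.
    chain check_source {
        # log is non-terminal, so the drop after it still runs; a copy of the
        # packet goes to nflog group 2 for a userspace logger such as ulogd.
        ip saddr @blocklist log prefix "blocklisted-src " group 2 drop
        return
    }

    # Regular chain entered with goto: nothing after the goto in the caller
    # is evaluated again. If no rule here gives a verdict, the base chain's
    # policy applies, so the closed-port cases below end with an explicit one.
    chain services {
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
        udp dport 53 accept
        # Answer closed ports instead of letting the peer time out: a TCP RST
        # for TCP (the rule must match TCP for "tcp reset" to be valid), and
        # a family-independent ICMP/ICMPv6 error for everything else, which
        # is what icmpx is for in an inet table.
        meta l4proto tcp reject with tcp reset
        reject with icmpx type port-unreachable
    }

    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept
        iif lo accept

        # Push the current position and run check_source; evaluation comes
        # back here unless check_source dropped the packet.
        jump check_source

        # New flows leave this chain for good (goto keeps no return address).
        ct state new goto services

        # Only untracked packets (no conntrack entry at all) reach this rule.
        # Kernel-log form of log with a syslog level; no verdict follows, so
        # the packet continues to the chain's drop policy.
        log prefix "input-unexpected " level warn
    }
}
```

With this layout a change to the service list touches only the services chain, and the blocklist can be updated with nft add element inet filter blocklist { ... } without reloading the rules; nft -c -f verifies the file before it is loaded.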