I seem to have made nftables log all allowed incoming traffic rather than only the rejected traffic, and I can't figure out how to say "reject and log everything else".
Here is my /etc/nftables.conf file:
    #!/usr/sbin/nft -f
    flush ruleset
    table inet filter {
        chain input {
            type filter hook input priority 0;
            # Accept any localhost traffic
            iif lo accept
            # Accept traffic originated from us
            ct state established,related accept
            # Accept neighbour discovery otherwise IPv6 connectivity breaks
            ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
            # Allow incoming SSH connections
            tcp dport ssh ct state new counter accept
            # Allow mdns from the LAN
            ip saddr 192.168.1.0/24 udp dport mdns counter accept
            ip6 saddr fe80::/10 udp dport mdns counter accept
            ip saddr 192.168.1.0/24 log prefix "Rejected: " flags all reject comment "send rejection to LAN only"
            ip6 saddr fe80::/10 log prefix "Rejected: " flags all reject comment "send rejection to LAN only"
            # Log and drop any other traffic
            # THIS IS THE BROKEN PART
            log prefix "Dropped: " flags all drop
        }
        chain forward {
            type filter hook forward priority 0;
        }
        chain output {
            type filter hook output priority 0;
        }
    }
Answer 1
I think you missed the part about the chain's default policy. From the manual:
    {add | create} chain [family] table chain [{ type type hook hook [device device] priority priority ; [policy policy ;] }]
The policy value mentioned here is described as follows:
Base chains also allow setting the chain's policy, i.e. what happens to packets that are not explicitly accepted or refused by the contained rules. Supported policy values are accept (the default) or drop.
So I think you'll want to switch these lines:
    chain input {
        type filter hook input priority 0;
for these:
    chain input {
        type filter hook input priority 0;
        policy drop;
But make sure you have some way of reaching the machine in case the rules lock you out. For iptables the command to use is iptables-apply, but I'm not sure what can be used instead for nft. iptables-apply reverts the rules if you can't confirm within a given timeout that you are (still) able to reach the host...
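The answer above leaves open what to use in place of iptables-apply. The script below is an added example, not something from the question or either answer, that gives nft the same safety net: it checks the new file without loading it, saves the live ruleset, loads the new one, and restores the saved ruleset unless a confirmation file is created (for instance from a second SSH session) before the timeout expires. It assumes it runs as root with a reasonably recent nft; the three nft invocations it relies on are real CLI features (nft -c -f FILE checks a file without loading it, nft list ruleset dumps the live ruleset, and nft -f - reads a ruleset from stdin). The NFT variable, the function names and the confirmation-file mechanism are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the page): load an nftables ruleset, then roll back
# to the previous one unless the operator confirms within a timeout. This is
# the nft counterpart of what iptables-apply does for iptables.
# Assumes root. NFT can be overridden (used here only so the logic can be
# exercised without touching a real firewall); everything else is nft's CLI.
set -u
NFT=${NFT:-nft}

# Save the live ruleset to the file named in $1.
backup_ruleset() {
    "$NFT" list ruleset > "$1"
}

# Restore a ruleset saved by backup_ruleset. 'nft list ruleset' output does
# not begin with 'flush ruleset', so prepend it, or the old and new rules
# would be merged instead of replaced.
restore_ruleset() {
    { echo "flush ruleset"; cat "$1"; } | "$NFT" -f -
}

# Wait up to $1 seconds for the confirmation file $2 to appear.
# Returns 0 when confirmed, 1 on timeout.
wait_for_confirm() {
    secs=$1; file=$2
    while [ "$secs" -gt 0 ]; do
        [ -e "$file" ] && return 0
        sleep 1
        secs=$((secs - 1))
    done
    return 1
}

# apply_with_rollback RULES_FILE TIMEOUT_SECONDS CONFIRM_FILE
# Returns 0 if the new ruleset was kept, 1 if it was rolled back,
# 2 if the file failed the check or could not be applied.
apply_with_rollback() {
    rules=$1; timeout=$2; confirm=$3
    backup=$(mktemp) || return 2
    # A stale confirmation file must not auto-confirm this run.
    rm -f "$confirm"
    # 1. Refuse to touch the live ruleset if the file does not even parse.
    if ! "$NFT" -c -f "$rules"; then
        echo "check failed, nothing applied" >&2
        rm -f "$backup"; return 2
    fi
    # 2. Keep a copy of what is running now.
    backup_ruleset "$backup" || { rm -f "$backup"; return 2; }
    # 3. Load the new rules.
    "$NFT" -f "$rules" || { rm -f "$backup"; return 2; }
    echo "new ruleset loaded; create $confirm within ${timeout}s to keep it" >&2
    # 4. Roll back unless the operator confirms connectivity is still fine.
    if wait_for_confirm "$timeout" "$confirm"; then
        rm -f "$backup" "$confirm"; return 0
    fi
    echo "no confirmation, restoring previous ruleset" >&2
    restore_ruleset "$backup"
    rm -f "$backup"; return 1
}

# Usage (as root), e.g. from one SSH session:
#   apply_with_rollback /etc/nftables.conf 60 /run/nft-confirm
# then, from a second SSH session that still works:
#   touch /run/nft-confirm
```

Start the script in one session and confirm from a second one; if the second session can no longer connect, simply wait and the previous ruleset comes back on its own. The rollback restores whatever nft list ruleset printed, so the saved copy is the full live ruleset, not only the file you were editing.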
Answer 2
I ended up solving this by jumping to a separate chain for the LAN-only rules, so that there is only one log line in the input chain. I'm not sure why just adding policy drop to the input chain, as @0xC0000022L suggested, wasn't enough.
    #!/usr/sbin/nft --file
    flush ruleset
    table inet filter {
        chain input {
            type filter hook input priority 0
            policy drop
            # Normal "prelude" things you always want.
            ct state vmap {
                new: continue,
                established: accept,
                related: accept,
                invalid: drop
            }
            ct status dnat accept
            iiftype loopback accept
            icmp type echo-request accept
            icmpv6 type {
                echo-request,
                nd-neighbor-solicit,
                nd-router-advert,
                nd-neighbor-advert
            } accept
            tcp dport ssh accept comment "Allow incoming SSH connections"
            ip saddr 192.168.1.0/24 jump lan_only
            ip6 saddr fe80::/10 jump lan_only
            log prefix "Dropped: " flags all drop comment "non-LAN gets dropped brusquely"
        }
        chain lan_only {
            udp dport mdns counter accept comment "Allow mdns from the LAN"
            log prefix "Rejected: " flags all reject comment "LAN gets rejected politely (others get dropped brusquely)"
        }
        chain forward {
            type filter hook forward priority 0
        }
        chain output {
            type filter hook output priority 0
        }
    }
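Both rulesets on this page write "Dropped: " and "Rejected: " lines to the kernel log (visible with dmesg or journalctl -k), and with flags all each line carries the full header field list in the same KEY=VALUE layout the iptables LOG target uses. The script below is an added example, not part of either answer, that turns those lines into something reviewable: one function counts hits per source, protocol and destination port for a given prefix, and a second lists sources that hit many distinct ports, which is the pattern a defender usually wants flagged first. The log lines embedded in it are constructed sample data using documentation addresses, not real traffic, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the page): summarise the "Dropped: "/"Rejected: "
# lines that the nft 'log prefix ... flags all' rules write to the kernel log.
# Real input would come from: journalctl -k --no-pager | fw_log_summary Dropped

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG='Mar 10 10:00:01 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:02 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:03 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=51236 DPT=3389 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:04 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1237 DF PROTO=TCP SPT=51237 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 10:00:05 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2000 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 10:00:06 host kernel: Dropped: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=3000 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Mar 10 10:00:07 host kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.42 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4000 DF PROTO=TCP SPT=52000 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 10:00:08 host kernel: Rejected: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.42 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4001 DF PROTO=TCP SPT=52001 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0'

# fw_log_summary PREFIX   (PREFIX is Dropped or Rejected; log on stdin)
# Prints "COUNT SRC PROTO DPT" per distinct combination, busiest first.
# Lines without a DPT (e.g. ICMP) show "-" in the port column.
fw_log_summary() {
    awk -v want="$1:" '
        index($0, want " IN=") {
            src = "-"; proto = "-"; dpt = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            count[src " " proto " " dpt]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# fw_log_scan_suspects PREFIX MIN_PORTS   (log on stdin)
# Prints "SRC NPORTS" for sources that reached at least MIN_PORTS distinct
# destination ports, i.e. the sources worth looking at first.
fw_log_scan_suspects() {
    awk -v want="$1:" -v min="$2" '
        index($0, want " IN=") {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' | sort
}

# Demo on the constructed sample (replace with journalctl -k output in use).
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary Dropped
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary Rejected
printf '%s\n' "$SAMPLE_LOG" | fw_log_scan_suspects Dropped 3
```

Because the two prefixes are distinct, the Rejected summary shows only LAN hosts (the only ones the rulesets reject rather than drop), which makes it a quick check that the LAN-only split is actually doing what the comments in the config claim.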