How do I configure nftables to allow only inbound IPsec traffic and apply rules after decryption? I have this nftables.conf:
#!/sbin/nft -f
flush ruleset

# ----- IPv4 -----
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp icmp type echo-request counter accept comment "accept ICMP echo-request types"
        # Accept SSH incoming traffic
        tcp dport ssh counter accept comment "accept SSH"
        # Accept IPsec traffic
        udp dport { isakmp, ipsec-nat-t } counter accept comment "accept ISAKMP and IPsec NAT traversal"
        ip protocol { ah, esp } counter accept comment "accept AH and ESP"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

# ----- IPv6 -----
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
IPsec is configured with StrongSwan. Ping works after adding this rule:

    ip protocol icmp icmp type echo-request counter accept comment "accept ICMP echo-request types"
Answer 1

After ESP decapsulation the firewall rules are automatically run again over the decrypted packet, so you don't need anything special for that.

Use the following match to filter protected (decrypted) inbound packets:

    meta ipsec exists      on recent versions (nft >= 0.9.1)
    meta secpath exists    on older versions (Linux >= 4.15, nft >= 0.8.2)

For example:

    tcp dport 3306 meta ipsec exists accept
    tcp dport 3306 reject

The inverse:

    meta ipsec missing drop

Also, don't create separate ip/ip6 filter tables; you're just duplicating the work that has to be done. (For example, you currently forgot to allow SSH and ESP over IPv6...) Just put everything in a single inet table: rules that filter by IP address automatically apply to the correct protocol, and rules that don't filter by IP address apply to both.
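Putting the answer's two points together, here is an added example (not from the question or the answer) that merges the questioner's ip and ip6 tables into one inet table and adds a post-decryption policy with meta ipsec exists (nft >= 0.9.1). Port 3306 is taken from the answer's example; the ICMPv6 neighbour-discovery line is an assumption added because an IPv6 host behind a drop policy cannot resolve neighbours without it.

```nft
#!/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid counter drop comment "early drop of invalid packets"
        ct state { established, related } counter accept comment "accept replies to our own connections"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.0/8 counter drop comment "drop IPv4 loopback traffic not from lo"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop IPv6 loopback traffic not from lo"

        # ICMP echo on both families; the ICMPv6 ND types are assumed necessary for IPv6 to work at all
        icmp type echo-request counter accept comment "accept IPv4 echo-request"
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request } counter accept comment "accept ICMPv6 ND and echo-request"

        # Management: one rule now covers SSH over IPv4 and IPv6 (the ip6 table in the question had no SSH rule)
        tcp dport ssh counter accept comment "accept SSH"

        # IPsec control and data plane, both families: IKE, NAT-T, AH, ESP
        udp dport { isakmp, ipsec-nat-t } counter accept comment "accept IKE and NAT traversal"
        meta l4proto { ah, esp } counter accept comment "accept AH and ESP (still-encrypted packets)"

        # Post-decryption policy: the decrypted inner packet traverses this hook a second time,
        # and only on that pass does "meta ipsec exists" match, so cleartext 3306 is refused
        tcp dport 3306 meta ipsec exists counter accept comment "3306 only through the IPsec tunnel"
        tcp dport 3306 counter reject comment "3306 in the clear is refused"

        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
```

Load it with nft -f and check nft list ruleset: the counter on the "meta ipsec exists" rule should only increase for packets that arrived inside ESP, while a cleartext connection to 3306 hits the reject rule.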