使用 NFT 远程应用安全规则

使用 NFT 远程应用安全规则

如果您有经验,能否请您告知如何在 Linux 上安全地远程应用防火墙规则NFT

特别是在 Debian 上,我们很长一段时间iptables-apply(8)都使用安全地应用远程防火墙规则,以避免在规则出现某些错误时将自己锁定。截至目前,最新的 Debian 版本附带了,nftables而不是iptables,官方建议是开始使用新工具nft。我知道有一个包装器可以iptables动态转换旧样式规则,但它到处都建议不要将旧样式与新样式混合,所以我们最终决定将所有规则切换为新的(pf有点)样式,但我们仍然是人类并且不会在规则错误的情况下锁定远程服务器,那么很快,是否有一些程序可以执行与iptables-apply但使用相同的操作nft

由于某种原因,谷歌和必应都将其保密,因此如果有人能指出一条通往真相的道路,我将不胜感激。

PS 我半个月前在超级用户上问过同样的问题,但没有人找到任何解决方案,所以我很抱歉交叉发帖,但半个月等待一个资源我的事情足以有时间在这里问它......

答案1

iptables-apply 是一个非常基本的 bash 脚本,我确信您可以对其进行编辑以使其与 nft 兼容。如果你这样做了,如果你在某个地方发布它那就太好了。

答案2

这是我对 iptables-apply for nftables 所做的免费改编:

#!/usr/bin/env bash
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by the
# Free Software Foundation, either version 3 of the License, or (at your
# option) any later version.  Please see LICENSE.txt at the top level of
# the source code distribution for details.
#
# @package nftables-apply
# @author <[email protected]>
# @link https://github.com/fbouynot/scripts/blob/main/nftables-apply
# @copyright <[email protected]>
#
# Free adaptation for nftables of iptables-apply (https://github.com/wertarbyte/iptables/blob/master/iptables-apply)
#

# -e: When a command fails, bash exits instead of continuing with the rest of the script
# -u: This will make the script fail, when accessing an unset variable
# -o pipefail: This will ensure that a pipeline command is treated as failed, even if one command in the pipeline fails
set -euo pipefail

# Replace the Internal Field Separator ' \n\t' by '\n\t' so you can loop through names with spaces 
IFS=$'\n\t'

# Enable debug mode by running your script as TRACE=1 ./script.sh instead of ./script.sh
if [[ "${TRACE-0}" == "1" ]]
then
    set -o xtrace
fi

# Define constants
PROGNAME="${0##*/}"
VERSION='1.2.4'
RED="$(tput setaf 1)"
NC="$(tput sgr0)" # No Color

DEFAULT_TIMEOUT=15
DEFAULT_DESTINATION_FILE='/etc/nftables.conf'
DEFAULT_SOURCE_FILE='/etc/nftables-candidate.conf'

readonly PROGNAME VERSION RED NC DEFAULT_TIMEOUT DEFAULT_DESTINATION_FILE DEFAULT_SOURCE_FILE

help() {
    cat << EOF
Usage: ${PROGNAME} [-Vh] [ { -s | --source-file } <source-file> ] [ { -d | --destination-file } <destination-file> ] [ { -t | --timeout } <timeout> ]
-h    --help                                                     Print this message.
-V    --version                                                  Print the version.
-s    --source-file        STRING                                The source file for candidate config.           (default: ${DEFAULT_SOURCE_FILE})
-d    --destination-file   STRING                                The destination file where to write the config. (default: ${DEFAULT_DESTINATION_FILE})
-t    --timeout            INT                                   The time to wait before rolling back.           (default: ${DEFAULT_TIMEOUT})
EOF

    exit 2
}

version() {
    cat << EOF
${PROGNAME} version ${VERSION} under GPLv3 licence.
EOF

    exit 2
}

# Deal with arguments
while [[ $# -gt 1 ]]
do
    key="${1}"

    case $key in
        -h|--help)
            help
            ;;
        -s|--source-file)
            export source_file="${2}"
            shift # consume -s
            ;;
        -d|--destination-file)
            export destination_file="${2}"
            shift # consume -d
            ;;
        -t|--timeout)
            export timeout="${2}"
            shift # consume -t
            ;;
        -V|--version)
            version
            ;;
        *)
        ;;
    esac
    shift # consume $1
done

# Set defaults if no options specified
source_file="${source_file:-$DEFAULT_SOURCE_FILE}"
destination_file="${destination_file:-$DEFAULT_DESTINATION_FILE}"
timeout="${timeout:-$DEFAULT_TIMEOUT}"

# Change directory to base script directory
cd "$(dirname "${0}")"

# Check root permissions
check_root() {
    # Check the command is run as root
    if [ "${EUID}" -ne 0 ]
    then
        echo -e "${RED}E:${NC} please run as root" >&2
        exit 3
    fi

    return 0
}

restore() {
    nft flush ruleset
    nft -f /tmp/nftables.conf.bak
    rm -f /tmp/nftables.conf.bak

    # Start fail2ban
    if systemctl is-enabled fail2ban > /dev/null 2>&1
    then
        systemctl start fail2ban 2>/dev/null
    fi

    return 0
}

save() {
    cp "${source_file}" "${destination_file}"
    echo -e "\nConfiguration changed"

    return 0
}

# Main function
main() {
    # Check the command is run as root
    check_root

    # Check if we can read the destination file
    if [[ ! -r "${destination_file}" ]]
    then
        echo -e "${RED}E:${NC} cannot read ${destination_file}" >&2
        exit 4
    fi

    # Backup current ruleset
    nft list ruleset > /tmp/nftables.conf.bak

    # Check if we can read the source file
    if [[ ! -r "${source_file}" ]]
    then
        echo -e "${RED}E:${NC} cannot read ${source_file}" >&2
        exit 5
    fi

    # Dry run new ruleset, exit if failures
    nft -f "${source_file}" || (echo -e "${RED}E:${NC} Invalid rules, exiting" >&2 && exit 6)

    # Check the candidate configuration starts by flushing ruleset
    if [[ $(head -n 1 /etc/nftables-candidate.conf) != "flush ruleset" ]]
    then
        sed -i '1s/^/flush ruleset\n/' "${source_file}"
    fi

    # Stop fail2ban
    if systemctl is-active fail2ban > /dev/null 2>&1
    then
        systemctl stop fail2ban 2>/dev/null
    fi

    # Apply new ruleset, rollback if timeout
    timeout "${timeout}"s nft -f "${source_file}" || (echo -e "${RED}E:${NC} timeout while applying new configuration, rolling back to the previous ruleset" >&2 && restore && exit 7)

    # Ask the user if they can open a new connection
    # If they can't, rollback
    # If they can, save
    echo -n "Can you establish NEW connections to the machine? (y/N) "
    read -r -n1 -t "${timeout}" answer 2>&1 || :
    if [[ "${answer}" == "y" ]]
    then
        save
    else
        echo -e "\n${RED}E:${NC} rolling back to the previous ruleset" >&2
        restore
        exit 8
    fi
    rm -f /tmp/nftables.conf.bak

    # Start fail2ban
    if systemctl is-enabled fail2ban > /dev/null 2>&1
    then
        systemctl start fail2ban 2>/dev/null
    fi

    exit 0
}

main "$@"

要点链接

相关内容