I have a Debian 11 server on which I run Qemu/KVM virtual machines created with the Qemu command. The server has a bridge device named br0, and the VM has a TAP device named vm0.
I want to create an nft ruleset to prevent MAC/IP spoofing.
I tried the following, but it has no effect, i.e. when I change the MAC address with the macchanger tool the packets are not dropped:
nft add table bridge filter
nft add chain bridge filter forward \{ type filter hook forward priority filter \; policy accept \;}
nft add rule bridge filter forward iifname vm0 ether type ip ether saddr != <MAC_ADDR_ALLOWED> ether type ip ip saddr != <IP_ADDR_ALLOWED> drop
The output of nft list ruleset is as follows:
table bridge filter {
chain forward {
type filter hook forward priority filter; policy accept;
iifname "vm0" ether type ip ether saddr != <MAC_ADDR_ALLOWED> ip <IP_ADDR_ALLOWED> drop
}
}
I think I am doing something wrong; any help is appreciated.
Question: how do I create a working rule?
Thanks in advance.
Answer 1
The correct way to implement it is as follows:
nft add table bridge filter
nft add chain bridge filter forward '{ type filter hook forward priority filter; policy accept }'
nft add chain bridge filter allowed-mac
nft add rule bridge filter forward iifname "vm0" ether type ip jump allowed-mac
nft add rule bridge filter allowed-mac ether type ip ether saddr <MAC_ADDR_ALLOWED> ip saddr <IP_ADDR_ALLOWED> accept
nft add rule bridge filter allowed-mac drop
The output is as follows:
nft list ruleset
table bridge filter {
chain forward {
type filter hook forward priority filter; policy accept;
iifname "vm0" ether type ip jump allowed-mac
}
chain allowed-mac {
ether saddr <MAC_ADDR_ALLOWED> ip saddr <IP_ADDR_ALLOWED> accept
drop
}
}
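The reason the question's rule never fires is visible once the match semantics are spelled out: nft ANDs the two negated matches, so `ether saddr != MAC ip saddr != IP drop` only drops a frame whose MAC and IP are both wrong, and a VM that spoofs just its MAC (the macchanger case) still matches the allowed IP and passes. The answer inverts the logic: accept the one allowed (MAC, IP) pair, then drop everything else. The following Python models both rulesets against sample frames and renders the answer's structure as an `nft -f` file for several TAP interfaces. It is an added example, not code from the question or the answer; the interface names, MAC addresses and IP addresses are constructed sample values, and the optional ARP rules (`arp saddr ether` / `arp saddr ip`) go beyond the answer, which only inspects `ether type ip` frames.

```python
"""Model of the two nftables rulesets from the post above and a generator for
the answer's layout. Added example; not from the original question or answer.
Interface names, MAC addresses and IP addresses are constructed sample values."""
from dataclasses import dataclass

# Constructed: each TAP interface with the single (MAC, IP) pair it may send from.
ALLOWED = {
    "vm0": ("52:54:00:aa:bb:01", "192.0.2.10"),
    "vm1": ("52:54:00:aa:bb:02", "192.0.2.11"),
}


@dataclass(frozen=True)
class Frame:
    """The fields of a forwarded frame that the bridge rules look at."""
    iif: str   # ingress interface (iifname)
    mac: str   # ether saddr
    ip: str    # ip saddr (or arp saddr ip for ARP frames)


def question_rule_drops(frame: Frame, allowed: dict = ALLOWED) -> bool:
    """The question's single rule:
         ether saddr != MAC ip saddr != IP drop
    nft ANDs the two negated matches, so the frame is dropped only when
    both the MAC and the IP are wrong; spoofing just one of them passes."""
    if frame.iif not in allowed:
        return False  # no rule for this interface: chain policy accept
    mac, ip = allowed[frame.iif]
    return frame.mac != mac and frame.ip != ip


def answer_rules_drop(frame: Frame, allowed: dict = ALLOWED) -> bool:
    """The answer's chain: accept the exact allowed pair, then an unconditional
    drop, so anything that is not the allowed (MAC, IP) pair is dropped."""
    if frame.iif not in allowed:
        return False
    mac, ip = allowed[frame.iif]
    return not (frame.mac == mac and frame.ip == ip)


def render_ruleset(allowed: dict = ALLOWED, cover_arp: bool = True) -> str:
    """Render an `nft -f` file in the answer's shape, with one accept/drop chain
    per TAP interface. With cover_arp the same pair is also enforced on ARP
    frames (an extension: the answer's ruleset leaves ARP unfiltered)."""
    fwd = ["    chain forward {",
           "        type filter hook forward priority filter; policy accept;"]
    chains = []
    for iif, (mac, ip) in sorted(allowed.items()):
        chain = f"allowed-{iif}"
        fwd.append(f'        iifname "{iif}" ether type ip jump {chain}')
        body = [f"    chain {chain} {{",
                f"        ether saddr {mac} ip saddr {ip} accept"]
        if cover_arp:
            fwd.append(f'        iifname "{iif}" ether type arp jump {chain}')
            body.append(f"        arp saddr ether {mac} arp saddr ip {ip} accept")
        body += ["        drop", "    }"]
        chains += body
    fwd.append("    }")
    return "\n".join(["table bridge filter {", *fwd, *chains, "}"]) + "\n"


if __name__ == "__main__":
    spoofed_mac = Frame("vm0", "52:54:00:de:ad:01", "192.0.2.10")
    print("question rule drops spoofed MAC:", question_rule_drops(spoofed_mac))
    print("answer rules drop spoofed MAC: ", answer_rules_drop(spoofed_mac))
    print(render_ruleset())
```

Write the rendered text to a file and load it with `nft -f`, then confirm the result with `nft list ruleset`; the per-interface chains make it easy to see which VM a drop rule belongs to when more than one TAP device hangs off br0.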