bpi-r2:network:nftables

bpi-r2:network:nftables [2021/09/05 19:23] – [links] frankbpi-r2:network:nftables [2023/06/08 17:06] (aktuell) – Externe Bearbeitung 127.0.0.1
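--- a/bpi-r2/network/nftables.txt
+++ b/bpi-r2/network/nftables.txt
@@ -1 +1,157 @@
+====== NFTables ======
 
+<code>
+apt install nftables
+echo 1 > /proc/sys/net/ipv4/ip_forward
+
+nft list ruleset
+nft add table nat
+nft add chain ip nat prerouting { type nat hook prerouting priority 100 \; }
+nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
+nft add rule nat postrouting masquerade
+
+#portforwarding
+nft add rule nat prerouting iif lan1 tcp dport 443 dnat 192.168.0.10:443 # ip needs to be routed to other interface then in-interface (here lan1)
+</code>
+===== einfache Befehle =====
+
+  nft flush ruleset #alles löschen
+  nft -f flowoffload.nft #importieren
+  nft show ruleset #alles anzeigen
+  
+===== einfache struktur =====
+
+<code>
+table ip filter {
+        chain input {
+                type filter hook input priority 0; policy accept;
+        }
+
+        chain output {
+                type filter hook output priority 0; policy accept;
+        }
+
+        chain forward {
+                type filter hook forward priority 0; policy accept;
+        }
+}
+table ip nat {
+        chain post {
+                type nat hook postrouting priority 0; policy accept;
+                oifname "wan" masquerade
+        }
+
+        chain pre {
+                type nat hook prerouting priority 0; policy accept;
+        }
+}
+</code>
+===== links =====
+
+  * https://developers.redhat.com/blog/2017/01/10/migrating-my-iptables-setup-to-nftables/
+  * https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_routing_firewall
+  * https://wiki.nftables.org/wiki-nftables/index.php
+  * https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
+  * https://github.com/alpinelinux/aports/blob/master/main/nftables/nftables.nft
+===== hwnat =====
+
+https://github.com/frank-w/BPI-R2-4.14/commits/5.12-hnat
+
+ipv6 mangle crasht noch
+
+für hwnat wird eine neuere version der nftables benötigt als in debian buster angeboten wird
+
+https://github.com/frank-w/nftables-bpi
+
+kompiliert: https://drive.google.com/drive/folders/1hajKvqQa96WRrAy52fQX90i59I1s0h-i?usp=sharing
+
+basic IPv4 Ruleset:
+<code>
+flush ruleset
+table ip filter {
+        flowtable f {
+                hook ingress priority filter + 1
+                devices = { lan3, lan0, wan }
+                flags offload;
+        }
+        chain input {
+                type filter hook input priority filter; policy accept;
+        }
+
+        chain output {
+                type filter hook output priority filter; policy accept;
+        }
+
+        chain forward {
+                type filter hook forward priority filter; policy accept;
+                ip protocol { tcp, udp } flow add @f
+        }
+}
+table ip nat {
+        chain post {
+                type nat hook postrouting priority filter; policy accept;
+                oifname "wan" masquerade
+        }
+
+        chain pre {
+                type nat hook prerouting priority filter; policy accept;
+        }
+}
+</code>
+
+basic v6 Ruleset (crash!):
+
+<code>
+flush ruleset
+table ip6 filter {
+        flowtable f {
+                hook ingress priority 1
+                devices = { lan3, lan0, wan }
+                flags offload;
+        }
+        chain input {
+                type filter hook input priority 0; policy accept;
+        }
+
+        chain output {
+                type filter hook output priority 0; policy accept;
+        }
+
+        chain forward {
+                type filter hook forward priority 0; policy accept;
+                ip6 nexthdr { tcp, udp } flow add @f
+        }
+}
+table ip6 nat {
+        chain post {
+                type nat hook postrouting priority 0; policy accept;
+                oifname "wan" masquerade
+        }
+
+        chain pre {
+                type nat hook prerouting priority 0; policy accept;
+        }
+}
+</code>
+
+testen:
+
+  nft -f nft-nat-flowoffload.nft
+  #vom client traffic generieren
+  cat /sys/kernel/debug/mtk_ppe/entries
+
+IPV6-Setup
+<code>
+#!/bin/bash
+#on main-router:
+#ip -6 route add fd00:a2::/64 via fd00:a::12
+#ip -6 route add 2001:470:xxxx:a2::/64 via 2001:470:xxxx::12
+
+ip -6 addr add fd00:a::12/64 dev wan                             
+ip -6 addr add fd00:a2::12/64 dev lan3
+
+ip -6 addr add 2001:470:xxxx::12/64 dev wan                             
+ip -6 addr add 2001:470:xxxx:a2::12/64 dev lan3
+
+sysctl -w net.ipv6.conf.all.forwarding=1
+</code>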
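Review bot: Every chain in the rulesets on this page, including `forward` in the "einfache struktur" block and in both hwnat examples, is declared with `policy accept` and no connection-tracking rule, so a router loading one of them forwards unsolicited traffic arriving on `wan` straight into the LAN; the `masquerade` in the nat table hides addresses but does not filter anything. That may be intended for an offload test bench, but a one-line note under "basic IPv4 Ruleset" would stop readers from deploying it as-is, for example placing `ct state established,related accept` and `iifname "wan" drop` before the `ip protocol { tcp, udp } flow add @f` line and switching that chain to `policy drop` (same for the ip6 variant). The `echo 1 > /proc/sys/net/ipv4/ip_forward` line near the top and the `sysctl -w` in the IPv6 setup script are not persistent across reboots, which is worth stating next to them.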
bpi-r2/network/nftables.txt · Zuletzt geändert: 2023/06/08 17:06 von 127.0.0.1