Firewall with nft
Ruleset with an IPv4/IPv6 input filter plus an ARP filter that only accepts ARP requests from two specific MAC addresses:

    table inet filter {
        chain INPUT {
            type filter hook input priority filter; policy drop;
            ct state { established, related } accept
            ct state invalid drop
            iifname "lo" accept
            ip protocol icmp drop
            icmpv6 type echo-request drop
            icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
            tcp dport 22 accept
        }
        chain OUTPUT {
            type filter hook output priority filter; policy accept;
        }
        chain FORWARD {
            type filter hook forward priority filter; policy drop;
        }
    }

    table arp filter {
        chain INPUT {
            type filter hook input priority filter; policy drop;
            arp operation request ether saddr 12:34:56:78:9a:bc accept
            arp operation request ether saddr bc:9a:78:56:34:12 accept
            arp operation reply accept
        }
        chain OUTPUT {
            type filter hook output priority filter; policy accept;
        }
    }

Note what this does and does not restrict. The inet table never looks at MAC addresses: SSH (tcp dport 22) is accepted from any source, and the ICMPv6 neighbour discovery types are accepted explicitly because IPv6 stops working without them. The arp table only drops ARP requests whose Ethernet source is not one of the two listed MACs (replies are accepted from anyone), so other hosts cannot learn this machine's MAC by asking for it. A host that already has the MAC (cached, learned from this machine's own ARP requests, or simply spoofed, since a MAC is set with one ip link command) still reaches port 22 unchanged. Restricting IP traffic by MAC needs a matching ether saddr rule in the inet INPUT chain as well; the ARP filter alone is not an access control.
Useful commands:

    nft list ruleset                 # show the complete active ruleset
    nft flush ruleset                # delete all tables, chains, sets and rules
    nft --check -f <ruleset-file>    # parse and validate a ruleset file without loading it
    nft -f <ruleset-file>            # load a ruleset file as one atomic transaction
    nft list chains                  # list all chains; there is no "list rules", rules are shown with list ruleset or list chain <family> <table> <chain>
    nft list tables
    nft monitor [new | destroy] [tables | chains | sets | rules | elements] [xml | json]
    systemctl status nftables.service
Load the ruleset automatically at boot

    vi /etc/nftables.conf

    #!/usr/sbin/nft -f
    flush ruleset
    table inet filter {
    ...

The leading flush ruleset makes the file self-contained: loading it replaces whatever is active instead of appending duplicate rules to it. On Debian and its derivatives nftables.service runs exactly this file (nft -f /etc/nftables.conf) at boot, so it has to be enabled with systemctl enable nftables.service; run nft --check -f /etc/nftables.conf first, because a syntax error leaves the host without the firewall after a reboot.
Make SSH brute forcing harder

The commands below are nft script syntax (for nft -f or nft -i). Two corrections to the order and naming: the chain and the dynamic set must exist before the rule that jumps to or references them, and the jump rule has to sit in front of the tcp dport 22 accept rule of the INPUT chain above (an appended rule would never be reached), hence insert rule. The page's ruleset only defines table inet filter, so that is the table used here; a table ip filter would have to be created first.

    add chain inet filter SSHBFORCE
    add set inet filter denylist { type ipv4_addr; flags dynamic, timeout; timeout 5m; }
    add rule inet filter SSHBFORCE ip protocol tcp ct state new, untracked limit rate over 3/minute add @denylist { ip saddr }
    add rule inet filter SSHBFORCE ip saddr @denylist drop
    insert rule inet filter INPUT tcp dport 22 ct state new counter jump SSHBFORCE

Caveats: the limit is global for the rule, not per source. Once more than three new SSH connections per minute arrive in total, the source of every further one is denylisted for five minutes, so an attacker can get legitimate clients banned by opening a few connections himself. A per-source limit needs the limit inside the dynamic set element (ip saddr limit rate over ...). The set is ipv4_addr, so IPv6 clients are not throttled at all. Because the element is added with add rather than update, repeated attempts by a banned source do not extend the ban.
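As an added example, not part of the original page, the following complete /etc/nftables.conf combines the two ideas above the way a practitioner would deploy them: SSH is admitted only from an allow list of MAC addresses (a set in the inet table, so it actually gates IP traffic, unlike the ARP filter), and any IPv4 source that opens more than three new SSH connections per minute is dropped for five minutes, with the limit kept per source instead of per rule. The MAC addresses, the rate and timeout values and the set/chain names (ssh_macs, ssh_meter, ssh_denylist, ssh_bruteforce) are placeholders chosen for this example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original page). MAC addresses, rates, timeouts
# and the set/chain names are placeholders; replace them for a real host.

flush ruleset

table inet filter {
    # MAC allow list for SSH. MACs are trivially spoofed on the local
    # segment, so this is a hygiene control, not authentication.
    set ssh_macs {
        type ether_addr
        elements = { 12:34:56:78:9a:bc, bc:9a:78:56:34:12 }
    }

    # Per-source meter: one element per client IP, each with its own rate
    # limit. size bounds kernel memory; once full, new sources are not metered.
    set ssh_meter {
        type ipv4_addr
        flags dynamic
        size 65535
    }

    # Sources that exceeded their limit; an entry expires 5 minutes after
    # it was inserted (add does not refresh it, update would).
    set ssh_denylist {
        type ipv4_addr
        flags dynamic, timeout
        timeout 5m
    }

    chain ssh_bruteforce {
        # Already banned: drop without touching the meter.
        ip saddr @ssh_denylist counter drop
        # The set update with "limit rate over" only matches once this
        # source's own rate is exceeded; below the limit the rule stops here.
        # Above it, the source is banned and the attempt dropped.
        add @ssh_meter { ip saddr limit rate over 3/minute } add @ssh_denylist { ip saddr } counter drop
    }

    chain input {
        type filter hook input priority filter; policy drop;

        ct state { established, related } accept
        ct state invalid drop
        iifname "lo" accept

        # IPv6 neighbour discovery must get through; echo requests are
        # dropped as in the ruleset on this page.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        icmpv6 type echo-request drop
        ip protocol icmp drop

        # SSH: MAC allow list first, so unknown senders cannot fill the meter,
        # then the brute-force check for new connections, then accept.
        tcp dport 22 ether saddr != @ssh_macs counter drop
        tcp dport 22 ct state new jump ssh_bruteforce
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Validate with nft --check -f /etc/nftables.conf before loading it with nft -f, and watch who is currently banned with nft list set inet filter ssh_denylist. The meter and denylist are keyed on ip saddr and therefore cover IPv4 only; IPv6 SSH clients need a second pair of sets of type ipv6_addr keyed on ip6 saddr. The ether saddr match requires an Ethernet link layer, so SSH arriving over a non-Ethernet interface (for example a PPP or tunnel device) is dropped by that rule.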
linux/netzwerk/firewall.txt · Last modified: 2023/11/05 21:54 by ms