How do I configure nftables so that only inbound IPsec traffic is allowed, plus rules for handling the traffic after it has been decrypted? I have this nftable.conf:
#!/sbin/nft -f
flush ruleset

# ----- IPv4 -----
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp icmp type echo-request counter accept comment "accept ICMP echo-request types"
        # Accept SSH incoming traffic
        tcp dport ssh counter accept comment "accept SSH"
        # Accept IPsec traffic
        udp dport { isakmp, ipsec-nat-t } counter accept comment "accept ISAKMP and IPsec NAT traversal"
        ip protocol { ah, esp } counter accept comment "accept AH and ESP"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

# ----- IPv6 -----
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
IPsec is set up with StrongSwan. Ping works once I add this rule:
ip protocol icmp icmp type echo-request counter accept comment "accept ICMP echo-request types"
After ESP decapsulation the packet is run through the firewall rules again automatically; you don't need anything special for that.

To match the protected (decapsulated) inbound packets, use:

    meta ipsec exists      on recent versions (nft ≥ 0.9.1)
    meta secpath exists    on older versions (Linux ≥ 4.15, nft ≥ 0.8.2)

For example,

Inverse:

Also, don't create separate ip/ip6 filter tables; you are only duplicating the work you have to do. (For instance, right now you forgot to allow SSH and ESP over IPv6...) Just put everything in a single inet table: rules that filter on an IP address are automatically applied to the matching protocol, and rules that don't are applied to both.
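The single inet table the answer recommends, combined with the `meta ipsec` match, written out as one complete ruleset. This is an added example, not the answer's own snippet and not the question's config; it assumes nft ≥ 0.9.1 (for `meta ipsec`; on older nft/kernels substitute `meta secpath`), the same `isakmp` and `ipsec-nat-t` service names from /etc/services that the question uses, and a host that should accept nothing in the clear except what IKE, ESP and IPv6 neighbour discovery themselves need:

```nft
#!/sbin/nft -f
# Added example (not from the question or the answer): one inet table that
# accepts only IKE/ESP in the clear and filters everything else after it has
# been decapsulated from an IPsec SA. Needs nft >= 0.9.1 for "meta ipsec";
# on older nft/kernels use "meta secpath" instead.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state invalid counter drop comment "early drop of invalid packets"
        iif lo accept comment "accept loopback"

        # Cleartext that IPsec itself needs. "meta l4proto" matches the transport
        # protocol of both IPv4 and IPv6; "ip protocol" would only cover IPv4
        # inside an inet table, which is how the question lost ESP over IPv6.
        udp dport { isakmp, ipsec-nat-t } counter accept comment "IKE and NAT-T (UDP 500/4500)"
        meta l4proto { ah, esp } counter accept comment "AH and ESP, both address families"

        # IPv6 neighbour discovery is never inside an SA; without it the host
        # cannot even resolve the IKE peer's link-layer address.
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } counter accept comment "ICMPv6 ND"

        # Everything else that arrived without an SA is dropped here, before the
        # conntrack rule: otherwise a cleartext packet whose 5-tuple matches a
        # flow that was set up over IPsec would be accepted as "established".
        meta ipsec missing counter drop comment "drop all other cleartext"

        # From here on every packet was decrypted by XFRM and re-injected into
        # this hook, so these rules only ever see traffic from inside an SA.
        ct state { established, related } counter accept comment "replies inside the tunnel"
        icmp type echo-request counter accept comment "ping over IPsec"
        icmpv6 type echo-request counter accept comment "ping6 over IPsec"
        tcp dport ssh counter accept comment "SSH over IPsec, IPv4 and IPv6 alike"
        counter comment "count dropped decrypted packets"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without loading it (`nft -c -f /etc/nftables.conf`), then load it with `nft -f`, and use the counters in `nft list ruleset` to confirm which path a test ping or SSH session took. The rule order is deliberate: the `meta ipsec missing` drop sits above the conntrack accept so that the only cleartext the host ever accepts is IKE, ESP and ND. That also means cleartext replies to connections the host originates itself (DNS, package updates) are dropped; if the host needs those, accept them explicitly above the drop rather than moving the `ct state` rule up, because a general `established, related` accept ahead of the IPsec check lets cleartext packets ride on conntrack entries that were created by decrypted traffic.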