2.7.4. nftables スクリプトの作成とアクティブ化

手順

1. 以下の内容で /etc/nftables/firewall.nft スクリプトを作成します。

   # Remove all rules
   flush ruleset
   
   
   # Table for both IPv4 and IPv6 rules
   table inet nftables_svc {
   
     # Define variables for the interface name
     define INET_DEV = enp1s0
     define LAN_DEV  = enp7s0
     define DMZ_DEV  = enp8s0
   
   
     # Set with the IPv4 addresses of admin PCs
     set admin_pc_ipv4 {
       type ipv4_addr
       elements = { 10.0.0.100, 10.0.0.200 }
     }
   
   
     # Chain for incoming trafic. Default policy: drop
     chain INPUT {
       type filter hook input priority filter
       policy drop
   
       # Accept packets in established and related state, drop invalid packets
       ct state vmap { established:accept, related:accept, invalid:drop }
   
       # Accept incoming traffic on loopback interface
       iifname lo accept
   
       # Allow request from LAN and DMZ to local DNS server
       iifname { $LAN_DEV, $DMZ_DEV } meta l4proto { tcp, udp } th dport 53 accept
   
       # Allow admins PCs to access the router using SSH
       iifname $LAN_DEV ip saddr @admin_pc_ipv4 tcp dport 22 accept
   
       # Last action: Log blocked packets
       # (packets that were not accepted in previous rules in this chain)
       log prefix "nft drop IN : "
     }
   
   
     # Chain for outgoing traffic. Default policy: drop
     chain OUTPUT {
       type filter hook output priority filter
       policy drop
   
       # Accept packets in established and related state, drop invalid packets
       ct state vmap { established:accept, related:accept, invalid:drop }
   
       # Accept outgoing traffic on loopback interface
       oifname lo accept
   
       # Allow local DNS server to recursively resolve queries
       oifname $INET_DEV meta l4proto { tcp, udp } th dport 53 accept
   
       # Last action: Log blocked packets
       log prefix "nft drop OUT: "
     }
   
   
     # Chain for forwarding traffic. Default policy: drop
     chain FORWARD {
       type filter hook forward priority filter
       policy drop
   
       # Accept packets in established and related state, drop invalid packets
       ct state vmap { established:accept, related:accept, invalid:drop }
   
       # IPv4 access from LAN and Internet to the HTTPS server in the DMZ
       iifname { $LAN_DEV, $INET_DEV } oifname $DMZ_DEV ip daddr 198.51.100.5 tcp dport 443 accept
   
       # IPv6 access from Internet to the HTTPS server in the DMZ
       iifname $INET_DEV oifname $DMZ_DEV ip6 daddr 2001:db8:b::5 tcp dport 443 accept
   
       # Access from LAN and DMZ to HTTPS servers on the Internet
       iifname { $LAN_DEV, $DMZ_DEV } oifname $INET_DEV tcp dport 443 accept
   
       # Last action: Log blocked packets
       log prefix "nft drop FWD: "
     }
   
   
     # Postrouting chain to handle SNAT
     chain postrouting {
       type nat hook postrouting priority srcnat; policy accept;
   
       # SNAT for IPv4 traffic from LAN to Internet
       iifname $LAN_DEV oifname $INET_DEV snat ip to 203.0.113.1
     }
   }

2. /etc/nftables/firewall.nft スクリプトを /etc/sysconfig/nftables.conf ファイルに追加します。

   include "/etc/nftables/firewall.nft"

3. IPv4 転送を有効にします。

   # echo "net.ipv4.ip_forward=1" > /etc/sysctl.d/95-IPv4-forwarding.conf
   # sysctl -p /etc/sysctl.d/95-IPv4-forwarding.conf

4. nftables サービスを有効にして起動します。

   # systemctl enable --now nftables

検証

1. オプション:nftables ルールセットを確認します。

   # nft list ruleset
   ...

2. ファイアウォールが阻止するアクセスの実行を試みます。たとえば、DMZ から SSH を使用してルーターにアクセスします。

   # ssh router.example.com
   ssh: connect to host router.example.com port 22: Network is unreachable

3. ロギング設定に応じて、以下を検索します。

   • ブロックされたパケットの systemd ジャーナル:

     # journalctl -k -g "nft drop"
     Oct 14 17:27:18 router kernel: nft drop IN : IN=enp8s0 OUT= MAC=... SRC=198.51.100.5 DST=198.51.100.1 ... PROTO=TCP SPT=40464 DPT=22 ... SYN ...

   • ブロックされたパケットの /var/log/nftables.log ファイル:

     Oct 14 17:27:18 router kernel: nft drop IN : IN=enp8s0 OUT= MAC=... SRC=198.51.100.5 DST=198.51.100.1 ... PROTO=TCP SPT=40464 DPT=22 ... SYN ...