* Grammar in a bash script
@ 2020-08-17 5:55 Mario V Guenzi
2020-08-17 8:56 ` Pablo Neira Ayuso
2020-09-25 12:01 ` Mario Vittorio Guenzi
0 siblings, 2 replies; 12+ messages in thread
From: Mario V Guenzi @ 2020-08-17 5:55 UTC (permalink / raw)
To: Netfilter list
[-- Attachment #1.1: Type: text/plain, Size: 1734 bytes --]
Goodmorning everyone,
Does it make sense to use this kind of grammar in a bash script?
$NFT add table inet firewall
$NFT add table inet nat
$NFT add table netdev noddos
$NFT add chain inet firewall INPUT { type filter hook input priority 0 \; }
$NFT add chain inet firewall OUTPUT { type filter hook output priority 0
\; }
$NFT add chain inet firewall FORWARD { type filter hook forward priority
0 \; }
$NFT add chain inet firewall IPS { type filter hook forward priority 10 \; }
$NFT add chain inet firewall POSTROUTING { type filter hook postrouting
priority 0 \; }
$NFT add chain inet firewall SYN-FLOOD { type filter hook input priority
0 \; }
$NFT -- add chain inet nat PREROUTING { type nat hook prerouting
priority -100 \; }
$NFT add chain inet nat OUTPUT { type nat hook output priority 0 \; }
$NFT add chain inet nat POSTROUTING { type nat hook postrouting priority
100 \; }
$NFT -- add chain netdev noddos ingress { type filter hook ingress
device $EXTIF priority -500 \; }
my rules
my rules
my rules
.
.
.
$NFT add chain inet firewall INPUT { type filter hook input priority 0
\; policy drop \; }
$NFT add chain inet firewall OUTPUT { type filter hook output priority 0
\; policy drop \; }
$NFT add chain inet firewall FORWARD { type filter hook forward priority
0 \; policy drop \; }
$NFT -- add chain inet nat PREROUTING { type nat hook prerouting
priority -100 \; policy drop \; }
$NFT add chain inet nat OUTPUT { type nat hook output priority 0
\;policy drop \; }
The reasoning that I have done and of which I ask for confirmation is,
after having given permission to what I need, I deny everything as a policy
Thanks in advance to those who want to answer me.
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: Grammar in a bash script 2020-08-17 5:55 Grammar in a bash script Mario V Guenzi @ 2020-08-17 8:56 ` Pablo Neira Ayuso 2020-08-18 5:12 ` Mario V Guenzi 2020-09-25 12:01 ` Mario Vittorio Guenzi 1 sibling, 1 reply; 12+ messages in thread From: Pablo Neira Ayuso @ 2020-08-17 8:56 UTC (permalink / raw) To: Mario V Guenzi; +Cc: Netfilter list Hi, On Mon, Aug 17, 2020 at 07:55:32AM +0200, Mario V Guenzi wrote: > Goodmorning everyone, > Does it make sense to use this kind of grammar in a bash script? Please, don't do bash scripting, use native scripting instead for nftables. Bash scripting breaks atomicity when applying the ruleset. You have to remove $NFT from your example below and use 'nft -f ruleset.nft' > $NFT add table inet firewall > $NFT add table inet nat > $NFT add table netdev noddos > > $NFT add chain inet firewall INPUT { type filter hook input priority 0 \; } > $NFT add chain inet firewall OUTPUT { type filter hook output priority 0 > \; } > $NFT add chain inet firewall FORWARD { type filter hook forward priority > 0 \; } > $NFT add chain inet firewall IPS { type filter hook forward priority 10 \; } > $NFT add chain inet firewall POSTROUTING { type filter hook postrouting > priority 0 \; } > $NFT add chain inet firewall SYN-FLOOD { type filter hook input priority > 0 \; } > $NFT -- add chain inet nat PREROUTING { type nat hook prerouting > priority -100 \; } > $NFT add chain inet nat OUTPUT { type nat hook output priority 0 \; } > $NFT add chain inet nat POSTROUTING { type nat hook postrouting priority > 100 \; } > $NFT -- add chain netdev noddos ingress { type filter hook ingress > device $EXTIF priority -500 \; } > > my rules > my rules > my rules > . > . > . > $NFT add chain inet firewall INPUT { type filter hook input priority 0 > \; policy drop \; } > $NFT add chain inet firewall OUTPUT { type filter hook output priority 0 > \; policy drop \; } > $NFT add chain inet firewall FORWARD { type filter hook forward priority > 0 \; policy drop \; } > $NFT -- add chain inet nat PREROUTING { type nat hook prerouting > priority -100 \; policy drop \; } > $NFT add chain inet nat OUTPUT { type nat hook output priority 0 > \;policy drop \; } > > The reasoning that I have done and of which I ask for confirmation is, > after having given permission to what I need, I deny everything as a policy You can set default policy to drop wehn defining the chain (in the same go), no need to call it twice, my suggestion for your ruleset is to place this in ruleset.nft: add table inet firewall add table inet nat add table netdev noddos add chain inet firewall INPUT { type filter hook input priority 0; policy drop; } add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; } add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; } ... my rules my rules my rules ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script 2020-08-17 8:56 ` Pablo Neira Ayuso @ 2020-08-18 5:12 ` Mario V Guenzi 2020-08-18 10:04 ` A L ` (2 more replies) 0 siblings, 3 replies; 12+ messages in thread From: Mario V Guenzi @ 2020-08-18 5:12 UTC (permalink / raw) To: Netfilter list [-- Attachment #1.1: Type: text/plain, Size: 972 bytes --] Il 17/08/20 10:56, Pablo Neira Ayuso ha scritto: > Hi, > You can set default policy to drop wehn defining the chain (in the > same go), no need to call it twice, my suggestion for your ruleset is > to place this in ruleset.nft: > > add table inet firewall > add table inet nat > add table netdev noddos > > add chain inet firewall INPUT { type filter hook input priority 0; policy drop; } > add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; } > add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; } > ... > > my rules > my rules > my rules > At first many thanks. another question given your kindness, I can use bash only to define my variables eg EXTIF = "eth0" LAN = "192.168.2.0/24" etc use the variables defined in writing the rules.nft file as per your example and then write nft -f /path/rules.nft in my bash script? as usual I apologize for my terrible English. [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script 2020-08-18 5:12 ` Mario V Guenzi @ 2020-08-18 10:04 ` A L 2020-08-18 10:11 ` Pablo Neira Ayuso 2020-08-18 10:32 ` Reindl Harald 2 siblings, 0 replies; 12+ messages in thread From: A L @ 2020-08-18 10:04 UTC (permalink / raw) To: Mario V Guenzi, Netfilter list Hi, I'm not using nft yet myself, but I do use bash scripting with iptables. What I to is that the bash script generates a iptables-save file which it submits at the end. This way I think it is atomic. Shouldn't it be possible to do the same with nft? Regards ---- From: Mario V Guenzi <jclark@tiscali.it> -- Sent: 2020-08-18 - 07:12 ---- > Il 17/08/20 10:56, Pablo Neira Ayuso ha scritto: >> Hi, > >> You can set default policy to drop wehn defining the chain (in the >> same go), no need to call it twice, my suggestion for your ruleset is >> to place this in ruleset.nft: >> >> add table inet firewall >> add table inet nat >> add table netdev noddos >> >> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; } >> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; } >> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; } >> ... >> >> my rules >> my rules >> my rules >> > > At first many thanks. > another question given your kindness, > I can use bash only to define my variables eg > EXTIF = "eth0" > LAN = "192.168.2.0/24" > etc > use the variables defined in writing the rules.nft file as per your > example and then write > nft -f /path/rules.nft in my bash script? > as usual I apologize for my terrible English. > ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script 2020-08-18 5:12 ` Mario V Guenzi 2020-08-18 10:04 ` A L @ 2020-08-18 10:11 ` Pablo Neira Ayuso 2020-08-18 10:28 ` Mario Vittorio Guenzi 2020-08-18 10:32 ` Reindl Harald 2 siblings, 1 reply; 12+ messages in thread From: Pablo Neira Ayuso @ 2020-08-18 10:11 UTC (permalink / raw) To: Mario V Guenzi; +Cc: Netfilter list On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote: > Il 17/08/20 10:56, Pablo Neira Ayuso ha scritto: > > Hi, > > > You can set default policy to drop wehn defining the chain (in the > > same go), no need to call it twice, my suggestion for your ruleset is > > to place this in ruleset.nft: > > > > add table inet firewall > > add table inet nat > > add table netdev noddos > > > > add chain inet firewall INPUT { type filter hook input priority 0; policy drop; } > > add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; } > > add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; } > > ... > > > > my rules > > my rules > > my rules > > > > At first many thanks. > another question given your kindness, > I can use bash only to define my variables eg > EXTIF = "eth0" > LAN = "192.168.2.0/24" > etc > use the variables defined in writing the rules.nft file as per your > example and then write > nft -f /path/rules.nft in my bash script? You can define variables in nftables, e.g. define EXTIF = "eth0" add rule inet firewall INPUT iifname $EXTIF accept ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script 2020-08-18 10:11 ` Pablo Neira Ayuso @ 2020-08-18 10:28 ` Mario Vittorio Guenzi 2020-08-19 7:55 ` Pablo Neira Ayuso 0 siblings, 1 reply; 12+ messages in thread From: Mario Vittorio Guenzi @ 2020-08-18 10:28 UTC (permalink / raw) To: Netfilter list [-- Attachment #1.1: Type: text/plain, Size: 2342 bytes --] Il 18/08/20 12:11, Pablo Neira Ayuso ha scritto: > On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote: >> Il 17/08/20 10:56, Pablo Neira Ayuso ha scritto: >>> Hi, >> >>> You can set default policy to drop wehn defining the chain (in the >>> same go), no need to call it twice, my suggestion for your ruleset is >>> to place this in ruleset.nft: >>> >>> add table inet firewall >>> add table inet nat >>> add table netdev noddos >>> >>> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; } >>> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; } >>> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; } >>> ... >>> >>> my rules >>> my rules >>> my rules >>> >> >> At first many thanks. >> another question given your kindness, >> I can use bash only to define my variables eg >> EXTIF = "eth0" >> LAN = "192.168.2.0/24" >> etc >> use the variables defined in writing the rules.nft file as per your >> example and then write >> nft -f /path/rules.nft in my bash script? > > You can define variables in nftables, e.g. > > define EXTIF = "eth0" > > add rule inet firewall INPUT iifname $EXTIF accept > Again Thank You. Yes I have read about, but for my convenience I do take the IPs with command and do not believe that nft can execute it. This are my variables You can see how take IP from eth NFT="`whereis -b nft | cut -d \" \" -f 2`" EXTIF="eth0" ## word interface INTIF="eth1" ## lan interface VPNIF="eth0:0" LO="lo" LO_IP="127.0.0.1" LAN="192.168.2.0/23" #our lan BCAST="192.168.3.255" EXTIP=`ifconfig $EXTIF | awk '$1 == "inet" { print $2 }'` INTIP=`ifconfig $INTIF | awk '$1 == "inet" { print $2 }'` VPNIP=`ifconfig $VPNIF | awk '$1 == "inet" { print $2 }'` CHIMERA="192.168.2.224" GRECALE="192.168.2.251" PERSEO="192.168.2.240" STROMBOLI="192.168.2.232" RESERVED_NET="0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/16, 169.254.0.0/16, 172.16.0.0/12, \ 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/5" GOOD_BOYS="2.233.119.3, 88.149.179.177, 81.208.25.146, 82.85.80.100" -- Mario Vittorio Guenzi E-mail jclark@tiscali.it Si vis pacem, para bellum [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script 2020-08-18 10:28 ` Mario Vittorio Guenzi @ 2020-08-19 7:55 ` Pablo Neira Ayuso 0 siblings, 0 replies; 12+ messages in thread From: Pablo Neira Ayuso @ 2020-08-19 7:55 UTC (permalink / raw) To: Mario Vittorio Guenzi; +Cc: Netfilter list On Tue, Aug 18, 2020 at 12:28:04PM +0200, Mario Vittorio Guenzi wrote: > > > Il 18/08/20 12:11, Pablo Neira Ayuso ha scritto: > > On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote: > >> Il 17/08/20 10:56, Pablo Neira Ayuso ha scritto: > >>> Hi, > >> > >>> You can set default policy to drop wehn defining the chain (in the > >>> same go), no need to call it twice, my suggestion for your ruleset is > >>> to place this in ruleset.nft: > >>> > >>> add table inet firewall > >>> add table inet nat > >>> add table netdev noddos > >>> > >>> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; } > >>> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; } > >>> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; } > >>> ... > >>> > >>> my rules > >>> my rules > >>> my rules > >>> > >> > >> At first many thanks. > >> another question given your kindness, > >> I can use bash only to define my variables eg > >> EXTIF = "eth0" > >> LAN = "192.168.2.0/24" > >> etc > >> use the variables defined in writing the rules.nft file as per your > >> example and then write > >> nft -f /path/rules.nft in my bash script? > > > > You can define variables in nftables, e.g. > > > > define EXTIF = "eth0" > > > > add rule inet firewall INPUT iifname $EXTIF accept > > > Again Thank You. > Yes I have read about, but for my convenience I do take the IPs with > command and do not believe that nft can execute it. > This are my variables You can see how take IP from eth > > NFT="`whereis -b nft | cut -d \" \" -f 2`" > EXTIF="eth0" ## word interface > INTIF="eth1" ## lan interface > VPNIF="eth0:0" > LO="lo" > LO_IP="127.0.0.1" > LAN="192.168.2.0/23" #our lan > BCAST="192.168.3.255" > EXTIP=`ifconfig $EXTIF | awk '$1 == "inet" { print $2 }'` > INTIP=`ifconfig $INTIF | awk '$1 == "inet" { print $2 }'` > VPNIP=`ifconfig $VPNIF | awk '$1 == "inet" { print $2 }'` > CHIMERA="192.168.2.224" > GRECALE="192.168.2.251" > PERSEO="192.168.2.240" > STROMBOLI="192.168.2.232" > RESERVED_NET="0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 10.0.0.0/8, > 100.64.0.0/10, 127.0.0.0/16, 169.254.0.0/16, 172.16.0.0/12, \ > 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, > 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/5" > GOOD_BOYS="2.233.119.3, 88.149.179.177, 81.208.25.146, 82.85.80.100" I suggest: 1) Add these variables to vars.nft, generate vars.nft via script as it was suggested. 2) From ruleset.nft, use: include "vars.nft" to include your autogenerated variable definitions, so you can keep your variables and your ruleset in separated files. ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script 2020-08-18 5:12 ` Mario V Guenzi 2020-08-18 10:04 ` A L 2020-08-18 10:11 ` Pablo Neira Ayuso @ 2020-08-18 10:32 ` Reindl Harald 2020-08-18 10:41 ` Mario Vittorio Guenzi 2 siblings, 1 reply; 12+ messages in thread From: Reindl Harald @ 2020-08-18 10:32 UTC (permalink / raw) To: Mario V Guenzi, Netfilter list Am 18.08.20 um 07:12 schrieb Mario V Guenzi: > At first many thanks. > another question given your kindness, > I can use bash only to define my variables eg > EXTIF = "eth0" > LAN = "192.168.2.0/24" > etc > use the variables defined in writing the rules.nft file as per your > example and then write > nft -f /path/rules.nft in my bash script? surely how would nft know if you have written "rules.nft" by hand or from a script? doing the same with generated bash scripts for years ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script 2020-08-18 10:32 ` Reindl Harald @ 2020-08-18 10:41 ` Mario Vittorio Guenzi 0 siblings, 0 replies; 12+ messages in thread From: Mario Vittorio Guenzi @ 2020-08-18 10:41 UTC (permalink / raw) To: Netfilter list [-- Attachment #1.1: Type: text/plain, Size: 301 bytes --] Il 18/08/20 12:32, Reindl Harald ha scritto: > surely > > how would nft know if you have written "rules.nft" by hand or from a > script? doing the same with generated bash scripts for years OK Many thanks -- Mario Vittorio Guenzi E-mail jclark@tiscali.it Si vis pacem, para bellum [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script 2020-08-17 5:55 Grammar in a bash script Mario V Guenzi 2020-08-17 8:56 ` Pablo Neira Ayuso @ 2020-09-25 12:01 ` Mario Vittorio Guenzi 1 sibling, 0 replies; 12+ messages in thread From: Mario Vittorio Guenzi @ 2020-09-25 12:01 UTC (permalink / raw) To: Netfilter list [-- Attachment #1.1: Type: text/plain, Size: 412 bytes --] Il 17/08/20 07:55, Mario V Guenzi ha scritto: > Goodmorning everyone, > Does it make sense to use this kind of grammar in a bash script? > Thanks everyone for your invaluable help. I solved it by doing as you suggested, and the bash script only serves to launch external nftables files. Thanks again -- Mario Vittorio Guenzi E-mail jclark@tiscali.it Si vis pacem, para bellum [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 195 bytes --] ^ permalink raw reply [flat|nested] 12+ messages in thread
* Re: Grammar in a bash script
@ 2020-08-17 8:09 Mario V Guenzi
2020-08-17 8:42 ` Reindl Harald
0 siblings, 1 reply; 12+ messages in thread
From: Mario V Guenzi @ 2020-08-17 8:09 UTC (permalink / raw)
To: Netfilter list; +Cc: david
[-- Attachment #1.1: Type: text/plain, Size: 371 bytes --]
Il 17/08/20 09:58, david@hajes.org ha scritto:
> Standard firewall strategy - policy DROP all and allow only what you really need.
yes, but if I put drop as default policy it doesn't even let me access
via ssh, that's why I was forced not to put policy and then drop with
the rules, and for this, once finished I wanted to further close
Sorry for my poor english
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 195 bytes --]
^ permalink raw reply [flat|nested] 12+ messages in thread* Re: Grammar in a bash script 2020-08-17 8:09 Mario V Guenzi @ 2020-08-17 8:42 ` Reindl Harald 0 siblings, 0 replies; 12+ messages in thread From: Reindl Harald @ 2020-08-17 8:42 UTC (permalink / raw) To: Mario V Guenzi, Netfilter list; +Cc: david Am 17.08.20 um 10:09 schrieb Mario V Guenzi: > Il 17/08/20 09:58, david@hajes.org ha scritto: >> Standard firewall strategy - policy DROP all and allow only what you really need. > yes, but if I put drop as default policy it doesn't even let me access > via ssh, that's why I was forced not to put policy and then drop with > the rules, and for this, once finished I wanted to further close > Sorry for my poor english your script first set a default drop policy and then opens the ports which should be open, including SSH * deny policy * est/related allow * ports to allow doing otherwise has a chance that there is a timewindow where you accept unwanted connections which then land in conntrack and stay open because packets belong to a existing connection below how iptables scripts looking for decades and no, you don't lose your ssh session when execute it because of how tcp works with re-transmits --------------------------------- #!/bin/bash iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT iptables -F iptables -X iptables -A INPUT -p all -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -A INPUT -p tcp --dport 22 -j ACCEPT iptables -A INPUT -p all -j DROP ^ permalink raw reply [flat|nested] 12+ messages in thread
end of thread, other threads:[~2020-09-25 12:01 UTC | newest] Thread overview: 12+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-08-17 5:55 Grammar in a bash script Mario V Guenzi 2020-08-17 8:56 ` Pablo Neira Ayuso 2020-08-18 5:12 ` Mario V Guenzi 2020-08-18 10:04 ` A L 2020-08-18 10:11 ` Pablo Neira Ayuso 2020-08-18 10:28 ` Mario Vittorio Guenzi 2020-08-19 7:55 ` Pablo Neira Ayuso 2020-08-18 10:32 ` Reindl Harald 2020-08-18 10:41 ` Mario Vittorio Guenzi 2020-09-25 12:01 ` Mario Vittorio Guenzi -- strict thread matches above, loose matches on Subject: below -- 2020-08-17 8:09 Mario V Guenzi 2020-08-17 8:42 ` Reindl Harald
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.