我是 Ubuntu 的新手,已經從使用 iptables 的 CentOS7 上託管,我對 apf 和 bfd 處理(隱藏)我的 iptables 的方式感到滿意..並且運行良好
所以,我已經轉移到Ubuntu(20.04 LSR)和“ubuntu-way”做防火牆自動禁止試圖闖入似乎是nftables和fail2ban
我使用 iRedMail 建立了一個基本的 nginx、postfix、dovecot、clamav、roundcube 等基於郵件伺服器,並配置了fail2ban 來監視日誌以嘗試侵入郵件服務和 ssh 等,我已經看到它正確解析我的郵件日誌並將fial2ban 阻止的ip 儲存在表inet f2b-table 中
這可以在重新啟動後正常運行,但我注意到/etc/nftables.conf 文件中沒有任何fail2ban表- 它有我的基本防火牆,我可以靜態更新它以拒絕所有然後解鎖我想要的tcp端口(基本上郵件和網頁伺服器以及 ssh)
但據我所知,fail2ban規則不在設定檔中,但似乎是在啟動時根據iRedMail設定的mysql資料庫中的fail2ban表中的條目重建的
這很好..但這裡有一個困境:如果我利用現有的fail2ban錶手動向防火牆添加規則,我可以..
nft add element inet f2b-table addr-set-postfix-pregreet { spammer.ip.addr.here }
它顯示並工作。
除非我重新啟動,整個表都會丟失,並由表格條目中的fail2ban重建(我再次對此感到滿意)
所以,我繼續添加我自己的新桌子/東西
table inet spammers {
set blackhole {
type ipv4_addr
elements = { sample.ip.addr.here }
}
chain spammers-chain {
type filter hook input priority filter - 2; policy accept;
ip saddr @blackhole drop
}
}
再次測試它,它運行良好,但為了堅持這一點,我需要將其寫入 /etc/nftables.conf 或設定該目錄以讀取我的規則等。
我可以通過將 nftables.conf 中的包含添加到任意規則的目錄中來做到這一點,然後每次添加地址時將我的表存儲到其中,但這看起來醜陋且錯誤
就像如果我想將新的垃圾郵件發送者添加到我的清單中一樣,我可以這樣做
nft add element inet spammers blackhole { new.ip.addr.here }
但隨後需要..我不知道?將表保存到我的文件中?
nft list table inet spammers > /etc/nftables.d/spammers.conf
所以,這是我可以做到的一種方法,但我見過其他人談論netfilter-persist 但這不是Ubuntu 的一部分,所以在我開始發明自己的輪子或進入netfilter-persist 兔子洞之前或(不,謝謝)做一些類似於fail2ban似乎所做的事情...(將被禁止的IP存儲在資料庫中並在登錄時重建列表)
我可以想出幾種方法來做到這一點..但我想知道是否有我在這裡缺少的“最佳實踐”“Ubuntu方式”...
更新/編輯:除非我得到更好的建議,否則我現在的“解決方案”是
mkdir /etc/nftables.d/
nft list table inet spammers > /etc/nftables.d/spammers.conf
然後我編輯 /etc/nftables.conf 在底部加入這一行
include "/etc/nftables.d/*.conf"
現在,當我在表格中新增一個區塊時,需要執行兩個步驟:
nft add element inet spammers blackhole { some.evildoer.ip.address }
nft list table inet spammers > /etc/nftables.d/spammers.conf
它不是最漂亮的,但它絕對有效..我當然可以將這一切包裝在我自己的自定義腳本中,這樣我就可以調用類似的東西
banspammer "badguy.ip.addr.here"
並且 banspammer 會新增指定的位址元素並保存更新的表定義...
再次,這感覺就像“不是最佳實踐”,因此我提出了問題。
編輯:2021-12-22 好吧,所以我有點自言自語,但由於我沒有收到任何反饋,所以我按照我的想法去做了- 它正在工作,我寫了這個小反垃圾郵件腳本....它是原始的,可能非常危險- 我沒有進行健全性檢查,例如檢查配置文件路徑是否有效,也沒有對所述文件進行任何備份等...
由於表格條目是 ipv4_addr 類型,nftables 會進行驗證,所以我不太擔心這一點
請注意,我的特定設定在inet 系列中已經有一個名為filter 的過濾器- 我專門將其添加為稍低優先級列表我還創建了/etc/nftables.d 目錄並添加到我的程式碼中使其將config 目錄解析為我上面提到過
希望有人覺得有用。
如果有這樣的事情的話,我仍然會對更「Ubuntu 方式」感興趣。
#!/usr/bin/sh
################################################################################
# banspammer 2021-12-22 DigitalSorceress
#
# SUMMARY
# This script adds an ip or range of Ips (see element adding) to nftables
# specifically to my spammer blackhole
# it also persists it out to /etc/nftables.d/spammers.conf
#
# put this somewhere like /root/tandautils
# then go to /user/local/sbin and ln -s /root/tandautils/banspammer.sh banspammer
#
################################################################################
# Handle command line args
COMMAND=$1
ADDRESS=$2
# the location of the ssh daemon config file
# default for CentOS is CONFIG_FILE=/etc/ssh/sshd_config
#
CONFIG_FILE=/etc/nftables.d/spammers.conf
# Here are the subroutines for individual actions
ban_spammer () {
# Issue the basic command to ban the spammer
echo "adding spammer to blackhole ..."
nft add element inet spammers blackhole { ${ADDRESS} }
BAN_SPAMMER_RESULT=$?
if [ $BAN_SPAMMER_RESULT -eq 0 ]
then
echo " DONE: ${ADDRESS} added to spammer table"
fi
echo ""
}
unban_spammer () {
# Issue the basic command to ban the spammer
echo "removing spammer from blackhole ..."
nft delete element inet spammers blackhole { ${ADDRESS} }
UNBAN_SPAMMER_RESULT=$?
if [ $UNBAN_SPAMMER_RESULT -eq 0 ]
then
echo " DONE: ${ADDRESS} removed from table"
fi
echo ""
}
persist_spamtable () {
echo "persisting out spamtable to ${CONFIG_FILE}..."
# we need to persist out the spam table to the config
nft list table inet spammers > ${CONFIG_FILE}
if [ $? -eq 0 ]
then
echo " done.. showing table..."
echo ""
nft list table inet spammers
else
echo "error persisting table.. "
fi
echo ""
}
list_spamtable () {
echo "listing out spamtable"
echo ""
nft list table inet spammers
echo ""
}
kill_spamtable () {
echo "resetting /creating blank spamtable ${CONFIG_FILE}..."
#rm -f /etc/nftables.d/spammers.conf
tee /etc/nftables.d/spammers.conf <<EOF
table inet spammers {
set blackhole {
type ipv4_addr
}
chain spammers-chain {
type filter hook input priority filter - 2; policy accept;
ip saddr @blackhole drop
}
}
EOF
echo ""
if [ $? -eq 0 ]
then
echo "success.. here's the new file:"
echo ""
cat /etc/hftables.d/spammers.conf
else
echo "error writing file... "
fi
echo ""
}
help_me () {
echo "This is a tool to simplify blocking of IP addesses of spammers "
echo " "
echo "banspammer 2021-12-22 DigitalSorceress"
echo " "
echo "SUMMARY "
echo " This script is used to simplify the act of adding/removing spammers from "
echo " a spammers table in the nftables ruleset "
echo " "
echo " "
echo "usage: $0 banspammer command [address] "
echo " "
echo " command options: "
echo " ban address "
echo " bans the target address; can be a singe IP or comma sep list "
echo " "
echo " unban address "
echo " removes the target address can be a singe IP or comma sep list "
echo " "
echo " reset "
echo " clears all entries from the spammers table "
echo " note this can be used to create a new empty table "
echo " "
echo " show "
echo " shows the current spam table list "
echo " "
echo " help "
echo " Displays this help dialog "
}
# Here is where we do the actual work based on the passed command
case "$COMMAND" in
ban)
if [ $# -eq 2 ]
then
echo "banning address: ${ADDRESS}"
ban_spammer ${ADDRESS}
if [ $BAN_SPAMMER_RESULT -eq 0 ]
then
persist_spamtable
fi
else
echo "ban command requires a single IP or comma separated list of IPs "
fi
;;
unban)
if [ $# -eq 2 ]
then
echo "unbanning address: ${ADDRESS}"
unban_spammer ${ADDRESS}
if [ $UNBAN_SPAMMER_RESULT -eq 0 ]
then
persist_spamtable
fi
fi
;;
show)
list_spamtable
;;
reset)
kill_spamtable
;;
help)
help_me
;;
*)
echo "Usage: $0 ban|unban comma-separated-ip-list or $0 show|reset"
exit 1
esac
答案1
如果你apt-get install iptables-persistent它會拉進來,netfilter-persistent這似乎是你正在尋找的來堅持你的 netfilter 規則?