How do I get nftables to log dropped packets?

I seem to have gotten nftables to log all allowed incoming traffic rather than only the rejected traffic, and I don't know how to say "reject and log everything else".

Here is my /etc/nftables.conf file:

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0;

    # Accept any localhost traffic
    iif lo accept

    # Accept traffic originated from us
    ct state established,related accept

    # Accept neighbour discovery otherwise IPv6 connectivity breaks
    ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept

    # Allow incoming SSH connections
    tcp dport ssh ct state new counter accept

    # Allow mdns from the LAN
    ip saddr 192.168.1.0/24 udp dport mdns counter accept
    ip6 saddr fe80::/10 udp dport mdns counter accept

    ip saddr 192.168.1.0/24 log prefix "Rejected: " flags all reject comment "send rejection to LAN only"
    ip6 saddr fe80::/10 log prefix "Rejected: " flags all reject comment "send rejection to LAN only"

    # Log and drop any other traffic
    # THIS IS THE BROKEN PART
    log prefix "Dropped:  " flags all drop
  }
  chain forward {
    type filter hook forward priority 0;
  }
  chain output {
    type filter hook output priority 0;
  }
}

Answer 1

I think you missed the part about chain defaults. From the manual:

{add | create} chain [family] table chain [{ type type hook hook [device device] priority priority ; [policy policy ;] }]

The policy value mentioned there is described as follows:

Base chains also allow setting the chain's policy, i.e. what happens to packets that are not explicitly accepted or refused by the contained rules. Supported policy values are accept (the default) or drop.

So I guess you will want to swap out these lines:

  chain input {
    type filter hook input priority 0;

for these:

  chain input {
    type filter hook input priority 0;
    policy drop;

But make sure you have some way of accessing the machine in case you lock yourself out with the rules. For iptables the command to use would be iptables-apply, but I'm not sure what can be used in its place for nft. iptables-apply restores the previous rules if you cannot confirm within the given timeout that you are (still) able to access the host...
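The answer above turns on one detail: a base chain with no policy line silently accepts whatever its rules did not match, so a trailing "log ... drop" rule is not a catch-all. The following linter is an added example (not code from either answer) that parses a ruleset in the layout used on this page, tracks nested braces so vmap blocks do not confuse it, and reports the effective policy of every hooked (base) chain; the sample ruleset inside it is constructed for the demonstration, and the comment stripping is not quote-aware.

```python
import re
# Constructed sample (not from the thread): chain without policy, chain with policy, non-base chain.
SAMPLE_RULESET = """
table inet filter {
  chain input {
    type filter hook input priority 0;
    log prefix "Dropped:  " flags all drop
  }
  chain input_fixed {
    type filter hook input priority 0
    policy drop
    ct state vmap { new: continue, established: accept, invalid: drop }
  }
  chain lan_only {
    udp dport mdns counter accept
  }
}
"""

CHAIN_OPEN = re.compile(r"^chain\s+(\S+)\s*\{")
HOOK_SPEC = re.compile(r"\btype\s+\w+\s+hook\s+\w+\s+priority\s+-?\w+")
POLICY = re.compile(r"\bpolicy\s+(accept|drop)\b")

def parse_chains(ruleset):
    """Map chain name -> statement lines, tracking nested braces (vmaps, sets)."""
    chains, current, depth = {}, None, 0
    for raw in ruleset.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (not quote-aware)
        if current is None:
            if m := CHAIN_OPEN.match(line):
                current, depth = m.group(1), 1
                chains[current] = []
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            current = None  # closing brace of this chain block
        elif line:
            chains[current].append(line)
    return chains

def base_chain_policies(ruleset):
    """Policy per base chain; 'accept (default)' when none is declared."""
    policies = {}
    for name, lines in parse_chains(ruleset).items():
        body = " ; ".join(lines)
        if HOOK_SPEC.search(body):  # only hooked (base) chains carry a policy
            m = POLICY.search(body)
            policies[name] = m.group(1) if m else "accept (default)"
    return policies
```

Run it against /etc/nftables.conf before loading a ruleset; any base chain reported as "accept (default)" will let unmatched traffic through regardless of a final log-and-drop rule.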

Answer 2

I ended up solving this by jumping to a separate chain for the LAN-only rules, so that the input chain has only a single log line. I don't know why simply adding policy drop to the input chain, as @0xC0000022L suggested, wasn't enough.

#!/usr/sbin/nft --file

flush ruleset

table inet filter {
  chain input {
    type filter hook input priority 0
    policy drop
    # Normal "prelude" things you always want.
    ct state vmap {
      new: continue,
      established: accept,
      related: accept,
      invalid: drop
    }
    ct status dnat  accept
    iiftype loopback  accept
    icmp type echo-request  accept
    icmpv6 type {
      echo-request,
      nd-neighbor-solicit,
      nd-router-advert,
      nd-neighbor-advert
    } accept

    tcp dport ssh accept comment "Allow incoming SSH connections"

    ip  saddr 192.168.1.0/24  jump lan_only
    ip6 saddr fe80::/10       jump lan_only

    log prefix "Dropped:  " flags all drop comment "non-LAN gets dropped brusquely"
  }

  chain lan_only {
    udp dport mdns counter accept comment "Allow mdns from the LAN"
    log prefix "Rejected: " flags all reject comment "LAN gets rejected politely (others get dropped brusquely)"
  }

  chain forward {
    type filter hook forward priority 0
  }
  chain output {
    type filter hook output priority 0
  }
}
