====== nftables ======

===== Test your rules before you shoot yourself in the foot... =====

<code bash>
sh -c 'nft -f /etc/nftables.conf; sleep 30; nft flush ruleset'
</code>

If the new ruleset locks you out, the firewall is flushed again after 30 seconds. Three things to keep in mind:

  * ''nft flush ruleset'' does not bring back what was running before; it leaves the host with no ruleset at all, i.e. everything is accepted. Save the live ruleset first (''nft list ruleset > /root/nft.backup'') and restore it with ''nft -f'' instead of flushing.
  * Run the command detached (''nohup'', ''setsid'' or inside ''screen''/''tmux''). If the SSH session is torn down before the timer fires, the shell gets SIGHUP and the ''sleep ...; nft flush ruleset'' part dies with it, so the rescue never happens.
  * ''nft -c -f /etc/nftables.conf'' checks the file without loading anything; it catches syntax errors, not rules that lock you out.

===== Other notes =====

  * For NAT you need to create the ''prerouting'' chain (even if it is empty). The underlying quirk: the kernel only registers the NAT hooks when nat chains exist, and older kernels wanted both the prerouting and the postrouting nat chain present before NAT worked at all, even when one of them stayed empty.

===== The Rules =====

<code>
#!/usr/sbin/nft -f
flush ruleset

define port_dns = 53
define port_email_imap = 143
define port_email_managesieve = 4190
define port_email_pop3s = 995
define port_email_smtp_exchange = 25
define port_email_smtp_submission_starttls = 587
define port_http = 80
define port_https = 443
define port_irc_default = 6667
define port_irc_freenode_tls = 7000
define port_irc_tls = 6697
define port_ntp = 123
define port_prosody_clients = 5222
define port_prosody_servers = 5269
define port_quake3 = 27960
define port_quassel_core = 4242
define port_rsync = 873
define port_ssh = 48922
define port_torrent_opentracker = 6969

table inet filter {
    chain global {
        # stateful firewall on
        ct state established,related accept
        ct state invalid drop
        # ICMP and ICMPv6; meta l4proto also matches ICMPv6 behind IPv6 extension
        # headers, which "ip6 nexthdr icmpv6" does not
        meta l4proto { icmp, ipv6-icmp } accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        jump global

        # loopback
        iif lo accept

        tcp dport $port_dns accept
        udp dport $port_dns accept
        tcp dport { $port_email_imap, \
                    $port_email_managesieve, \
                    $port_email_smtp_exchange, \
                    $port_email_smtp_submission_starttls } accept
        tcp dport { $port_http, $port_https } accept
        tcp dport { $port_irc_tls } accept
        tcp dport { $port_prosody_clients, $port_prosody_servers } accept
        udp dport $port_quake3 accept
        # only new SSH connections get this far (established ones were accepted in
        # "global"), so this throttles connection attempts, not session traffic
        tcp dport $port_ssh limit rate 15/minute burst 5 packets accept
        tcp dport $port_torrent_opentracker accept

        counter drop
    }

    chain output {
        type filter hook output priority 0; policy drop;
        jump global

        # loopback
        oif lo accept

        tcp dport $port_dns accept
        udp dport $port_dns accept
        tcp dport { $port_email_pop3s, $port_email_smtp_exchange } accept
        tcp dport { $port_http, $port_https } accept
        tcp dport { $port_irc_tls, \
                    $port_irc_default, \
                    $port_irc_freenode_tls } accept
        udp dport $port_ntp accept
        tcp dport $port_prosody_servers accept
        tcp dport $port_rsync accept
        # processes running as these users may open anything
        skuid { ww, neo } accept
    }
}
</code>

----

===== The NAT =====

<code>
table ip nat {
    chain prerouting {
        # -100 is the conventional DNAT priority (newer nft spells it "dstnat"): the
        # address is rewritten before any filter prerouting chain sees the packet
        type nat hook prerouting priority -100; policy accept;
        # iifname matches by name, so the file still loads when tun0 (the VPN) is not
        # up yet; iif is resolved to an interface index at load time and fails instead
        iifname "tun0" tcp dport 12345 dnat to 192.168.1.10:3389
    }
}
</code>

DNATed traffic then goes through the ''forward'' hook, not ''input''. The filter table above has no forward chain, so nothing filters it; forwarding must also be enabled (''net.ipv4.ip_forward=1'') and 192.168.1.10 has to route its replies back through this host.

===== Docker stinks =====

==== Host <-> container communication ====

  - Delete ''/sbin/iptables'', otherwise Docker will mess with the firewall. [info as of 28 March 2020] Removing the binary also hits everything else on the host that uses iptables, so treat it as the author's belt-and-braces measure on top of the ''"iptables": false'' setting below.
  - Override Docker's networking so that rules for the wanted IP ranges can be written by hand: ''nano /etc/docker/daemon.json''

<code json>
{
    "iptables": false,
    "ipv6": true,
    "bip": "172.19.0.1/24",
    "fixed-cidr": "172.19.0.0/24",
    "fixed-cidr-v6": "2a02:8304:29:d00d:d00d::/80"
}
</code>

  * ''iptables'': "don't touch the firewall" / "yeah, riiight..."
  * ''bip'': the host's IP address on the ''docker0'' interface
  * ''fixed-cidr'': IPv4 range for the containers
  * ''fixed-cidr-v6'': IPv6 range for the containers, carved out of the allocated /64

  - Add to nftables:

<code>
table inet filter {
    chain output {
        # Docker
        oifname "docker*" accept
    }
}
</code>

With ''"iptables": false'' Docker no longer adds the ''masquerade'' rule for the container subnet (or any of its other rules), so outbound container traffic needs your own ''forward'' and ''nat'' rules. The rule above only opens host -> container; new connections from a container to the host still hit the ''input'' chain's ''policy drop'', so add ''iifname "docker*" accept'' there as well if containers need to reach services on the host.
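The filter table on this page has no ''forward'' chain, so both the DNATed RDP flow from the NAT section and any container-to-Internet traffic pass the forward hook unfiltered, and with ''"iptables": false'' nothing masquerades the container subnet. The fragment below is an added example, not part of the original page or of Docker's own rules: it adds a forward chain and the postrouting NAT the containers need. It assumes the uplink interface is ''eth0'' (an assumption), takes ''docker0''/172.19.0.0/24 from the ''daemon.json'' above and ''tun0''/192.168.1.10:3389 from the NAT section, and expects ''net.ipv4.ip_forward=1'' and the RDP host routing its replies back through this box. Because the main file starts with ''flush ruleset'', put it into that file rather than loading it separately.

```nft
# Added example: forward-hook filtering and outbound NAT for the rulesets above.
# eth0 as the uplink is an assumption; docker0/172.19.0.0/24 and
# tun0/192.168.1.10:3389 are the values used elsewhere on this page.
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # the RDP flow from the VPN: ct status dnat means the nat table rewrote
        # this packet, so an un-NATed packet to 192.168.1.10 is still dropped
        iifname "tun0" ct status dnat ip daddr 192.168.1.10 tcp dport 3389 accept

        # containers (IPv4 and the routed IPv6 range alike) may go out to the
        # Internet; the Internet may not open connections to them
        iifname "docker0" oifname "eth0" accept

        counter drop
    }
}

table ip nat {
    chain postrouting {
        # 100 is the conventional SNAT priority (newer nft spells it "srcnat")
        type nat hook postrouting priority 100; policy accept;
        # what Docker used to add itself: hide the container subnet behind the
        # uplink address; the IPv6 containers have real addresses and need no NAT
        ip saddr 172.19.0.0/24 oifname "eth0" masquerade
    }
}
```

The ''ct status dnat'' match is what keeps the forward chain from becoming a generic "anything from tun0 to the LAN" hole: only packets that the prerouting DNAT rule actually rewrote qualify.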
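The one-liner at the top of the page loads the new rules and flushes everything after 30 seconds. The script below is an added example (not the page's own snippet) that does the same job without the two failure modes noted there: it dry-runs the file with ''nft -c'', saves the live ruleset (prefixed with ''flush ruleset'' so reloading it replaces rather than merges), arms a ''nohup''-detached revert timer that survives the SSH session dying, and only disarms it when the operator types ''keep''. It assumes ''nft'', ''mktemp'' and ''nohup'' are available; the ''$NFT'' override and the ''nft-backup.XXXXXX'' file name are my choices, not anything from the page.

```shell
#!/bin/sh
# nft-try: load a candidate ruleset, revert to the *previous* ruleset unless confirmed.
# Added example for this page, not the page's own snippet. Assumes nft(8), mktemp(1)
# and nohup(1); the nft binary can be overridden through $NFT (used for testing).
set -eu

NFT=${NFT:-nft}

# Parse and validate FILE without touching the kernel ruleset (nft --check).
nft_check() {
    "$NFT" -c -f "$1"
}

# Save the live ruleset to FILE. The leading "flush ruleset" makes `nft -f FILE`
# replace whatever is loaded instead of merging into it (duplicate rules).
nft_backup() {
    { echo "flush ruleset"; "$NFT" list ruleset; } > "$1"
}

# Arm a detached timer that reloads BACKUP after SECS seconds and print its PID.
# nohup makes the timer ignore SIGHUP (sleep inherits that), so the revert survives
# the SSH session being torn down by the very rules under test.
start_revert_timer() {
    nohup sh -c 'sleep "$1"; "$2" -f "$3"' nft-revert "$2" "$NFT" "$1" \
        </dev/null >/dev/null 2>&1 &
    echo $!
}

# Disarm the timer once the operator has confirmed the ruleset works.
cancel_revert_timer() {
    kill "$1" 2>/dev/null || true
}

# Interactive driver: nft_try CONF [SECS]
nft_try() {
    nft_try_conf=$1
    nft_try_secs=${2:-30}
    nft_try_backup=$(mktemp "${TMPDIR:-/tmp}/nft-backup.XXXXXX")

    if ! nft_check "$nft_try_conf"; then
        echo "nft -c rejected $nft_try_conf; nothing was loaded" >&2
        return 1
    fi
    nft_backup "$nft_try_backup"
    nft_try_timer=$(start_revert_timer "$nft_try_backup" "$nft_try_secs")
    if ! "$NFT" -f "$nft_try_conf"; then
        # nft -f is transactional: nothing changed, so no revert is needed
        cancel_revert_timer "$nft_try_timer"
        echo "loading $nft_try_conf failed; live ruleset unchanged" >&2
        return 1
    fi

    echo "Candidate ruleset is live. Type 'keep' within ${nft_try_secs}s, otherwise $nft_try_backup is restored."
    read -r nft_try_answer || nft_try_answer=
    # kill -0 succeeds only while the timer is still sleeping, i.e. the revert has not run
    if [ "$nft_try_answer" = keep ] && kill -0 "$nft_try_timer" 2>/dev/null; then
        cancel_revert_timer "$nft_try_timer"
        echo "Kept. Previous ruleset saved in $nft_try_backup."
    else
        echo "Not confirmed in time; $nft_try_backup has been (or is being) restored." >&2
        return 1
    fi
}

# Run as a script: ./nft-try.sh /etc/nftables.conf 30
if [ $# -gt 0 ]; then
    nft_try "$@"
fi
```

Run it from a terminal you can afford to lose: if the candidate ruleset drops your SSH session, the detached timer restores the saved ruleset on its own and you log back in afterwards; if everything still works, type ''keep'' before the deadline.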