Product SiteDocumentation Site

14.2. Firewall oder Paketfilter

ZURÜCK ZU DEN GRUNDLAGEN Firewall

Eine Firewall ist eine Computereinrichtung aus Hard- oder Software, die ein- und ausgehende Netzwerkpakete (zum lokalen Netzwerk kommend oder von ihm ausgehend) sortiert und nur diejenigen durchlässt, die bestimmte vorher festgelegte Bedingungen erfüllen.
Eine Firewall ist ein filternder Netzübergang und nur bei Paketen wirksam, die durch sie hindurchgehen müssen. Deshalb kann sie nur dann wirksam sein, wenn der Weg durch die Firewall für diese Pakete die einzige Route ist.

SONDERFALL Lokale Firewall

Eine Firewall kann auf einen bestimmten Rechner beschränkt sein (im Gegensatz zu einem ganzen Netzwerk), wobei ihre Rolle dann darin besteht, den Zugang zu einigen Diensten zu filtern oder zu beschränken, oder möglicherweise ausgehende Verbindungen von Schadsoftware, die ein Anwender vorsätzlich oder unabsichtlich installiert hat, zu unterbinden.
The Linux kernel embeds the netfilter firewall, which can be controlled from user space with the iptables, ip6tables, arptables and ebtables commands.
However, Netfilter iptables commands are being replaced by nftables, which avoids many of its problems. Its design involves less code duplication, and it can be managed with just the nft command. Debian Buster uses the nftables framework by default.
To enable a default firewall in Debian execute: 
# apt install -y nftables
Reading package lists... Done
...
# systemctl enable nftables.service
Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → /lib/systemd/system/nftables.service.

14.2.1. nftables Behavior

As the kernel is processing a network packet it pauses and allows us to inspect the packet and decide what to do with that package. For example, we might want to drop or discard certain incoming packages, modify other packages in various ways, block certain outgoing packets to control against malware or redirect some packets at the earliest possible stage to bridge network interfaces or to spread the load of incoming packets between systems.
A good understanding of the layers 3, 4 and 5 of the OSI (Open Systems Interconnection) model is essential to get the most from netfilter.

CULTURE The OSI model

The OSI model is a conceptual model to implement networking protocols without regard to its underlying internal structure and technology. Its goal is the interoperability of diverse communication systems with standard communication protocols.
This model was defined in the standard ISO/EIC 7498. The following seven layers are described:
  1. Physical: transmission and reception of raw bit streams over a physical medium
  2. Data Link: reliable transmission of data frames between two nodes connected by a physical layer
  3. Network: structuring and managing a multi-node network, including addressing, routing and traffic control
  4. Transport: reliable transmission of data segments between points on a network, including segmentation, acknowledgment and multiplexing
  5. Session: managing communication sessions, i.e. continuous exchange of information in the form of multiple back-and-forth transmissions between two nodes
  6. Presentation: translation of data between a networking service and an application; including character encoding, data compression and encryption/decryption
  7. Application: High-level APIs, including resource sharing, remote file access.
More information can be found on Wikipedia:
→ https://en.wikipedia.org/wiki/Osi_model
The firewall is configured with tables, which hold rules contained in chains. Unlike iptables, nftables does not have any default table. The user decides which and how many tables to create. Every table must have only one of the following five families assigned: ip, ip6, inet, arp and bridge. ip is used if the family is not specified.
There are two types of chains: base chains and regular chains. A base chain is an entry point for packets from the networking stack, they are registered into the Netfilter hooks, ie. these chains see packets flowing through the TCP/IP stack. On the other hand, and a regular chain is not attached to any hook, so they do not see any traffic, but it may be used as a jump target for better organization.
Rules are made of statements, which includes some expressions to be matched and then a verdict statement, like accept, drop, queue, continue, return, jump chain and goto chain.

ZURÜCK ZU DEN GRUNDLAGEN ICMP

ICMP (Internet Control Message Protocol) ist das Protokoll, das zur Übertragung ergänzender Informationen bei der Datenübertragung verwendet wird. Mit ihm kann die Netzanbindung durch den Befehl ping überprüft werden (der Befehl verschickt eine echo request ICMP-Nachricht, die der Empfänger mit einer echo reply ICMP-Nachricht beantworten soll). Es meldet, ob eine Firewall ein Paket zurückweist, zeigt einen Überlauf in einem Empfangspuffer an, schlägt einen besseren Pfad für die nächsten Pakete in einer Verbindung vor und so weiter. Dieses Protokoll ist durch mehrere RFC-Dokumente definiert; die ursprünglichen Dokumente RFC777 und RFC792 wurden schon bald vervollständigt und erweitert.
→ http://www.faqs.org/rfcs/rfc777.html
→ http://www.faqs.org/rfcs/rfc792.html
Hinweis: ein Empfangspuffer ist ein kleiner Speicherbereich, der Daten vom Zeitpunkt ihrer Ankunft aus dem Netzwerk bis zum Zeitpunkt ihrer Verarbeitung durch den Kernel speichert. Wenn dieser Bereich voll ist, können keine weiteren Daten empfangen werden, und ICMP meldet das Problem, so dass der Absender seine Übertragungsgeschwindigkeit reduzieren kann (die nach einiger Zeit möglichst ausgeglichen sein sollte).
Man beachte, dass ein IPv4-Netzwerk zwar ohne ICMP funktionieren kann, dass aber ICMPv6 für ein IPv6-Netzwerk unbedingt erforderlich ist, da es mehrere Funktionen vereint, die in der IPv4-Welt auf ICMPv4, IGMP (Internet Group Membership Protocol) und ARP (Address Resolution Protocol) verteilt waren. ICMPv6 ist in der RFC4443 definiert.
→ http://www.faqs.org/rfcs/rfc4443.html

14.2.2. Moving from iptables to nftables

The iptables-translate and ip6tables-translate commands can be used to translate old iptables commands into the new nftables syntax. Whole rulesets can also be translated, in this case we migrate the rules configured in one computer which has Docker installed: 
# iptables-save > iptables-ruleset.txt
# iptables-restore-translate -f iptables-ruleset.txt

# Translated by iptables-restore-translate v1.8.2 on Thu Jul 18 10:39:33 2019
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
add chain ip filter DOCKER
add chain ip filter DOCKER-ISOLATION-STAGE-1
add chain ip filter DOCKER-ISOLATION-STAGE-2
add chain ip filter DOCKER-USER
add rule ip filter FORWARD counter jump DOCKER-USER
add rule ip filter FORWARD counter jump DOCKER-ISOLATION-STAGE-1
add rule ip filter FORWARD oifname "docker0" ct state related,established counter accept
add rule ip filter FORWARD oifname "docker0" counter jump DOCKER
add rule ip filter FORWARD iifname "docker0" oifname != "docker0" counter accept
add rule ip filter FORWARD iifname "docker0" oifname "docker0" counter accept
add rule ip filter DOCKER-ISOLATION-STAGE-1 iifname "docker0" oifname != "docker0" counter jump DOCKER-ISOLATION-STAGE-2
add rule ip filter DOCKER-ISOLATION-STAGE-1 counter return
add rule ip filter DOCKER-ISOLATION-STAGE-2 oifname "docker0" counter drop
add rule ip filter DOCKER-ISOLATION-STAGE-2 counter return
add rule ip filter DOCKER-USER counter return
add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat DOCKER
add rule ip nat PREROUTING fib daddr type local counter jump DOCKER
add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/16 counter masquerade
add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
add rule ip nat DOCKER iifname "docker0" counter return
# Completed on Thu Jul 18 10:39:33 2019
# iptables-restore-translate -f iptables-ruleset.txt > ruleset.nft
# nft -f ruleset.nft
# nft list ruleset
table ip filter {
	chain INPUT {
		type filter hook input priority 0; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		counter packets 0 bytes 0 jump DOCKER-USER
		counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
		oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
		oifname "docker0" counter packets 0 bytes 0 jump DOCKER
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
		iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
	}

	chain OUTPUT {
		type filter hook output priority 0; policy accept;
	}

	chain DOCKER {
	}

	chain DOCKER-ISOLATION-STAGE-1 {
		iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
		counter packets 0 bytes 0 return
	}

	chain DOCKER-ISOLATION-STAGE-2 {
		oifname "docker0" counter packets 0 bytes 0 drop
		counter packets 0 bytes 0 return
	}

	chain DOCKER-USER {
		counter packets 0 bytes 0 return
	}
}
table ip nat {
	chain PREROUTING {
		type nat hook prerouting priority -100; policy accept;
		fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}

	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	chain POSTROUTING {
		type nat hook postrouting priority 100; policy accept;
		oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
	}

	chain OUTPUT {
		type nat hook output priority -100; policy accept;
		ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
	}

	chain DOCKER {
		iifname "docker0" counter packets 0 bytes 0 return
	}
}
table ip mangle {
	chain PREROUTING {
		type filter hook prerouting priority -150; policy accept;
	}

	chain INPUT {
		type filter hook input priority -150; policy accept;
	}

	chain FORWARD {
		type filter hook forward priority -150; policy accept;
	}

	chain OUTPUT {
		type route hook output priority -150; policy accept;
	}

	chain POSTROUTING {
		type filter hook postrouting priority -150; policy accept;
	}
}
The tools iptables-nft, ip6tables-nft, arptables-nft, ebtables-nft are versions of iptables that use the nftables API, so users can keep using the old iptables syntax with them, but that is not recommended; these tools should only be used for backwards compatibility.

14.2.3. Syntax of nft

The nft commands allow manipulating tables, chains and rules. The table option supports multiple operations: add, create, delete, list and flush. nft add table ip6 mangle adds a new table from the family ip6.
To insert a new base chain to the filter table, you can execute the following command (note that the semicolon is escaped with a backslash when using Bash): 
# nft add chain filter input { type filter hook input priority 0 \; }
Rules are usually added with the following syntax: nft add rule [family] table chain handle handle statement.
insert is similar to the add command, but the given rule is prepended to the beginning of the chain or before the rule with the given handle instead of at the end or after that rule. For example, the following command inserts a rule before the rule with handler number 8: 
# nft insert rule filter output position 8 ip daddr 127.0.0.8 drop
The executed nft commands do not make permanent changes to the configuration, so they are lost if they are not saved. The firewall rules are located in /etc/nftables.conf. A simple way to save the current firewall configuration permanently is to execute nft list ruleset > /etc/nftables.conf as root.
nft allows many more operations, refer to its manual page nft(8) for more information.

14.2.4. Die Regeln bei jedem Rechnerstart installieren

To enable a default firewall in Debian, you need to store the rules in /etc/nftables.conf and execute systemctl enable nftables.service as root. You can stop the firewall executing nft flush ruleset as root.
In other cases, the recommended way is to register the configuration script in up directive of the /etc/network/interfaces file. In the following example, the script is stored under /usr/local/etc/arrakis.fw.

Beispiel 14.1. Aufruf eines Firewallskripts durch eine interfaces-Datei

auto eth0
iface eth0 inet static
    address 192.168.0.1
    network 192.168.0.0
    netmask 255.255.255.0
    broadcast 192.168.0.255
    up /usr/local/etc/arrakis.fw
Dies setzt natürlich voraus, dass Sie ifupdown verwenden, um die Netzwerk-Schnittstellen zu konfigurieren. Wenn Sie etwas anderes (wie NetworkManager oder Systemd Networkd) verwenden, dann suchen Sie in der Dokumentation Möglichkeiten ein Skript auszuführen, nachdem die Schnittstelle hochgefahren wurde.