🐧 Linux Firewalls Explained: iptables and nftables Architecture, Rules, Differences and Best Practices
Linux firewalling is one of the core skills of system administration and cloud architecture, and today's mainstream setups still fall into two camps:
- iptables: the traditional firewall framework, in use for many years
- nftables: the next-generation Netfilter front end and the modern Linux standard
This article walks through, in depth but in plain language, the differences between the two architectures, the packet flow, common use cases, hands-on commands, and how to design a sound firewall ruleset.
🧩 1. Linux Firewall Fundamentals: Netfilter and Packet Flow
Whether you use iptables or nftables, both rely on the Netfilter subsystem of the Linux kernel. Netfilter provides:
- Packet filtering
- NAT (Network Address Translation)
- Port forwarding
- Connection tracking (stateful tracking)
- Mangle (special-purpose packet processing)
- Raw (bypassing conntrack)
Linux packet flow (simplified diagram)
```
inbound:   network interface → PREROUTING → (routing decision) → INPUT → local application
outbound:  local application → OUTPUT → (routing decision) → POSTROUTING → network interface
forwarded: network interface → PREROUTING → (routing decision) → FORWARD → POSTROUTING → network interface
```
🧱 2. iptables Architecture (the traditional system)
iptables is Linux's original firewall tool; its rules are spread across several tables and chains.
iptables tables and their roles
| Table | Role |
|---|---|
| filter | General packet filtering (the table you use most) |
| nat | NAT and port forwarding |
| mangle | Special-purpose packet modification |
| raw | Skips connection tracking |
Common chains
- INPUT
- OUTPUT
- FORWARD
- PREROUTING
- POSTROUTING
🔥 3. nftables Architecture (next generation, replacing iptables)
nftables has been in the Linux kernel since version 3.13 and was designed as the efficient firewall tool for the years ahead.
nftables advantages
- One tool replaces iptables/ip6tables/ebtables/arptables
- Sets and maps make rule matching efficient
- IPv4 and IPv6 can be managed together in an inet table
- Rules can be updated without interrupting existing connections
- Better performance
Basic nftables structure
- Table
- Chain
- Rule
- Set / Map
```
table inet filter {
    chain input {
        type filter hook input priority 0;
        tcp dport 22 accept
        # anonymous set: one rule matches several source addresses
        ip saddr { 1.1.1.1, 8.8.8.8 } drop
    }
}
```
⚔️ 4. iptables vs nftables at a Glance
| Aspect | iptables | nftables |
|---|---|---|
| Tooling | Several separate tools | A single nft binary |
| Performance | Medium | High |
| IPv4/IPv6 | Separate | Unified in an inet table |
| Large rule sets | Weaker | Efficient with sets and maps |
| Outlook | Being replaced | Mainstream |
5. Practical iptables Commands
List rules
```sh
iptables -L -n -v
```
Allow SSH
```sh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
```
Block an IP
```sh
iptables -A INPUT -s 1.2.3.4 -j DROP
```
NAT and port forwarding
```sh
# Forward inbound TCP port 80 to an internal host
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.100:80
# Rewrite the source address of outbound traffic (masquerading)
iptables -t nat -A POSTROUTING -j MASQUERADE
```
6. Practical nftables Commands
1️⃣ Create a table and a chain
```sh
nft add table inet filter
# The braces and semicolon are quoted so the shell passes them to nft untouched
nft add chain inet filter input '{ type filter hook input priority 0; }'
```
2️⃣ Allow SSH
```sh
nft add rule inet filter input tcp dport 22 accept
```
3️⃣ Block an IP
```sh
nft add rule inet filter input ip saddr 1.2.3.4 drop
```
4️⃣ NAT
```sh
nft add table ip nat
nft add chain ip nat postrouting '{ type nat hook postrouting priority 100; }'
nft add rule ip nat postrouting oif "eth0" masquerade
```
7. Best Practices (production grade)
- Default DROP, then open only the services you need
- Allow internal source networks, e.g. 192.168.0.0/16
- Allow loopback
- Allow established connections: ct state established,related
- Rate-limit SSH to stop brute forcing: limit rate 3/minute
- Centralise logging: journald / rsyslog / Loki
- Adopt nftables as the standard from 2025 onward
8. Complete nftables Firewall Template (ready to use)
```
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        tcp dport 22 accept
        ip protocol icmp accept
        # Fix: an inet table also handles IPv6, and IPv6 does not work without
        # ICMPv6 (neighbour discovery), so it must be accepted as well.
        ip6 nexthdr ipv6-icmp accept
        # Everything else is already dropped by the chain policy; this explicit
        # drop is redundant but harmless.
        drop
    }
}
```
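The script below is an added example, not code from the original post. It turns the best-practice checklist from section 7 and the template above into one complete ruleset, and it also demonstrates the named and dynamic sets from section 3 that iptables cannot express directly: an interval set for the internal networks and a dynamic set that records sources exceeding the SSH rate limit. Its assumptions are mine, not the post's: the internal networks are 192.168.0.0/16 and 10.0.0.0/8, SSH listens on port 22, and the function names `build_ruleset`, `check_ruleset` and `ruleset_has` are invented for this example.

```shell
#!/bin/sh
# Added example (not from the original post): generate a production-style
# nftables ruleset implementing the best-practice checklist.
# Assumed values (mine, not the post's); override via the environment if needed.
INTERNAL_NETS="${INTERNAL_NETS:-192.168.0.0/16, 10.0.0.0/8}"
SSH_PORT="${SSH_PORT:-22}"

# Print the ruleset to stdout. Save it as /etc/nftables.conf or pipe into 'nft -f -'.
build_ruleset() {
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Named interval set: address ranges allowed to reach any local service.
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { ${INTERNAL_NETS} }
    }

    # Dynamic set: sources that opened too many new SSH connections.
    # Entries expire on their own after the set timeout.
    set ssh_abusers {
        type ipv4_addr
        flags dynamic,timeout
        timeout 10m
    }

    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv4 ping, and ICMPv6 (required for IPv6 neighbour discovery).
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept

        ip saddr @internal_nets accept

        # SSH brute-force protection: a source exceeding 3 new connections per
        # minute is added to @ssh_abusers and dropped until its entry expires.
        # (IPv6 SSH clients are accepted without rate limiting in this example.)
        ip saddr @ssh_abusers drop
        tcp dport ${SSH_PORT} ct state new add @ssh_abusers { ip saddr limit rate over 3/minute } drop
        tcp dport ${SSH_PORT} ct state new accept

        # Log what the policy is about to drop; rate limited so the log cannot be flooded.
        limit rate 5/second log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Dry-run syntax check with nft when it is installed ('-c' only parses, it
# loads nothing). Returns nft's status, or 2 when nft is not available.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        build_ruleset | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
        return 2
    fi
}

# Predicate: does the generated ruleset contain the given literal text?
ruleset_has() {
    build_ruleset | grep -qF -- "$1"
}

# Print the ruleset when the script is run directly.
build_ruleset
```

Load it with `nft -f` after `check_ruleset` passes; the `flush ruleset` line at the top means re-running the file replaces the previous rules atomically, which is the nftables property (no connection interruption on update) the comparison table refers to.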