The Linux firewall has moved from iptables to nftables.
That means a new firewall has to be built. Below is a simple
script file. To use it, save it as "nft.sh", give it execute permission with
"chmod +x ./nft.sh", and run it as root via "su" or "sudo".
Verified on "Debian buster".
#!/usr/sbin/nft -f
# This script needs root privileges.
# Run it via "su" or "sudo".
flush ruleset
add table inet filter
# Base chains: each one is attached to the hook it is named after.
add chain inet filter input { type filter hook input priority 0; policy drop; }
add chain inet filter forward { type filter hook forward priority 0; policy drop; }
add chain inet filter output { type filter hook output priority 0; policy accept; }
# Local host accept
add rule inet filter input iif lo accept
# Multicast drop
add rule inet filter input meta pkttype { broadcast, multicast } drop
# Fragment drop
add rule inet filter input ip frag-off & 0x1fff != 0 counter drop
add rule inet filter input ip6 nexthdr ipv6-frag drop
# IP spoofing drop
add rule inet filter input ip saddr 10.0.0.0/8 counter drop
add rule inet filter input ip saddr 172.16.0.0/12 counter drop
add rule inet filter input ip saddr 169.254.0.0/16 counter drop
add rule inet filter input ip saddr 192.0.2.0/24 counter drop
add rule inet filter input ip daddr 255.255.255.255 counter drop
# ICMPv6 accept
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10/minute accept
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type destination-unreachable accept
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type packet-too-big accept
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type time-exceeded accept
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type parameter-problem accept
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type nd-router-advert accept
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type nd-neighbor-solicit accept
add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type nd-neighbor-advert accept
# ICMPv4 accept
add rule inet filter input ip protocol icmp icmp type echo-request limit rate 10/minute accept
add rule inet filter input ip protocol icmp icmp type destination-unreachable accept
add rule inet filter input ip protocol icmp icmp type router-advertisement accept
add rule inet filter input ip protocol icmp icmp type time-exceeded accept
add rule inet filter input ip protocol icmp icmp type parameter-problem accept
# SSH accept. To enable it, remove the leading "#" from the next line.
#add rule inet filter input tcp dport ssh limit rate 10/minute accept
# Established connections
add rule inet filter input ct state established,related accept
add rule inet filter input ct state invalid drop
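The real pre-flight check for a file like this is "nft -c -f nft.sh", which parses the ruleset without loading it. As an added example that is not part of the original post, the small Python linter below catches the two mistakes that come up around this script before nft is even involved: a base chain hooked at a hook other than the one its name suggests (the earlier version of the script attached "forward" and "output" to the input hook), and a chain line with an unclosed brace (the "unexpected end of file" error reported in the comments). The sample ruleset embedded in it is constructed for the example and deliberately contains the hook mistake; "lint_ruleset" is a hypothetical helper name, not an nft tool.

```python
import re

# Constructed sample: the chain definitions from the post, with the hook
# mistake the original version had (forward/output hooked at "input").
SAMPLE_RULESET = """#!/usr/sbin/nft -f
flush ruleset
add table inet filter
add chain inet filter input {type filter hook input priority 0;policy drop;}
add chain inet filter forward {type filter hook input priority 0;policy drop;}
add chain inet filter output {type filter hook input priority 0;policy accept;}
add rule inet filter input iif lo accept
"""

# "add chain <family> <table> <name> { ... }" on a single line
CHAIN_RE = re.compile(
    r"^add chain (?P<family>\S+) (?P<table>\S+) (?P<name>[^\s{]+)\s*\{(?P<body>.*)\}\s*$"
)
HOOK_RE = re.compile(r"\bhook\s+(?P<hook>\w+)")
POLICY_RE = re.compile(r"\bpolicy\s+(?P<policy>\w+)")


def lint_ruleset(text):
    """Return a list of (line_no, message) findings for an `nft -f` script.

    Checks: nft shebang on line 1, a `flush ruleset` so re-running does not
    append duplicate rules, balanced braces per line, base-chain hook name
    matching the chain name, no hook claimed twice in one table, and an
    explicit policy on every base chain.
    """
    findings = []
    lines = text.splitlines()
    if not lines or not lines[0].startswith("#!") or "nft" not in lines[0]:
        findings.append((1, "first line is not an nft shebang; "
                            "executing the file would hand it to the shell"))
    if "flush ruleset" not in (l.strip() for l in lines):
        findings.append((1, "no 'flush ruleset'; re-running appends duplicate rules"))
    seen_hooks = {}  # (family, table, hook) -> chain name
    for n, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.count("{") != stripped.count("}"):
            findings.append((n, "unbalanced braces on this line"))
            continue
        m = CHAIN_RE.match(stripped)
        if m is None:
            continue
        body = m.group("body")
        hook = HOOK_RE.search(body)
        if hook is None:
            continue  # regular chain (no hook): nothing more to check
        hook_name = hook.group("hook")
        chain = m.group("name")
        if hook_name != chain:
            findings.append((n, f"chain '{chain}' is attached to hook '{hook_name}'"))
        key = (m.group("family"), m.group("table"), hook_name)
        if key in seen_hooks:
            findings.append((n, f"hook '{hook_name}' already used by chain "
                                f"'{seen_hooks[key]}' in the same table"))
        else:
            seen_hooks[key] = chain
        if POLICY_RE.search(body) is None:
            findings.append((n, f"base chain '{chain}' has no explicit policy "
                                "(nft defaults to accept)"))
    return findings


if __name__ == "__main__":
    for line_no, msg in lint_ruleset(SAMPLE_RULESET):
        print(f"line {line_no}: {msg}")
```

Run it against a real file with "lint_ruleset(open('nft.sh').read())" and then let "nft -c -f nft.sh" have the final say; the linter only looks at the one-line chain syntax used in this post, not multi-line "table { ... }" blocks.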
Hello, first time commenting.
When I ran the code in this article as a script on Ubuntu 18.04 LTS, I got a syntax error.
If you know how to solve it, could you let me know?
Error: syntax error, unexpected end of file
add chain inet filter input {type filter hook input priority 0
^
Error: syntax error, unexpected end of file
add chain inet filter forward {type filter hook input priority 0
^
Error: syntax error, unexpected end of file
add chain inet filter output {type filter hook input priority 0
^
./nft.sh: 11: ./nft.sh: policy: not found
./nft.sh: 20: ./nft.sh: 0x1fff: not found
Error: syntax error, unexpected newline
add rule inet filter input ip frag-off
^
Hi.
I haven't tried it on Ubuntu, so I'm not sure, but judging from the error messages,
the "line breaks" look like the cause. Aren't the top three errors caused by a missing
"}"? Nftables has a lot of new parts, so it is worth experimenting by trial and error.