Differences

linux_router:nftables_control [2020-04-24 Fri wk17 21:52] – created baumkplinux_router:nftables_control [2023-04-30 Sun wk17 17:43] (current) – external edit 127.0.0.1
Line 1: Line 1:
 +{{tag>linux nft nftables nmap}}
 + =====NFTables IP Control=====
 +I primarily set this feature up to act as a form of parental control on my home internet access.  
  
-=====NFTables IP Control===== +====Disable Range of IP addresses, with count-down timer==== 
-I primarily set this feature up to act as a form of parental control on my home internet access.  The DHCP assigned addresses in the range 100 - 254 were to be disabled (dropped) in the evening. The addresses below 100 were assigned a specific IP address in the DHCP based upon  MAC. +The DHCP assigned addresses in the range 100 - 254 were to be disabled (dropped) in the evening. The addresses below 100 were assigned a specific IP address in the DHCP based upon  MAC. 
  
 I added a [[https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets|NFtables named set]] with ipV4 address and timeout function: I added a [[https://wiki.nftables.org/wiki-nftables/index.php/Sets#Named_sets|NFtables named set]] with ipV4 address and timeout function:
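Review bot: the moved description still carries a doubled space in "based upon  MAC" and "ipV4" should read "IPv4"; since the named set is keyed on addresses in the 100-254 DHCP range, this paragraph would also be the place to state that the control assumes clients keep the address the DHCP server hands them.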
Line 198: Line 201:
      chain postrouting {       chain postrouting { 
          type nat hook postrouting priority 0; policy accept;           type nat hook postrouting priority 0; policy accept; 
 +         
 +         # Allow internal clients to correctly see external address "hairpin dnat" 
          ip saddr 192.168.1.0/24 ip daddr $http_server tcp dport {http, https} counter snat $router_ip4          ip saddr 192.168.1.0/24 ip daddr $http_server tcp dport {http, https} counter snat $router_ip4
          ip saddr 192.168.1.0/24 ip daddr $mail_server tcp dport {http, https, pop3s, imaps, smtp} counter snat $router_ip4          ip saddr 192.168.1.0/24 ip daddr $mail_server tcp dport {http, https, pop3s, imaps, smtp} counter snat $router_ip4
 +         
          oifname $wan counter masquerade           oifname $wan counter masquerade 
          oifname $modem counter masquerade                 oifname $modem counter masquerade       
          #oifname {$wan, tun0} masquerade          #oifname {$wan, tun0} masquerade
-         # Allow internal clients to correctly see external address "hairpin dnat"          +             
-#         ip saddr 192.168.1.0/24 ip daddr $http_server tcp dport {http, https} counter snat $router_ip4 +
-#         ip saddr 192.168.1.0/24 ip daddr $mail_server tcp dport {http, https, pop3s, imaps, smtp} counter snat $router_ip4 +
-                 +
          # For Static IP address use SNAT instead of masquerade          # For Static IP address use SNAT instead of masquerade
          # ip saddr 192.168.1.0/24 oif $wan snat $wan_ip4          # ip saddr 192.168.1.0/24 oif $wan snat $wan_ip4
-         #oifname $modem snat 192.168.2.2+         # oifname $modem snat 192.168.2.2
          # oifname $modem masquerade           # oifname $modem masquerade 
          # where the snat address is the external router fix IP address.          # where the snat address is the external router fix IP address.
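Review bot: the comment placed above the two newly active rules says "hairpin dnat", but these rules are the SNAT half of the hairpin (rewriting the LAN source to $router_ip4 so the server's reply returns through the router); label them as such and note that the matching DNAT rule in the prerouting chain must also be present for hairpinning to work. Also, with `oifname $modem counter masquerade` now active a few lines above, the commented `# oifname $modem masquerade` is a leftover and can be removed.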
Line 272: Line 275:
 ''crontab'' is finicky! crontab does not necessary use BASH and the full path to the command must be given for reliable performance. Further to this cron error messages are sent to the system mail server, so if this is not setup or otherwise not working the error message go nowhere.   Systemd has a service to redirect output of cron jobs to systemd's journal: ''/usr/bin/systemd-cat -t controllist'', again the full path is given.  The command path can be found using ''which'', e.g. ''which nft'' In any case the final crontab command entry would look like: ''/usr/bin/systemd-cat -t controllist /home/baumkp/controllist.sh'', remembering everything after the 5th space is passed to the system shell command interpreter. ''crontab'' is finicky! crontab does not necessary use BASH and the full path to the command must be given for reliable performance. Further to this cron error messages are sent to the system mail server, so if this is not setup or otherwise not working the error message go nowhere.   Systemd has a service to redirect output of cron jobs to systemd's journal: ''/usr/bin/systemd-cat -t controllist'', again the full path is given.  The command path can be found using ''which'', e.g. ''which nft'' In any case the final crontab command entry would look like: ''/usr/bin/systemd-cat -t controllist /home/baumkp/controllist.sh'', remembering everything after the 5th space is passed to the system shell command interpreter.
  
-Some other tools: +++++ example: ''sudo crontab -e''
-  *''sudo nmap -sP 192.168.1.0/24''+<code> 
 +# Edit this file to introduce tasks to be run by cron.  
 +#   
 +# Each task to run has to be defined through a single line  
 +# indicating with different fields when the task will be run  
 +# and what command to run for the task  
 +#   
 +# To define the time you can provide concrete values for  
 +# minute (m), hour (h), day of month (dom), month (mon),  
 +# and day of week (dow) or use '*' in these fields (for 'any').  
 +#   
 +# Notice that tasks will be started based on the cron's system  
 +# daemon's notion of time and timezones.  
 +#   
 +# Output of the crontab jobs (including errors) is sent through  
 +# email to the user the crontab file belongs to (unless redirected).  
 +#   
 +# For example, you can run a backup of all your user accounts  
 +# at 5 a.m every week with:  
 +# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/  
 +#   
 +# For more information see the manual pages of crontab(5) and cron(8)  
 +#   
 +# m h  dom mon dow   command  
 +# Example of job definition:  
 +# .---------------- minute (0 - 59)  
 +# |  .------------- hour (0 - 23)  
 +# |  |  .---------- day of month (1 - 31)  
 +# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...  
 +# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat,sun  
 +# |  |  |  |  |  
 +# *  *  *  *  *   user-name command to be executed  
 +# 45 23 *  *  *   /usr/bin/systemd-cat -t controllist /home/baumkp/controllist.sh 5h15m  
 +# 30 23 *  *  5-6 /usr/bin/systemd-cat -t controllist /home/baumkp/controllist.sh 5h30m  
 +# 30 22 *  *  0-4 /usr/bin/systemd-cat -t controllist /home/baumkp/controllist.sh 6h30m 
 +</code> ++++ 
 + 
 +The crontab files are stored at ''/var/spool/cron/crontabs/$USER'' You should not edit these files directly, use ''crontab -e'' for current user or ''sudo crontab -e'' for root. 
 + 
 +====Limit Rate on IP Address Range==== 
 +The rate limit command needs to be placed before the other commands that could accept packets before reaching the rate limit command, e.g. ''ct state established, related counter accept'' The following command will add the command at handle 29: 
 +  *''sudo nft add rule inet firewall forward handle 29 iifname ppp1 ip daddr { 192.168.1.100-192.168.1.253 } limit rate 1200kbytes/second burst 4000kbytes counter accept'' 
 +The existing rules with handles displayed can be displayed with:  
 +  *''sudo nft list table inet firewall -a''  
 +The above command will accept packets according to filter that do not exceed 1200kbytes/second with a burst of 9000kbytes. 
 +Another form of syntax would be to drop packets that exceed the limit, this allows the amount of drop packets to be seen with the counter enabled:  
 +  *''sudo nft add rule inet firewall forward handle 29 iifname ppp1 ip daddr { 192.168.1.100-192.168.1.253 } limit rate over 1200kbytes/second burst 4000kbytes counter drop'' 
 + 
 +My internet bandwidth is currently limited to about 25Mbit/s, dividing by 8 give approximate MByte/s, i.e. about 3MB/s or 3000mbytes/s or 3000kbytes/s, hence I limit the kids bandwidth to 1200kbytes/s with an allowed burst of 4000kbytes. 
 +====Some other tools==== 
 +  *''sudo nmap -sn 192.168.1.0/24''
     *''-sP'' lists all IP addresses with any open port (with sudo will also list mac addresses)     *''-sP'' lists all IP addresses with any open port (with sudo will also list mac addresses)
     *''-sL'' lists all IP addresses even not active     *''-sL'' lists all IP addresses even not active
     *''-sT'' lists all IP addresses with all open ports (with sudo will also list mac addresses) Note this can take a long time so better to limit IP address range.     *''-sT'' lists all IP addresses with all open ports (with sudo will also list mac addresses) Note this can take a long time so better to limit IP address range.
-    *''-sn'' Ping scan+    *''-sn'' Ping scan, does not scan for port and is hence much faster (with sudo will also list mac addresses)
  
 ---- ----
  
 <-  linux_router:nftables|Prev page ^ linux_router:start|Start page ^ linux_router:iptables|Next page -> <-  linux_router:nftables|Prev page ^ linux_router:start|Start page ^ linux_router:iptables|Next page ->
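Review bot: in the rate-limit section, `nft add rule ... handle 29` appends the new rule after the rule with handle 29, not before it; if the intent stated in the text is to run the limit ahead of `ct state established, related counter accept`, use `nft insert rule ... handle 29`, which places the rule before that handle. Note too that the `limit rate ... accept` form only throttles if some later rule drops what exceeds the limit, whereas the `limit rate over ... drop` form is self-contained. The prose says "burst of 9000kbytes" while both rules use `burst 4000kbytes`, and "3000mbytes/s" should read "3000kbytes/s". In the crontab example the three `controllist.sh` lines are prefixed with `#`, so pasted as shown they never run, and the `user-name` column in the comment applies to /etc/crontab rather than to a per-user crontab opened with `crontab -e`. Finally, the first nmap sub-bullet still documents `-sP`, the deprecated spelling of `-sn` (host discovery only, no port scan), so it no longer matches the `-sn` command above it.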