paulmataruso/osmo-ggsn
1
0
Fork 0
mirror of https://gitea.osmocom.org/cellular-infrastructure/osmo-ggsn.git synced 2025-10-23 08:22:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

doc: Update all iptables references with nftables

Browse Source 
Change-Id: I3caf316e8ccf1d757b83f7a119271084c55e018c
This commit is contained in:
Pau Espin Pedrol
2024-10-24 16:15:22 +02:00
committed by pespin
parent 13d23077d2
commit 2b161df6af
3 changed files with 23 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
doc/examples/firewall
View File

@@ -13,36 +13,36 @@
# to and from the Gn interface.
# * Masquerede on Gi interface.
IPTABLES="/sbin/iptables"
NFT="nft"
IFGN="eth0"
IFGI="eth1"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$NFT add chain ip filter input '{ policy drop; }'
$NFT add chain ip filter forward '{ policy accept; }'
$NFT add chain ip filter output '{ policy accept; }'
#Allow related and established on all interfaces (input)
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$NFT add rule ip filter input ct state related,established counter accept
#Allow releated, established, GTP and ssh on $IFGN. Reject everything else.
$IPTABLES -A INPUT -i $IFGN -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2123 -j ACCEPT
$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 2152 -j ACCEPT
$IPTABLES -A INPUT -i $IFGN -p udp -m udp --dport 3386 -j ACCEPT
$IPTABLES -A INPUT -i $IFGN -j REJECT
$NFT add rule ip filter input iifname $IFGN tcp dport 22 tcp flags syn / fin,syn,rst,ack counter accept
$NFT add rule ip filter input iifname $IFGN udp dport 2123 counter accept
$NFT add rule ip filter input iifname $IFGN udp dport 2152 counter accept
$NFT add rule ip filter input iifname $IFGN udp dport 3386 counter accept
$NFT add rule ip filter input iifname $IFGN counter reject
#Allow related, established and ssh. Drop everything else.
$IPTABLES -A INPUT -i $IFGI -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -i $IFGI -j DROP
$NFT add rule ip filter input iifname $IFGI tcp dport 22 tcp flags syn / fin,syn,rst,ack counter accept
$NFT add rule ip filter input iifname $IFGI counter drop
# Masquerade everything going out on $IFGI
$IPTABLES -t nat -A POSTROUTING -o $IFGI -j MASQUERADE
$NFT add rule ip nat POSTROUTING oifname $IFGI counter masquerade
#Allow everything on loopback interface.
$IPTABLES -A INPUT -i lo -j ACCEPT
$NFT add rule ip filter input iifname "lo" counter accept
# Drop everything to and from $IFGN (forward)
$IPTABLES -A FORWARD -i $IFGN -j DROP
$IPTABLES -A FORWARD -o $IFGN -j DROP
$NFT add rule ip filter forward iifname $IFGN counter drop
$NFT add rule ip filter forward oifname $IFGN counter drop

10
doc/manuals/chapters/mtu.adoc
View File

@@ -150,13 +150,13 @@ account that TCP header can span up to 56 bytes, we'd get to an MSS value of:
MSS = TUNNEL_MTU - IP_HDR - TCP_HDR = 1420 - 60 - 56 = 1304
----
In linux, the MSS of TCP connections can be clamped using iptables:
In linux, the MSS of TCP connections can be clamped using nftables:
----
iptables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN -i apn0 -j TCPMSS --set-mss 1304
iptables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o apn0 -j TCPMSS --set-mss 1304
ip6tables -t nat -A PREROUTING -p tcp --tcp-flags SYN,RST SYN -i apn0 -j TCPMSS --set-mss 1304
ip6tables -t nat -I POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o apn0 -j TCPMSS --set-mss 1304
nft 'add rule ip nat prerouting iifname "apn0" tcp flags syn / syn,rst counter tcp option maxseg size set 1304'
nft 'insert rule ip nat postrouting oifname "apn0" tcp flags syn / syn,rst counter tcp option maxseg size set 1304'
nft 'add rule ip6 nat prerouting iifname "apn0" tcp flags syn / syn,rst counter tcp option maxseg size set 1304'
nft 'insert rule ip6 nat postrouting oifname "apn0" tcp flags syn / syn,rst counter tcp option maxseg size set 1304'
----
==== Further Reading

4
doc/manuals/chapters/running.adoc
View File

@@ -43,14 +43,14 @@ To manually enable IPv4 forwarding and masquerading ad-hoc, you can do:
----
sh -c "echo 1 > /proc/sys/net/ipv4/ip_forward"
iptables -t nat -A POSTROUTING -o '*' -j MASQUERADE
nft 'add rule ip nat postrouting oifname "\*" counter masquerade'
----
(You may want to replace `*` with the network device name, like `-o eth0`)
There are various ways to enable these settings persistently, please refer to
your distribution's documentation -- e.g. look for @net.ipv4.ip_forward=1@ in
@/etc/sysctl.d/@, and https://wiki.debian.org/iptables for masquerading.
@/etc/sysctl.d/@, and https://wiki.debian.org/nftables for masquerading.
include::{srcdir}/chapters/mtu.adoc[]