* Grammar in a bash script
@ 2020-08-17  5:55 Mario V Guenzi
  2020-08-17  8:56 ` Pablo Neira Ayuso
  2020-09-25 12:01 ` Mario Vittorio Guenzi
  0 siblings, 2 replies; 12+ messages in thread
From: Mario V Guenzi @ 2020-08-17  5:55 UTC (permalink / raw)
  To: Netfilter list



Good morning everyone,
Does it make sense to use this kind of grammar in a bash script?

$NFT add table inet firewall
$NFT add table inet nat
$NFT add table netdev noddos

$NFT add chain inet firewall INPUT { type filter hook input priority 0 \; }
$NFT add chain inet firewall OUTPUT { type filter hook output priority 0 \; }
$NFT add chain inet firewall FORWARD { type filter hook forward priority 0 \; }
$NFT add chain inet firewall IPS { type filter hook forward priority 10 \; }
$NFT add chain inet firewall POSTROUTING { type filter hook postrouting priority 0 \; }
$NFT add chain inet firewall SYN-FLOOD { type filter hook input priority 0 \; }
$NFT -- add chain inet nat PREROUTING { type nat hook prerouting priority -100 \; }
$NFT add chain inet nat OUTPUT { type nat hook output priority 0 \; }
$NFT add chain inet nat POSTROUTING { type nat hook postrouting priority 100 \; }
$NFT -- add chain netdev noddos ingress { type filter hook ingress device $EXTIF priority -500 \; }

my rules
my rules
my rules
.
.
.
$NFT add chain inet firewall INPUT { type filter hook input priority 0 \; policy drop \; }
$NFT add chain inet firewall OUTPUT { type filter hook output priority 0 \; policy drop \; }
$NFT add chain inet firewall FORWARD { type filter hook forward priority 0 \; policy drop \; }
$NFT -- add chain inet nat PREROUTING { type nat hook prerouting priority -100 \; policy drop \; }
$NFT add chain inet nat OUTPUT { type nat hook output priority 0 \; policy drop \; }

The reasoning I have followed, and for which I ask confirmation, is:
after having given permission to what I need, I deny everything as a policy.

Thanks in advance to those who want to answer me.




* Re: Grammar in a bash script
  2020-08-17  5:55 Grammar in a bash script Mario V Guenzi
@ 2020-08-17  8:56 ` Pablo Neira Ayuso
  2020-08-18  5:12   ` Mario V Guenzi
  2020-09-25 12:01 ` Mario Vittorio Guenzi
  1 sibling, 1 reply; 12+ messages in thread
From: Pablo Neira Ayuso @ 2020-08-17  8:56 UTC (permalink / raw)
  To: Mario V Guenzi; +Cc: Netfilter list

Hi,

On Mon, Aug 17, 2020 at 07:55:32AM +0200, Mario V Guenzi wrote:
> Good morning everyone,
> Does it make sense to use this kind of grammar in a bash script?

Please don't do bash scripting; use native scripting for nftables
instead. Bash scripting breaks atomicity when applying the ruleset.

You have to remove $NFT from your example below and use 'nft -f ruleset.nft'.

> $NFT add table inet firewall
> $NFT add table inet nat
> $NFT add table netdev noddos
> 
> $NFT add chain inet firewall INPUT { type filter hook input priority 0 \;  }
> $NFT add chain inet firewall OUTPUT { type filter hook output priority 0
> \; }
> $NFT add chain inet firewall FORWARD { type filter hook forward priority
> 0 \; }
> $NFT add chain inet firewall IPS { type filter hook forward priority 10 \; }
> $NFT add chain inet firewall POSTROUTING { type filter hook postrouting
> priority 0 \; }
> $NFT add chain inet firewall SYN-FLOOD { type filter hook input priority
> 0 \; }
> $NFT -- add chain inet  nat PREROUTING { type nat hook prerouting
> priority -100 \; }
> $NFT add chain inet nat OUTPUT { type nat hook output priority 0 \; }
> $NFT add chain inet nat POSTROUTING { type nat hook postrouting priority
> 100 \; }
> $NFT -- add chain netdev noddos ingress { type filter hook ingress
> device $EXTIF priority -500 \; }
> 
> my rules
> my rules
> my rules
> .
> .
> .
> $NFT add chain inet firewall INPUT { type filter hook input priority 0
> \; policy drop \; }
> $NFT add chain inet firewall OUTPUT { type filter hook output priority 0
> \; policy drop \; }
> $NFT add chain inet firewall FORWARD { type filter hook forward priority
> 0 \; policy drop \; }
> $NFT -- add chain inet  nat PREROUTING { type nat hook prerouting
> priority -100 \; policy drop \;  }
> $NFT add chain inet nat OUTPUT { type nat hook output priority 0
> \;policy drop \;  }
> 
> The reasoning that I have done and of which I ask for confirmation is,
> after having given permission to what I need, I deny everything as a policy

You can set the default policy to drop when defining the chain (in the
same go); no need to call it twice. My suggestion for your ruleset is
to place this in ruleset.nft:

add table inet firewall
add table inet nat
add table netdev noddos

add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
...

my rules
my rules
my rules


* Re: Grammar in a bash script
  2020-08-17  8:56 ` Pablo Neira Ayuso
@ 2020-08-18  5:12   ` Mario V Guenzi
  2020-08-18 10:04     ` A L
                       ` (2 more replies)
  0 siblings, 3 replies; 12+ messages in thread
From: Mario V Guenzi @ 2020-08-18  5:12 UTC (permalink / raw)
  To: Netfilter list



On 17/08/20 10:56, Pablo Neira Ayuso wrote:
> Hi,

> You can set the default policy to drop when defining the chain (in the
> same go); no need to call it twice. My suggestion for your ruleset is
> to place this in ruleset.nft:
> 
> add table inet firewall
> add table inet nat
> add table netdev noddos
> 
> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
> ...
> 
> my rules
> my rules
> my rules
> 

First of all, many thanks.
Another question, given your kindness:
can I use bash only to define my variables, e.g.
EXTIF="eth0"
LAN="192.168.2.0/24"
etc., use the variables so defined when writing the rules.nft file as per your
example, and then put
nft -f /path/rules.nft in my bash script?
As usual, I apologize for my terrible English.




* Re: Grammar in a bash script
  2020-08-18  5:12   ` Mario V Guenzi
@ 2020-08-18 10:04     ` A L
  2020-08-18 10:11     ` Pablo Neira Ayuso
  2020-08-18 10:32     ` Reindl Harald
  2 siblings, 0 replies; 12+ messages in thread
From: A L @ 2020-08-18 10:04 UTC (permalink / raw)
  To: Mario V Guenzi, Netfilter list

Hi,

I'm not using nft yet myself, but I do use bash scripting with iptables. What I do is that the bash script generates an iptables-save file which it submits at the end. This way I think it is atomic. Shouldn't it be possible to do the same with nft?

Regards

---- From: Mario V Guenzi <jclark@tiscali.it> -- Sent: 2020-08-18 - 07:12 ----

> On 17/08/20 10:56, Pablo Neira Ayuso wrote:
>> Hi,
> 
>> You can set the default policy to drop when defining the chain (in the
>> same go); no need to call it twice. My suggestion for your ruleset is
>> to place this in ruleset.nft:
>> 
>> add table inet firewall
>> add table inet nat
>> add table netdev noddos
>> 
>> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
>> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
>> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
>> ...
>> 
>> my rules
>> my rules
>> my rules
>> 
> 
> First of all, many thanks.
> Another question, given your kindness:
> can I use bash only to define my variables, e.g.
> EXTIF="eth0"
> LAN="192.168.2.0/24"
> etc., use the variables so defined when writing the rules.nft file as per your
> example, and then put
> nft -f /path/rules.nft in my bash script?
> As usual, I apologize for my terrible English.
> 




* Re: Grammar in a bash script
  2020-08-18  5:12   ` Mario V Guenzi
  2020-08-18 10:04     ` A L
@ 2020-08-18 10:11     ` Pablo Neira Ayuso
  2020-08-18 10:28       ` Mario Vittorio Guenzi
  2020-08-18 10:32     ` Reindl Harald
  2 siblings, 1 reply; 12+ messages in thread
From: Pablo Neira Ayuso @ 2020-08-18 10:11 UTC (permalink / raw)
  To: Mario V Guenzi; +Cc: Netfilter list

On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote:
> On 17/08/20 10:56, Pablo Neira Ayuso wrote:
> > Hi,
> 
> > You can set the default policy to drop when defining the chain (in the
> > same go); no need to call it twice. My suggestion for your ruleset is
> > to place this in ruleset.nft:
> > 
> > add table inet firewall
> > add table inet nat
> > add table netdev noddos
> > 
> > add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
> > add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
> > add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
> > ...
> > 
> > my rules
> > my rules
> > my rules
> > 
> 
> First of all, many thanks.
> Another question, given your kindness:
> can I use bash only to define my variables, e.g.
> EXTIF="eth0"
> LAN="192.168.2.0/24"
> etc., use the variables so defined when writing the rules.nft file as per your
> example, and then put
> nft -f /path/rules.nft in my bash script?

You can define variables in nftables, e.g.

  define EXTIF = "eth0"

  add rule inet firewall INPUT iifname $EXTIF accept


* Re: Grammar in a bash script
  2020-08-18 10:11     ` Pablo Neira Ayuso
@ 2020-08-18 10:28       ` Mario Vittorio Guenzi
  2020-08-19  7:55         ` Pablo Neira Ayuso
  0 siblings, 1 reply; 12+ messages in thread
From: Mario Vittorio Guenzi @ 2020-08-18 10:28 UTC (permalink / raw)
  To: Netfilter list





On 18/08/20 12:11, Pablo Neira Ayuso wrote:
> On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote:
>> On 17/08/20 10:56, Pablo Neira Ayuso wrote:
>>> Hi,
>>
>>> You can set the default policy to drop when defining the chain (in the
>>> same go); no need to call it twice. My suggestion for your ruleset is
>>> to place this in ruleset.nft:
>>>
>>> add table inet firewall
>>> add table inet nat
>>> add table netdev noddos
>>>
>>> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
>>> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
>>> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
>>> ...
>>>
>>> my rules
>>> my rules
>>> my rules
>>>
>>
>> First of all, many thanks.
>> Another question, given your kindness:
>> can I use bash only to define my variables, e.g.
>> EXTIF="eth0"
>> LAN="192.168.2.0/24"
>> etc., use the variables so defined when writing the rules.nft file as per your
>> example, and then put
>> nft -f /path/rules.nft in my bash script?
> 
> You can define variables in nftables, e.g.
> 
>   define EXTIF = "eth0"
> 
>   add rule inet firewall INPUT iifname $EXTIF accept
> 
Again, thank you.
Yes, I have read about it, but for my convenience I take the IPs with a
command, and I do not believe that nft can execute one.
These are my variables; you can see how I take the IP from eth:

NFT="$(whereis -b nft | cut -d ' ' -f 2)"
EXTIF="eth0"   ## world interface
INTIF="eth1"   ## lan interface
VPNIF="eth0:0"
LO="lo"
LO_IP="127.0.0.1"
LAN="192.168.2.0/23"  # our lan
BCAST="192.168.3.255"
EXTIP="$(ifconfig "$EXTIF" | awk '$1 == "inet" { print $2 }')"
INTIP="$(ifconfig "$INTIF" | awk '$1 == "inet" { print $2 }')"
VPNIP="$(ifconfig "$VPNIF" | awk '$1 == "inet" { print $2 }')"
CHIMERA="192.168.2.224"
GRECALE="192.168.2.251"
PERSEO="192.168.2.240"
STROMBOLI="192.168.2.232"
RESERVED_NET="0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 10.0.0.0/8, \
100.64.0.0/10, 127.0.0.0/16, 169.254.0.0/16, 172.16.0.0/12, \
192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, \
198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/5"
GOOD_BOYS="2.233.119.3, 88.149.179.177, 81.208.25.146, 82.85.80.100"



-- 

Mario Vittorio Guenzi
E-mail jclark@tiscali.it
Si vis pacem, para bellum




* Re: Grammar in a bash script
  2020-08-18  5:12   ` Mario V Guenzi
  2020-08-18 10:04     ` A L
  2020-08-18 10:11     ` Pablo Neira Ayuso
@ 2020-08-18 10:32     ` Reindl Harald
  2020-08-18 10:41       ` Mario Vittorio Guenzi
  2 siblings, 1 reply; 12+ messages in thread
From: Reindl Harald @ 2020-08-18 10:32 UTC (permalink / raw)
  To: Mario V Guenzi, Netfilter list



On 18.08.20 at 07:12, Mario V Guenzi wrote:
> First of all, many thanks.
> Another question, given your kindness:
> can I use bash only to define my variables, e.g.
> EXTIF="eth0"
> LAN="192.168.2.0/24"
> etc., use the variables so defined when writing the rules.nft file as per your
> example, and then put
> nft -f /path/rules.nft in my bash script?

Surely.

How would nft know whether you wrote "rules.nft" by hand or from a
script? I've been doing the same with generated bash scripts for years.


* Re: Grammar in a bash script
  2020-08-18 10:32     ` Reindl Harald
@ 2020-08-18 10:41       ` Mario Vittorio Guenzi
  0 siblings, 0 replies; 12+ messages in thread
From: Mario Vittorio Guenzi @ 2020-08-18 10:41 UTC (permalink / raw)
  To: Netfilter list





On 18/08/20 12:32, Reindl Harald wrote:
> Surely.
> 
> How would nft know whether you wrote "rules.nft" by hand or from a
> script? I've been doing the same with generated bash scripts for years.
OK, many thanks.
-- 

Mario Vittorio Guenzi
E-mail jclark@tiscali.it
Si vis pacem, para bellum




* Re: Grammar in a bash script
  2020-08-18 10:28       ` Mario Vittorio Guenzi
@ 2020-08-19  7:55         ` Pablo Neira Ayuso
  0 siblings, 0 replies; 12+ messages in thread
From: Pablo Neira Ayuso @ 2020-08-19  7:55 UTC (permalink / raw)
  To: Mario Vittorio Guenzi; +Cc: Netfilter list

On Tue, Aug 18, 2020 at 12:28:04PM +0200, Mario Vittorio Guenzi wrote:
> 
> 
> On 18/08/20 12:11, Pablo Neira Ayuso wrote:
> > On Tue, Aug 18, 2020 at 07:12:38AM +0200, Mario V Guenzi wrote:
> >> On 17/08/20 10:56, Pablo Neira Ayuso wrote:
> >>> Hi,
> >>
> >>> You can set the default policy to drop when defining the chain (in the
> >>> same go); no need to call it twice. My suggestion for your ruleset is
> >>> to place this in ruleset.nft:
> >>>
> >>> add table inet firewall
> >>> add table inet nat
> >>> add table netdev noddos
> >>>
> >>> add chain inet firewall INPUT { type filter hook input priority 0; policy drop; }
> >>> add chain inet firewall OUTPUT { type filter hook output priority 0; policy drop; }
> >>> add chain inet firewall FORWARD { type filter hook forward priority 0; policy drop; }
> >>> ...
> >>>
> >>> my rules
> >>> my rules
> >>> my rules
> >>>
> >>
> >> First of all, many thanks.
> >> Another question, given your kindness:
> >> can I use bash only to define my variables, e.g.
> >> EXTIF="eth0"
> >> LAN="192.168.2.0/24"
> >> etc., use the variables so defined when writing the rules.nft file as per your
> >> example, and then put
> >> nft -f /path/rules.nft in my bash script?
> > 
> > You can define variables in nftables, e.g.
> > 
> >   define EXTIF = "eth0"
> > 
> >   add rule inet firewall INPUT iifname $EXTIF accept
> > 
> Again, thank you.
> Yes, I have read about it, but for my convenience I take the IPs with a
> command, and I do not believe that nft can execute one.
> These are my variables; you can see how I take the IP from eth:
> 
> NFT="$(whereis -b nft | cut -d ' ' -f 2)"
> EXTIF="eth0"   ## world interface
> INTIF="eth1"   ## lan interface
> VPNIF="eth0:0"
> LO="lo"
> LO_IP="127.0.0.1"
> LAN="192.168.2.0/23"  # our lan
> BCAST="192.168.3.255"
> EXTIP="$(ifconfig "$EXTIF" | awk '$1 == "inet" { print $2 }')"
> INTIP="$(ifconfig "$INTIF" | awk '$1 == "inet" { print $2 }')"
> VPNIP="$(ifconfig "$VPNIF" | awk '$1 == "inet" { print $2 }')"
> CHIMERA="192.168.2.224"
> GRECALE="192.168.2.251"
> PERSEO="192.168.2.240"
> STROMBOLI="192.168.2.232"
> RESERVED_NET="0.0.0.0/8, 1.0.0.0/8, 2.0.0.0/8, 10.0.0.0/8, \
> 100.64.0.0/10, 127.0.0.0/16, 169.254.0.0/16, 172.16.0.0/12, \
> 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 198.18.0.0/15, \
> 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/5"
> GOOD_BOYS="2.233.119.3, 88.149.179.177, 81.208.25.146, 82.85.80.100"

I suggest:

1) Add these variables to vars.nft, generate vars.nft via script as it
   was suggested.

2) From ruleset.nft, use:

        include "vars.nft"

to include your autogenerated variable definitions, so you can keep
your variables and your ruleset in separate files.

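Putting Pablo's three suggestions together (policy set when the chain is defined, the values that need a shell command resolved by the script into vars.nft, and `include` plus a single `nft -f` load), here is an added example; it is not code from the thread or from the nftables project. The table and chain names (inet firewall INPUT/FORWARD), the variable names EXTIF, EXTIP, LAN and RESERVED_NET, and the 192.168.2.0/24 LAN come from the thread. The `ip -4 -o addr show` sample output, the 203.0.113.0/24 addresses and the /etc/nftables.d directory are constructed for the demonstration, and the ifconfig|awk pipeline is replaced by `ip -4 -o addr show`, which prints the address in a one-line form that is easier to parse.

```bash
#!/bin/bash
# Added example (not code from the thread): resolve in bash the values that
# need a command, write them to vars.nft as nft 'define's, and load the whole
# ruleset with one 'nft -f' so the replacement is atomic.
# Constructed/assumed: the 'ip -4 -o addr show' sample below, the
# 203.0.113.0/24 addresses and the /etc/nftables.d directory.

# First IPv4 address of interface $1 (prefix length stripped), read from
# 'ip -4 -o addr show' output on stdin. Fields: idx, ifname, "inet", addr/len.
ipv4_of() {
    awk -v ifname="$1" \
        '$2 == ifname && $3 == "inet" { sub(/\/.*/, "", $4); print $4; exit }'
}

# Contents of vars.nft. nft cannot run commands itself, so every value that
# comes from one is computed here and only the result is written.
# $1 = external interface, $2 = its IPv4 address, $3 = LAN prefix.
render_vars() {
    local nets=(0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
                172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 192.168.0.0/16
                198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 224.0.0.0/4
                240.0.0.0/4)
    local joined
    joined=$(IFS=,; printf '%s' "${nets[*]}")
    printf 'define EXTIF = "%s"\n' "$1"
    printf 'define EXTIP = %s\n' "$2"
    printf 'define LAN = %s\n' "$3"
    # Reserved/bogon prefixes as an nft set literal, usable directly in a rule.
    printf 'define RESERVED_NET = { %s }\n' "${joined//,/, }"
}

# Contents of ruleset.nft. 'flush ruleset' and the new definitions are one
# transaction under 'nft -f', so there is never a half-applied firewall.
# $1 = absolute path of vars.nft (absolute so the include search path is
# irrelevant).
render_ruleset() {
    cat <<EOF
flush ruleset
include "$1"

table inet firewall {
    chain INPUT {
        # policy set when the chain is defined, no second 'add chain' needed
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname \$EXTIF ip saddr \$RESERVED_NET drop
        tcp dport 22 accept
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname != \$EXTIF ip saddr \$LAN oifname \$EXTIF accept
    }
}
EOF
}

# Write both files into $1 for external interface $2 and LAN $3, check the
# complete ruleset with 'nft -c -f', then load it. Needs root and nft.
build_and_load() {
    local dir="$1" extif="$2" lan="$3" extip
    extip=$(ip -4 -o addr show dev "$extif" | ipv4_of "$extif")
    [ -n "$extip" ] || { echo "no IPv4 address on $extif" >&2; return 1; }
    mkdir -p "$dir"
    render_vars "$extif" "$extip" "$lan" > "$dir/vars.nft"
    render_ruleset "$dir/vars.nft" > "$dir/ruleset.nft"
    nft -c -f "$dir/ruleset.nft" && nft -f "$dir/ruleset.nft"
}

# Constructed 'ip -4 -o addr show' output (203.0.113.10 is a TEST-NET-3
# address chosen for the demonstration).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth0\       valid_lft forever preferred_lft forever
3: eth1    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth1\       valid_lft forever preferred_lft forever'

if [ "${1:-}" = "--apply" ]; then
    build_and_load /etc/nftables.d eth0 192.168.2.0/24
else
    # Dry run: print what would be written, using the constructed sample.
    render_vars eth0 "$(printf '%s\n' "$SAMPLE_IP_OUTPUT" | ipv4_of eth0)" 192.168.2.0/24
    echo '--- ruleset.nft ---'
    render_ruleset /etc/nftables.d/vars.nft
fi
```

Run without arguments to see both generated files; `--apply` as root writes them and loads them. `nft -c -f` parses the complete file first, so a typo in vars.nft is reported before anything changes, and because `flush ruleset` sits in the same file as the new definitions, the old rules and the new ones are swapped in one transaction, which is the property Pablo says the per-command bash approach loses.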

* Re: Grammar in a bash script
  2020-08-17  5:55 Grammar in a bash script Mario V Guenzi
  2020-08-17  8:56 ` Pablo Neira Ayuso
@ 2020-09-25 12:01 ` Mario Vittorio Guenzi
  1 sibling, 0 replies; 12+ messages in thread
From: Mario Vittorio Guenzi @ 2020-09-25 12:01 UTC (permalink / raw)
  To: Netfilter list





On 17/08/20 07:55, Mario V Guenzi wrote:
> Good morning everyone,
> Does it make sense to use this kind of grammar in a bash script?
> 


Thanks everyone for your invaluable help.
I solved it by doing as you suggested, and the bash script only serves
to launch external nftables files.
Thanks again





-- 

Mario Vittorio Guenzi
E-mail jclark@tiscali.it
Si vis pacem, para bellum




* Re: Grammar in a bash script
  2020-08-17  8:09 Mario V Guenzi
@ 2020-08-17  8:42 ` Reindl Harald
  0 siblings, 0 replies; 12+ messages in thread
From: Reindl Harald @ 2020-08-17  8:42 UTC (permalink / raw)
  To: Mario V Guenzi, Netfilter list; +Cc: david



On 17.08.20 at 10:09, Mario V Guenzi wrote:
> On 17/08/20 09:58, david@hajes.org wrote:
>> Standard firewall strategy - policy DROP all and allow only what you really need.
> Yes, but if I put drop as the default policy it doesn't even let me access
> via ssh; that's why I was forced not to set a policy and then drop with
> the rules, and for this reason, once finished, I wanted to close it further.
> Sorry for my poor English.

Your script first sets a default drop policy and then opens the ports
which should be open, including SSH:

* deny policy
* est/related allow
* ports to allow

Doing otherwise leaves a time window in which you accept unwanted
connections, which then land in conntrack and stay open because their
packets belong to an existing connection.

Below is how iptables scripts have looked for decades, and no, you don't lose
your SSH session when you execute it, because of how TCP works with re-transmits.

---------------------------------

#!/bin/bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p all -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p all -j DROP


* Re: Grammar in a bash script
@ 2020-08-17  8:09 Mario V Guenzi
  2020-08-17  8:42 ` Reindl Harald
  0 siblings, 1 reply; 12+ messages in thread
From: Mario V Guenzi @ 2020-08-17  8:09 UTC (permalink / raw)
  To: Netfilter list; +Cc: david



On 17/08/20 09:58, david@hajes.org wrote:
> Standard firewall strategy - policy DROP all and allow only what you really need.
Yes, but if I put drop as the default policy it doesn't even let me access
via ssh; that's why I was forced not to set a policy and then drop with
the rules, and for this reason, once finished, I wanted to close it further.
Sorry for my poor English.



