Firewall: nftables and iptables
Lesson 3 of 6
nftables: The Successor
nftables replaces iptables, ip6tables, arptables and ebtables with a single unified syntax.
# Tables, chains and rules
nft add table inet filter
nft add chain inet filter input { type filter hook input priority 0 \; }
nft add chain inet filter output { type filter hook output priority 0 \; }
nft add chain inet filter forward { type filter hook forward priority 0 \; }
# Input rules (the final unconditional drop catches everything not accepted above)
nft add rule inet filter input iif "lo" accept
nft add rule inet filter input ct state established,related accept
nft add rule inet filter input tcp dport 22 accept
nft add rule inet filter input tcp dport {80,443} accept
nft add rule inet filter input drop
Complete Example
#!/usr/sbin/nft -f
flush ruleset
table inet firewall {
    chain input {
        type filter hook input priority 0; policy drop;
        # Loopback
        iif "lo" accept
        # Established connections
        ct state established,related accept
        # SSH
        tcp dport 22 accept
        # HTTP/HTTPS
        tcp dport {80, 443} accept
        # ICMP (ping)
        ip protocol icmp accept
        # Log and drop everything else
        log prefix "nft-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
Sets and Maps
# Set: list of IP addresses
nft add set inet firewall blacklist { type ipv4_addr \; }
nft add rule inet firewall input ip saddr @blacklist drop
nft add element inet firewall blacklist { 1.2.3.4, 5.6.7.8 }
# Map: verdict per port
nft add map inet firewall porta_acao { type inet_service : verdict \; }
nft add rule inet firewall input tcp dport vmap @porta_acao
nft add element inet firewall porta_acao { 22 : accept, 80 : accept, 443 : accept }
iptables (Legacy)
# Default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Rules
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "DROP: "
iptables -A INPUT -j DROP
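The sets/maps section and the iptables section above describe the same policy in two syntaxes. The following script is an added example (not part of the course material, nftables or iptables): it takes one policy description (allowed TCP ports as a verdict map, a blocklist set, a logged default drop) and renders both the nftables ruleset file and the equivalent legacy iptables commands, so the correspondence between a vmap lookup and one-rule-per-port is visible. The names `Policy`, `render_nft` and `render_iptables` are this example's own.

```python
"""Render one firewall policy as an nftables ruleset and as iptables commands.

Added example, not part of the course material or of nftables/iptables: it
models the policy from the slides (loopback, established/related, an
allow-list of TCP ports expressed as a verdict map, a blocklist set and a
logged default drop) and emits the nftables file and the equivalent legacy
iptables commands from the same description. `Policy`, `render_nft` and
`render_iptables` are names chosen for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Policy:
    table: str = "firewall"                           # nft table name (inet family)
    tcp_verdicts: dict = field(default_factory=dict)  # port -> "accept" | "drop"
    blocklist: list = field(default_factory=list)     # IPv4 addresses or prefixes
    log_prefix: str = "nft-drop: "


def validate(policy):
    """Reject ports outside 1-65535, unknown verdicts and malformed IPv4 entries."""
    for port, verdict in policy.tcp_verdicts.items():
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"bad port {port}")
        if verdict not in ("accept", "drop"):
            raise ValueError(f"bad verdict {verdict!r}")
    for entry in policy.blocklist:
        ipaddress.IPv4Network(entry, strict=False)  # raises ValueError on garbage
    return policy


def render_nft(policy):
    """Return the text of an `nft -f` ruleset file for the policy."""
    p = validate(policy)
    vmap = ", ".join(f"{port} : {v}" for port, v in sorted(p.tcp_verdicts.items()))
    out = ["#!/usr/sbin/nft -f", "flush ruleset", f"table inet {p.table} {{"]
    # Blocklist set: `flags interval` lets elements be prefixes, not only hosts.
    out += ["    set blocklist {", "        type ipv4_addr; flags interval;"]
    if p.blocklist:
        out.append(f"        elements = {{ {', '.join(p.blocklist)} }}")
    out.append("    }")
    # Verdict map: one lookup replaces one rule per port.
    out += ["    map port_verdict {", "        type inet_service : verdict;"]
    if vmap:
        out.append(f"        elements = {{ {vmap} }}")
    out.append("    }")
    out += [
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        '        iif "lo" accept',
        # The blocklist check sits before ct state so that an already-open
        # connection from a blocked source is cut as well.
        "        ip saddr @blocklist drop",
        "        ct state established,related accept",
        "        tcp dport vmap @port_verdict",
        f'        log prefix "{p.log_prefix}" drop',
        "    }",
        "    chain forward { type filter hook forward priority 0; policy drop; }",
        "    chain output { type filter hook output priority 0; policy accept; }",
        "}",
    ]
    return "\n".join(out) + "\n"


def render_iptables(policy):
    """Return the legacy iptables commands that enforce the same policy."""
    p = validate(policy)
    cmds = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
    ]
    cmds += [f"iptables -A INPUT -s {ip} -j DROP" for ip in p.blocklist]
    cmds.append("iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    # iptables has no map type: one rule per port, emitted in port order.
    for port, v in sorted(p.tcp_verdicts.items()):
        cmds.append(f"iptables -A INPUT -p tcp --dport {port} -j {v.upper()}")
    cmds.append(f'iptables -A INPUT -j LOG --log-prefix "{p.log_prefix}"')
    cmds.append("iptables -A INPUT -j DROP")
    return cmds


if __name__ == "__main__":
    demo = Policy(tcp_verdicts={22: "accept", 80: "accept", 443: "accept", 23: "drop"},
                  blocklist=["1.2.3.4", "5.6.7.8"])
    print(render_nft(demo))
    print("\n".join(render_iptables(demo)))
```

Write the nftables output to a file and check it with `nft -c -f <file>` before loading it; the dry run catches syntax errors without touching the live ruleset. The `validate` step rejects out-of-range ports and malformed blocklist entries before anything is rendered, which is the point at which a typo in a port number should fail, not after the ruleset has been loaded.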
Fail2ban: Brute-Force Protection
# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 22
maxretry = 5
bantime = 3600
findtime = 600
# Commands
fail2ban-client status
fail2ban-client status sshd
fail2ban-client set sshd banip 1.2.3.4
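To make the three jail parameters concrete, here is an added example (not fail2ban's code and not part of the course material) that applies the `maxretry = 5`, `findtime = 600`, `bantime = 3600` logic from the `jail.local` above to a few constructed sshd log lines. It shows which address crosses the threshold, when the ban would expire, why a slow trickle of failures stays under `findtime`, and the `nft add element` command that would add the banned address to the blocklist set from the earlier section. The log lines, the `Jail` class and the helper names are this example's own.

```python
"""Simulate a fail2ban sshd jail over constructed auth log lines.

Added example, not fail2ban's own code and not part of the course material.
It implements the maxretry / findtime / bantime decision from jail.local:
a source is banned when `maxretry` failures fall inside a sliding window of
`findtime` seconds, and stays banned for `bantime` seconds. The sample log,
`Jail`, `ban_decisions` and `ban_commands` are names chosen for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the shape of /var/log/auth.log (not a real capture).
# 203.0.113.7 fails five times in four minutes; 198.51.100.9 fails five times
# but spread over 17 minutes, so never five inside one 600 s window.
SAMPLE_LOG = """\
2024-05-01T10:00:01 host sshd[101]: Failed password for root from 203.0.113.7 port 50001 ssh2
2024-05-01T10:01:02 host sshd[102]: Failed password for root from 203.0.113.7 port 50002 ssh2
2024-05-01T10:02:03 host sshd[103]: Failed password for invalid user admin from 203.0.113.7 port 50003 ssh2
2024-05-01T10:02:30 host sshd[104]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
2024-05-01T10:03:04 host sshd[105]: Failed password for root from 203.0.113.7 port 50004 ssh2
2024-05-01T10:04:05 host sshd[106]: Failed password for root from 203.0.113.7 port 50005 ssh2
2024-05-01T10:05:06 host sshd[107]: Failed password for root from 203.0.113.7 port 50006 ssh2
2024-05-01T10:30:00 host sshd[108]: Failed password for root from 198.51.100.9 port 40002 ssh2
2024-05-01T10:31:00 host sshd[109]: Failed password for root from 198.51.100.9 port 40003 ssh2
2024-05-01T10:45:00 host sshd[110]: Failed password for root from 198.51.100.9 port 40004 ssh2
2024-05-01T10:46:00 host sshd[111]: Failed password for root from 198.51.100.9 port 40005 ssh2
2024-05-01T10:47:00 host sshd[112]: Failed password for root from 198.51.100.9 port 40006 ssh2
2024-05-01T11:10:00 host sshd[113]: Failed password for root from 203.0.113.7 port 50007 ssh2
"""

# Matches the two sshd failure forms: a known user and an "invalid user".
FAIL_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


class Jail:
    def __init__(self, maxretry=5, findtime=600, bantime=3600):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> failure timestamps inside the window
        self.banned_until = {}              # ip -> ban expiry

    def observe(self, ts, ip):
        """Record one failure; return the ban expiry if this failure triggers a ban."""
        expiry = self.banned_until.get(ip)
        if expiry and ts < expiry:
            return None  # still banned: the firewall drops it, nothing new to decide
        if expiry:
            del self.banned_until[ip]  # bantime elapsed, start counting afresh
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()  # forget failures older than findtime
        if len(window) >= self.maxretry:
            window.clear()
            self.banned_until[ip] = ts + self.bantime
            return self.banned_until[ip]
        return None


def ban_decisions(log_text, jail=None):
    """Return [(ip, banned_at, banned_until)] for every ban the log triggers."""
    jail = jail or Jail()
    bans = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ts, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        expiry = jail.observe(ts, ip)
        if expiry:
            bans.append((ip, ts, expiry))
    return bans


def ban_commands(bans):
    """The action side: add each banned source to the nft blocklist set."""
    return [f"nft add element inet firewall blacklist {{ {ip} }}" for ip, _, _ in bans]


if __name__ == "__main__":
    for ip, at, until in ban_decisions(SAMPLE_LOG):
        print(f"ban {ip} at {at:%H:%M:%S} until {until:%H:%M:%S}")
    print("\n".join(ban_commands(ban_decisions(SAMPLE_LOG))))
```

Two details worth noticing when tuning a jail: the failure at 10:05:06 from the already-banned address produces no second ban, because the real traffic is being dropped by the firewall at that point, and the failure at 11:10:00 counts again from zero because `bantime` has elapsed. If the slow attacker at 198.51.100.9 is a concern, raising `findtime` (or lowering `maxretry`) is the knob, not `bantime`.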
nftables is the way forward: better performance and a cleaner syntax. iptables still exists for compatibility. Use fail2ban to complement the firewall.