https://www.cnblogs.com/dirgo/p/17628983.html
apt-get install nftables
systemctl restart nftables
systemctl enable nftables
systemctl status nftables
#list the ruleset
nft list ruleset
nft flush ruleset #clear the whole nftables ruleset
| nftables family | iptables command-line tool |
|---|---|
| ip | iptables |
| ip6 | ip6tables |
| inet | iptables and ip6tables |
| arp | arptables |
| bridge | ebtables |

inet applies to both IPv4 and IPv6 packets, i.e. it unifies the ip and ip6 families, which makes rules easier to define; the examples below all use the inet family.
#save the ruleset
nft list ruleset > /etc/nftables.conf
#/etc/nftables.conf already contains the default tables and chains ()
systemctl restart nftables
#create the default policy rules
nft add rule inet filter input tcp dport ssh accept
nft add rule inet filter input tcp dport 9022 accept
nft add rule ip filter input ip protocol icmp accept #allow a protocol
nft add rule ip filter input ip saddr 127.0.0.1 accept #allow a source IP
nft add rule ip filter input ct state related,established accept #allow established/related connections (existing services)
#first create a new default table
#nft add table inet filter
Create a chain to hold the rules
#create the regular chains (default chains)
nft add chain inet filter input
nft add chain inet filter forward
nft add chain inet filter output
#create the default policy rules
nft add rule inet filter my_table_chain tcp dport ssh accept
nft add rule inet filter my_table_chain tcp dport 80 accept
nft add rule inet filter my_table_chain tcp dport 443 accept
nft add rule inet filter my_table_chain tcp dport 9022 accept
Insert (prepend) a rule
nft insert rule inet my_table my_table_chain tcp dport ssh accept
#delete a rule
nft --handle list ruleset #list rules with their handles
Delete a rule by its handle
nft delete rule inet my_table my_table_chain handle 8
Add (append) a rule
nft add rule filter input tcp dport 22 accept
Insert (prepend) a rule
nft insert rule filter input tcp dport 22 accept
Replace a rule in the ruleset (replace addresses the rule by its handle, taken from nft --handle list ruleset; 8 is used here as in the delete example above)
nft replace rule filter input handle 8 tcp dport 22 accept
Delete a rule (delete also addresses the rule by its handle, not by its match expression)
nft delete rule filter input handle 8
nft monitor #watch changes to the nftables ruleset in real time
nft list table filter #list the rules in the given nftables table
nft list chain filter input #list the rules in the given nftables chain
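The commands above add rules one at a time; the following is an added example (not from the original post) that writes the same inet-family policy as a single /etc/nftables.conf style file and syntax-checks it with nft -c. Note that a chain created with a bare `nft add chain inet filter input` has no hook, so rules added to it never see traffic; the base chains here carry an explicit hook and a default policy of drop. Ports match the post (ssh, 80, 443, 9022); the file path and function names are this example's own.

```shell
#!/bin/sh
# Write a complete inet ruleset file. $1 = output path (e.g. /etc/nftables.conf).
write_ruleset() {
  cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        # base chain: hooked into the input path, default policy drop
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state related,established accept
        ct state invalid drop
        meta l4proto { icmp, icmpv6 } accept
        tcp dport { ssh, 80, 443, 9022 } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Parse and validate the file without loading it (nft -c). Returns 0 when nft
# is not installed so the function can still be exercised on a host without it.
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$1"
  else
    echo "nft not installed; skipping syntax check" >&2
    return 0
  fi
}

# Count the rules in the file that accept a given TCP port or service name.
# $1 = ruleset path, $2 = port or service name. Used as a self-check.
count_dport() {
  grep -c "dport .*$2" "$1"
}
```

Load the checked file with `nft -f /etc/nftables.conf` (or `systemctl restart nftables`), then confirm with `nft list ruleset` that the input chain shows `hook input` and `policy drop`.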
apt update
apt install iptables-nft
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT