|
Debian 11 已自带 nftables。它由 iptables 原团队研发,是新一代的 netfilter 规则解释器/命令行工具,性能更高,语法更直观,建议用它代替 iptables。
官方Wiki:https://wiki.nftables.org
简单记录一下我习惯启用基本 nftables 的步骤:
1. mkdir /etc/nftables
2. vim /etc/nftables/default.nft
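#!/usr/sbin/nft -f
# /etc/nftables/default.nft:基础防火墙规则(IPv4 + IPv6),由 /etc/nftables.conf include 加载。
# 注意:flush ruleset 会清空内核中全部 nftables 表,包括其它程序(如 docker、fail2ban)写入的规则,
# 这类程序需要在 nftables 之后启动或自行重建规则。
flush ruleset
table ip default {
    chain input {
        # 默认丢弃所有入站包,只放行下面显式允许的流量
        type filter hook input priority 0; policy drop;
        iif lo accept
        # 已建立连接及其关联流量(包括与现有连接相关的 ICMP 差错报文)放行
        ct state established, related accept
        # ping,限速以缓解 ICMP flood
        icmp type echo-request limit rate 500/second accept
        # SSH
        tcp dport 22 accept
        # Nginx
        #tcp dport { 80, 443 } accept
    }
    chain forward {
        # 本机不做普通路由转发;只放行经过 DNAT 的流量(配合下面的端口转发示例使用)
        type filter hook forward priority 0; policy drop;
        ct status dnat accept
    }
}
table ip6 default {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established, related accept
        # 邻居发现(NDP)报文必须放行,否则 IPv6 地址解析和路由通告都会失效
        icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # ping
        icmpv6 type echo-request limit rate 500/second accept
        # 注意:这条链没有放行 SSH,通过 IPv6 地址 ssh 到本机会被丢弃;如需要请取消下一行注释
        #tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct status dnat accept
    }
}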
3. vim /etc/nftables.conf
# /etc/nftables.conf 是 nftables.service 加载的主配置;这里只 include,规则本体放在 /etc/nftables/default.nft
include "/etc/nftables/default.nft"
4. systemctl start nftables
5. systemctl enable nftables
6. systemctl restart nftables
7. 如有报错,用 systemctl status nftables 查看错误信息
8. 端口转发示例
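# 端口转发示例(作为 default.nft 的 ip 表使用)。
# 前提:内核需开启转发 net.ipv4.ip_forward=1(sysctl -w 临时生效,写入 /etc/sysctl.d/ 持久化),否则 DNAT 后的包不会被转发。
# 注意:本示例只定义了 ip 表;若用它整体替换上面的 default.nft 而不保留 table ip6 default,
# IPv6 将没有任何过滤规则(全部放行),请按需保留 ip6 表。
table ip default {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established, related accept
        # ping
        icmp type echo-request limit rate 500/second accept
        # SSH
        tcp dport 22 accept
    }
    chain forward {
        # 只转发经过 DNAT 的流量(含其回程包),其余转发一律丢弃
        type filter hook forward priority 0; policy drop;
        ct status dnat accept
    }
    chain prerouting {
        # -100 是 nftables 的标准 dstnat 优先级:在 conntrack(-200)之后、filter(0)之前执行
        type nat hook prerouting priority -100; policy accept;
        # 把从 eth0 进入、目的端口 443 的 TCP 连接转发到 <目标IP>:<目标端口>(请替换为实际地址和端口)
        # 注意:iif 在加载规则时把接口名解析为索引,若当时 eth0 不存在整份规则集都会加载失败;
        # 接口可能变动时可改用 iifname "eth0"(按名称字符串匹配)
        iif eth0 tcp dport 443 dnat to <目标IP>:<目标端口>
    }
    chain postrouting {
        # masquerade 会把所有转发出去的包的源地址改写为出口接口地址,
        # 目标主机看到的来源是本机而不是原始客户端 IP(目标上的访问日志、ACL 需注意这一点)
        type nat hook postrouting priority 100; policy accept;
        masquerade
    }
}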
完。
|