安全:nftables常用命令之三
一,模块的变化:
centos6:
[lhdop@base2 ~]$ lsmod | grep table
iptable_filter 2793 1
ip_tables 17831 1 iptable_filter
fedora40
[liuhongdi@fedora ~]$ lsmod | grep table
nf_tables 372736 333 nft_ct,nft_reject_inet,nft_fib_ipv6,nft_fib_ipv4,nft_chain_nat,nft_reject,nft_fib,nft_fib_inet
nfnetlink 20480 4 nf_tables,ip_set
可以看到默认加载的模块中,iptables已被nftables替换
二,表、链、规则
1, 表:
table是chains、sets和有状态对象的容器。
可以有多个table,每个table包含多个chain,table的主要参数为协议栈(nftables families)和名称
2,链:
chain是rules的容器。一个table包含多个chain,
3,规则:
chain分基础链(base chain)和规则链(regular chain)
基础链的主要参数有: type、hook、priority和policy,其中除了policy缺省为accept,其他均为强制要求
三,列出一个链下的所有规则:
1,
# inet :地址族
# firewalld: 表名
# filter_IN_FedoraWorkstation_allow: 链名
root@fedora:/etc/firewalld/zones# nft list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
chain filter_IN_FedoraWorkstation_allow {
ip6 daddr fe80::/64 udp dport 546 accept
tcp dport 22 accept
udp dport 137 ct helper set "helper-netbios-ns-udp"
udp dport 137 accept
udp dport 138 accept
ip daddr 224.0.0.251 udp dport 5353 accept
ip6 daddr ff02::fb udp dport 5353 accept
udp dport 1025-65535 accept
tcp dport 1025-65535 accept
}
}
2,显示handle(加 -a 选项)
root@fedora:/etc/firewalld/zones# nft -a list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
chain filter_IN_FedoraWorkstation_allow { # handle 153
ip6 daddr fe80::/64 udp dport 546 accept # handle 157
tcp dport 22 accept # handle 158
udp dport 137 ct helper set "helper-netbios-ns-udp" # handle 160
udp dport 137 accept # handle 161
udp dport 138 accept # handle 162
ip daddr 224.0.0.251 udp dport 5353 accept # handle 163
ip6 daddr ff02::fb udp dport 5353 accept # handle 164
udp dport 1025-65535 accept # handle 165
tcp dport 1025-65535 accept # handle 166
}
}
四,用handle操作规则
1, 用handle删除一条规则
# inet :地址族
# firewalld: 表名
# filter_IN_FedoraWorkstation_allow: 链名
root@fedora:/etc/firewalld/zones# nft delete rule inet firewalld filter_IN_FedoraWorkstation_allow handle 158
删除后查看规则(handle 158 对应的 tcp dport 22 accept 规则已不在列表中):
# inet :地址族
# firewalld: 表名
# filter_IN_FedoraWorkstation_allow: 链名
root@fedora:/etc/firewalld/zones# nft -a list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
chain filter_IN_FedoraWorkstation_allow { # handle 153
ip6 daddr fe80::/64 udp dport 546 accept # handle 157
udp dport 137 ct helper set "helper-netbios-ns-udp" # handle 160
udp dport 137 accept # handle 161
udp dport 138 accept # handle 162
ip daddr 224.0.0.251 udp dport 5353 accept # handle 163
ip6 daddr ff02::fb udp dport 5353 accept # handle 164
udp dport 1025-65535 accept # handle 165
tcp dport 1025-65535 accept # handle 166
}
}
2, 用handle指定position添加一条规则
未添加前查看规则(注意:handle 只在当前加载的规则集中有效,与上面的输出相比这里的 handle 值已不同,操作前应先重新列出):
[root@fedora ~]# nft -a list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
chain filter_IN_FedoraWorkstation_allow { # handle 52
ip6 daddr fe80::/64 udp dport 546 accept # handle 56
tcp dport 22 accept # handle 57
udp dport 137 ct helper set "helper-netbios-ns-udp" # handle 59
udp dport 137 accept # handle 60
udp dport 138 accept # handle 61
ip daddr 224.0.0.251 udp dport 5353 accept # handle 62
ip6 daddr ff02::fb udp dport 5353 accept # handle 63
udp dport 1025-65535 accept # handle 64
tcp dport 1025-65535 accept # handle 65
}
}
添加规则:
# position 61: 指定在handle 61下添加此规则
[root@fedora ~]# nft add rule inet firewalld filter_IN_FedoraWorkstation_allow position 61 tcp dport 8080 accept
添加后查看
[root@fedora ~]# nft -a list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
chain filter_IN_FedoraWorkstation_allow { # handle 52
ip6 daddr fe80::/64 udp dport 546 accept # handle 56
tcp dport 22 accept # handle 57
udp dport 137 ct helper set "helper-netbios-ns-udp" # handle 59
udp dport 137 accept # handle 60
udp dport 138 accept # handle 61
tcp dport 8080 accept # handle 337
ip daddr 224.0.0.251 udp dport 5353 accept # handle 62
ip6 daddr ff02::fb udp dport 5353 accept # handle 63
udp dport 1025-65535 accept # handle 64
tcp dport 1025-65535 accept # handle 65
}
}
3,替换规则
未替换之前:
[root@fedora ~]# nft -a list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
chain filter_IN_FedoraWorkstation_allow { # handle 52
ip6 daddr fe80::/64 udp dport 546 accept # handle 56
tcp dport 22 accept # handle 57
udp dport 137 ct helper set "helper-netbios-ns-udp" # handle 59
udp dport 137 accept # handle 60
udp dport 138 accept # handle 61
tcp dport 8080 accept # handle 337
ip daddr 224.0.0.251 udp dport 5353 accept # handle 62
ip6 daddr ff02::fb udp dport 5353 accept # handle 63
udp dport 1025-65535 accept # handle 64
tcp dport 1025-65535 accept # handle 65
}
}
替换:
# handle 337: 替换handle 337的规则为当前规则
[root@fedora ~]# nft replace rule inet firewalld filter_IN_FedoraWorkstation_allow handle 337 tcp dport 8081 accept
替换之后:
[root@fedora ~]# nft -a list chain inet firewalld filter_IN_FedoraWorkstation_allow
table inet firewalld {
chain filter_IN_FedoraWorkstation_allow { # handle 52
ip6 daddr fe80::/64 udp dport 546 accept # handle 56
tcp dport 22 accept # handle 57
udp dport 137 ct helper set "helper-netbios-ns-udp" # handle 59
udp dport 137 accept # handle 60
udp dport 138 accept # handle 61
tcp dport 8081 accept # handle 337
ip daddr 224.0.0.251 udp dport 5353 accept # handle 62
ip6 daddr ff02::fb udp dport 5353 accept # handle 63
udp dport 1025-65535 accept # handle 64
tcp dport 1025-65535 accept # handle 65
}
}