1. Simple firewall
2. Typical workstation (separate IPv4 and IPv6)
3. Editing rules
4. Disable iptables and ip6tables, enable nftables
5. More links
Arch Linux enables IPv6 by default, so the firewall must cover IPv6 as well.
iptables: (iptables, ip6tables); nftables: (nft's ip and ip6 address families, or the inet address family).
A graphical front end that supports both nftables and iptables is firewalld:
https://wiki.archlinux.org/title/Firewalld
1. Simple firewall
nftables ships with a simple and secure firewall configuration stored in /etc/nftables.conf.
The rules are loaded from this file when nftables.service is started.
The current ruleset can be printed with:
$ sudo nft list ruleset
Looking at the file: one filter table of type inet (IPv4/IPv6) containing three chains; the input chain holds six rules...
$ cat /etc/nftables.conf
table inet filter {
    chain input {
        1 accept established and related packets
        2 drop invalid packets
        3 accept the lo loopback interface
        4 accept icmp
        5 accept ssh
        6 reject everything else
    }
    chain forward { drop forwarded traffic }
    chain output { accept }
}
2. Typical workstation (separate IPv4 and IPv6)
https://wiki.gentoo.org/wiki/Nftables/Examples#Typical_workstation_.28separate_IPv4_and_IPv6.29
/etc/nftables.rules
#!/bin/nft -f
flush ruleset

# ----- IPv4 -----
table ip filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}

# ----- IPv6 -----
table ip6 filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
Compared with the configuration that ships with nftables, this one adds a rule: drop connections to loopback not coming from loopback.
It also includes counters, and IPv4 and IPv6 are configured separately, so the packets filtered by each can be inspected individually.
To use it, copy the contents directly into the configuration file /etc/nftables.conf, then restart nftables.service to load the new configuration.
$ sudo nft list ruleset
Combined inet table
https://wiki.gentoo.org/wiki/Nftables/Examples#Typical_workstation_.28combined_IPv4_and_IPv6.29
/etc/nftables.rules
#!/bin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept all connections related to connections made by us"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
        ip protocol icmp counter accept comment "accept all ICMP types"
        ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
        tcp dport 22 counter accept comment "accept SSH"
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter comment "count dropped packets"
    }
    # If you're not counting packets, this chain can be omitted.
    chain output {
        type filter hook output priority 0; policy accept;
        counter comment "count accepted packets"
    }
}
3. Editing rules
Ordinary users who do not need ssh can delete the corresponding line. To open additional ports, add lines following the same pattern; after editing and saving the file, restart the service.
Alternatively, edit the rules with the nft command...
Adding a rule
$ sudo nft add rule family_type table_name chain_name handle handle_value statement
The rule is appended after handle_value, which is optional. If it is not specified, the rule is appended to the end of the chain.
Inserting a rule
$ sudo nft insert rule family_type table_name chain_name handle handle_value statement
The rule is inserted before handle_value. If handle_value is not specified, the rule is inserted at the beginning of the chain.
Deleting a rule
A single rule can only be deleted by its handle. Use nft --handle list to determine the rule's handle; the --handle switch tells nft to include handles in its output.
The following determines the rule's handle and then deletes it. The --numeric argument is useful for seeing some output in numeric form (for example unresolved IP addresses).
$ sudo nft --handle --numeric list ruleset
$ sudo nft delete rule inet my_table my_input handle 10
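As an added example (not part of the original post), a small Python script that parses a constructed `nft --handle list ruleset` listing, modelled on the combined inet table above, and builds the `nft delete rule` command from a rule's comment; the handles and counter values in the sample are made up. It also covers the catch that the Gentoo ruleset gives two rules the same comment, so a comment alone is not a safe key for deletion.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the format of `nft --handle list ruleset`; handles and counters are made up.
SAMPLE_LISTING = """\
table inet filter { # handle 1
    chain input { # handle 1
        type filter hook input priority filter; policy drop;
        ct state invalid counter packets 3 bytes 180 drop comment "early drop of invalid packets" # handle 4
        iif "lo" accept comment "accept loopback" # handle 5
        iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback" # handle 6
        iif != "lo" ip6 daddr ::1 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback" # handle 7
        tcp dport 22 counter packets 5 bytes 300 accept comment "accept SSH" # handle 8
        counter packets 17 bytes 1020 comment "count dropped packets" # handle 9
    }
}
"""

Rule = NamedTuple("Rule", [("family", str), ("table", str), ("chain", str), ("text", str), ("handle", int)])
TABLE_RE = re.compile(r"^table (\S+) (\S+) \{")
CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
RULE_RE = re.compile(r"^\s*(.*\S) # handle (\d+)$")  # rule text, then its handle
COMMENT_RE = re.compile(r'comment "([^"]*)"')

def parse_rules(listing: str) -> List[Rule]:
    """Collect every rule in the listing together with its family, table, chain and handle."""
    rules, family, table, chain = [], None, None, None
    for line in listing.splitlines():
        if m := TABLE_RE.match(line):
            family, table, chain = m.group(1), m.group(2), None
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif line.strip() == "}":
            chain = None  # a closing brace ends the current chain (or the table)
        elif chain and (m := RULE_RE.match(line)):  # 'type ... policy' lines carry no handle
            rules.append(Rule(family, table, chain, m.group(1), int(m.group(2))))
    return rules

def rules_with_comment(rules: List[Rule], comment: str) -> List[Rule]:
    """All rules whose comment is exactly `comment`; several rules may share one."""
    return [r for r in rules if (m := COMMENT_RE.search(r.text)) and m.group(1) == comment]

def delete_command(rules: List[Rule], comment: str) -> str:
    """Build `nft delete rule ...` for the single rule carrying `comment`. Refuses when the comment
    is absent or shared (as the two loopback rules are): the operator must then pick the handle."""
    matches = rules_with_comment(rules, comment)
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} rules carry comment {comment!r}; delete by handle")
    r = matches[0]
    return f"nft delete rule {r.family} {r.table} {r.chain} handle {r.handle}"
```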
Atomic reloading
Flush the current ruleset:
$ sudo echo "flush ruleset" > /tmp/nftables
Dump the current ruleset:
$ sudo nft -s list ruleset >> /tmp/nftables
Now you can edit /tmp/nftables and apply your changes with:
$ sudo nft -f /tmp/nftables
ADDRESS FAMILIES (family_type)
A simple firewall only needs the first three address families (ip and ip6, or inet).
- ip: IPv4 address family. This is the default family and is used if no family is specified.
- ip6: IPv6 address family.
- inet: Internet (IPv4/IPv6) address family.
- arp: ARP address family, handling IPv4 ARP packets.
- bridge: Bridge address family, handling packets which traverse a bridge device.
- netdev: Netdev address family, handling packets from ingress.
4. Disable iptables and ip6tables, enable nftables
$ sudo systemctl disable iptables.service
Removed /etc/systemd/system/multi-user.target.wants/iptables.service.
$ sudo systemctl disable ip6tables.service
Removed /etc/systemd/system/multi-user.target.wants/ip6tables.service.
$ sudo systemctl enable nftables.service
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.
5. More links
https://wiki.archlinux.org/title/Nftables
https://wiki.gentoo.org/wiki/Nftables
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Simple_IP.2FIPv6_Firewall
https://szosoft.blogspot.com/2019/05/linux-nftables.html
https://www.cnblogs.com/sztom/p/10947111.html
https://wiki.archlinux.org/title/Nftables#Simple_firewall
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
https://kernelnewbies.org/nftables_examples
https://wiki.gentoo.org/wiki/Nftables/Examples
sztom
osoft@qq.com
CC-BY-NC-SA