[Linux Firewall] A quick start with nftables


Debian 11 ships nftables, the Netfilter project's successor to iptables (written by the same team). One tool and one syntax replace iptables, ip6tables, arptables and ebtables; a rule file is applied atomically as a single transaction, and sets and maps are built in, so large rulesets stay short and fast. On a new host it should be used instead of iptables.

官方 Wiki:https://wiki.nftables.org

A short record of the steps I use to enable a basic nftables ruleset:

1. mkdir /etc/nftables
2. vim /etc/nftables/default.nft

#!/usr/sbin/nft -f

flush ruleset

table ip default {

  chain input {

    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established, related accept

    # ping
    icmp type echo-request limit rate 500/second accept

    # SSH
    tcp dport 22 accept

    # Nginx
    #tcp dport {80, 443} accept
  }

  chain forward {

    type filter hook forward priority 0; policy drop;

    ct status dnat accept
  }
}

table ip6 default {

  chain input {

    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established, related accept

    icmpv6 type {nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert} accept

    # ping
    icmpv6 type echo-request limit rate 500/second accept
  }

  chain forward {

    type filter hook forward priority 0; policy drop;

    ct status dnat accept
  }
}

3. vim /etc/nftables.conf (replace the sample file Debian ships there; the nftables service loads exactly this file)

include "/etc/nftables/default.nft"

4. nft -c -f /etc/nftables.conf (parse-only check; a syntax error here never touches the live ruleset)
5. systemctl enable --now nftables
6. After later edits: systemctl reload nftables (the Debian unit re-runs nft -f on the file; because the file starts with flush ruleset, the old and new rules are swapped in one transaction, with no window in which the host is unprotected)
7. If it fails, systemctl status nftables and journalctl -u nftables show the offending line, and nft list ruleset shows what is actually loaded. Keep the current SSH session open while testing: with an input chain whose policy is drop, a typo in the SSH rule locks you out of the next session.
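For comparison, the same policy written as a single inet table. This is an added example, not the file from this post. Keeping IPv4 and IPv6 in one table stops them drifting apart (in the two-table file above SSH is only opened in the ip table, so an SSH login to the host's IPv6 address is dropped), the ICMPv6 list also carries the error messages that path-MTU discovery depends on, new SSH connections are metered per source address, and a sample of dropped packets is logged. The set names, the threshold of 10 new connections per minute and the log prefix are my own choices and not from the post.

```nft
#!/usr/sbin/nft -f
# Added example: one "inet" table instead of separate ip and ip6 tables.
# Assumptions (not from the post): SSH on port 22, the meter threshold of
# 10 new connections per source per minute, the set names, the log prefix.

flush ruleset

table inet filter {
    # Per-source meters for new SSH connections; an entry expires after a minute
    set ssh_meter4 {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65535
    }
    set ssh_meter6 {
        type ipv6_addr
        flags dynamic
        timeout 1m
        size 65535
    }

    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state { established, related } accept

        # IPv4 ping, rate limited as in the original file
        icmp type echo-request limit rate 500/second accept

        # IPv6 does not work without neighbour discovery, and the error
        # messages (packet-too-big above all) are what path MTU discovery needs
        icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit,
                      nd-neighbor-advert, destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem } accept
        icmpv6 type echo-request limit rate 500/second accept

        # SSH over IPv4 and IPv6 alike. A source that opens more than 10 new
        # connections within a minute is dropped until its meter entry expires.
        tcp dport 22 ct state new add @ssh_meter4 { ip saddr limit rate over 10/minute } drop
        tcp dport 22 ct state new add @ssh_meter6 { ip6 saddr limit rate over 10/minute } drop
        tcp dport 22 accept

        # Nginx
        # tcp dport { 80, 443 } accept

        # Everything else falls through to the drop policy; log a sample first
        # so that scans and misconfigured clients show up in the journal
        limit rate 5/minute log prefix "nft-input-drop: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct status dnat accept
    }
}
```

The named priority `filter` is the same as the `0` used above. A meter that drops on `limit rate over` and then falls through to a plain `accept` fails open when the set is full (the `add` no longer matches), so `size` is set well above the number of distinct sources expected; watch `nft list set inet filter ssh_meter4` under load. The log rule carries no verdict, so the packet still reaches the chain policy and is dropped.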

8. Port forwarding example

table ip default {

  chain input {

    type filter hook input priority 0; policy drop;

    iif lo accept
    ct state established, related accept

    # ping
    icmp type echo-request limit rate 500/second accept

    # SSH
    tcp dport 22 accept
  }

  chain forward {

    type filter hook forward priority 0; policy drop;

    ct status dnat accept
  }

  chain prerouting {

    type nat hook prerouting priority -100; policy accept;

    iif eth0 tcp dport 443 dnat to <destination-ip>:<port>
  }

  chain postrouting {

    type nat hook postrouting priority 100; policy accept;

    masquerade
  }
}
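An added example (not the post's file) that fills in the placeholder: TCP 443 arriving on eth0 is forwarded to a backend at 192.0.2.10:8443. The interface name, address and port are assumed placeholders to replace with your own. Compared with the fragment above, the forward chain lets only that one flow and its replies through, and the source rewrite is limited to it instead of masquerading every forwarded packet.

```nft
#!/usr/sbin/nft -f
# Added example: forward TCP 443 from the WAN interface to one backend socket.
# Assumed placeholders: interface eth0, backend 192.0.2.10, backend port 8443.
# nftables only rewrites packets; the kernel must also be allowed to route them:
#   sysctl -w net.ipv4.ip_forward=1   (persist it in /etc/sysctl.d/)

flush ruleset

define wan = eth0

table ip default {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        ct state invalid drop
        ct state { established, related } accept
        icmp type echo-request limit rate 500/second accept
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies of already accepted flows, in both directions
        ct state { established, related } accept
        # Only the DNATed flow may start through this host: it arrives on the
        # WAN side, has already been rewritten by prerouting, and goes to
        # exactly the backend socket
        iif $wan ct status dnat ct state new ip daddr 192.0.2.10 tcp dport 8443 accept
    }

    chain prerouting {
        # "dstnat" is the named form of the priority -100 used above
        type nat hook prerouting priority dstnat; policy accept;

        iif $wan tcp dport 443 dnat to 192.0.2.10:8443
    }

    chain postrouting {
        # "srcnat" is the named form of the priority 100 used above
        type nat hook postrouting priority srcnat; policy accept;

        # Source rewrite for the forwarded flow only. The bare "masquerade" in
        # the original applies to everything that is forwarded, so any flow
        # added to the forward chain later is silently NATed as well.
        ip daddr 192.0.2.10 tcp dport 8443 masquerade
    }
}
```

Two consequences worth knowing before copying this. DNAT runs before routing and before the input chain, so once this rule is loaded the host's own port 443 is no longer reachable from eth0, whatever the input chain allows. And masquerade makes the backend see the firewall's address rather than the client's, so the backend's logs lose the real source; if the backend's route back to clients already passes through this host, the masquerade rule can be dropped and the original source address kept. Check the file with nft -c -f before loading it, and use nft list ruleset afterwards to confirm the counters move on the rules you expect.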

Done.

Reader comments:

nftables is the best! Handy and powerful. Bump from 主机资讯.
