Debian 11 (bullseye) nftables 使用
Debian 11 (bullseye) 默认使用 iptables-nft 取代传统的 iptables:`iptables` 命令只是一个兼容层,最终生成并生效的仍然是 nftables 规则。这里直接卸载 iptables,改用 nftables 做常规配置。注意:如果是通过 SSH 远程操作,请先准备好一份放行 SSH 的 nftables 配置再执行下面的步骤,否则可能把自己锁在外面。
卸载iptables
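# Keep a copy of the live iptables rules before anything is purged:
# "apt remove --purge iptables-persistent" deletes /etc/iptables/rules.v4|v6,
# and the copy can later be converted with iptables-restore-translate.
# Run via "sh -c" because with "sudo cmd > file" the redirection is performed
# by the unprivileged shell, not by the privileged command.
sudo sh -c 'iptables-save > /root/iptables-rules.bak'
# iptables-persistent installs the "netfilter-persistent" unit - there is no
# "iptables-persistent.service", and Debian ships no "iptables.service" either.
# Disabling it is what stops the old rules from being reloaded at boot.
sudo systemctl disable --now netfilter-persistent
# Removing the packages does NOT touch rules already loaded in the kernel:
# they stay active until "nft flush ruleset" or a reboot. Review the list of
# packages apt proposes to remove before confirming - others may depend on
# iptables (e.g. ufw, docker.io).
sudo apt remove --purge iptables iptables-persistent
sudo apt autoremove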
安装nftables工具
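# Refresh the package index and install nftables; "&&" ensures the install
# is not attempted against a stale index when the update fails.
sudo apt update && sudo apt install nftables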
启用并启动 nftables
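# The unit applies /etc/nftables.conf immediately (ExecStart runs nft -f on
# it), so syntax-check the file first - a typo would leave the host with
# whatever partial ruleset was loaded before the error.
sudo nft -c -f /etc/nftables.conf
sudo systemctl enable --now nftables
# Confirm what is actually loaded in the kernel.
sudo nft list ruleset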
简单配置nftables
允许所有流量通过
/etc/nftables.conf
#!/usr/sbin/nft -f
# Permissive baseline: nothing is filtered. A base chain without a policy
# defaults to accept; the policy is spelled out here so the intent is visible.
# NOTE: "flush ruleset" also removes tables created by other tools on the host.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
作为网关(Gateway)
允许流量转发需要开启内核转发功能(修改 /etc/sysctl.conf 后执行 `sudo sysctl --system` 或 `sudo sysctl -p` 使其生效,否则要到下次重启才起作用)
/etc/sysctl.conf
# Enable packet forwarding so this host can route between its interfaces.
# Apply with "sudo sysctl --system" (or "sudo sysctl -p") after editing;
# otherwise the values only take effect at the next boot.
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
# NOTE: with forwarding enabled the kernel considers itself an IPv6 router and
# stops accepting Router Advertisements (accept_ra=1 semantics). If the WAN
# interface gets its address via SLAAC, also set accept_ra=2 on it, e.g.
# net.ipv6.conf.enp11s0.accept_ra = 2
/etc/nftables.conf
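#!/usr/sbin/nft -f
# Gateway: LAN on $LAN, Internet on $WAN. Change the two defines to match the
# host; every rule below references them instead of literal interface names.
define LAN = "vlan1"
define WAN = "enp11s0"

# Start from an empty ruleset so that re-applying this file (nft -f, or
# systemctl reload nftables) replaces the rules instead of appending a second
# copy of every rule. NOTE: this also removes tables created by other tools.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Drop what conntrack cannot classify before accepting established flows.
        ct state invalid drop
        ct state established,related accept
        iif lo accept

        # ICMP/ICMPv6 are needed for PMTUD, neighbour discovery, etc.
        # "meta l4proto" also matches ICMPv6 behind IPv6 extension headers,
        # which "ip6 nexthdr icmpv6" (the immediate next header only) misses.
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH. Everything arriving from the LAN is accepted further down, so in
        # practice this rule exposes SSH on the WAN side. If remote management
        # is not required, restrict it: "iif $LAN tcp dport 22 accept".
        tcp dport 22 accept

        # The gateway trusts its LAN completely.
        iif $LAN accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid drop
        ct state established,related accept

        # LAN -> WAN. An inet table covers IPv4 and IPv6 with a single rule,
        # so no per-family duplicate is needed. WAN -> LAN new connections
        # fall through to the drop policy.
        iif $LAN oif $WAN accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# IPv4 source NAT for everything leaving the WAN interface.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $WAN masquerade
    }
}

# IPv6 source NAT, kept from the original setup. IPv6 normally does not need
# NAT (LAN hosts get global addresses, e.g. via prefix delegation); remove
# this table if that is the case here.
table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority 0;
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oif $WAN masquerade
    }
}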
单臂路由
/etc/nftables.conf
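#!/usr/sbin/nft -f
# Router-on-a-stick: a single interface ($WAN) carries traffic in and out.
# This ruleset performs NO filtering: every base chain is "policy accept", so
# the explicit accept rules below are redundant (kept as the place to add
# restrictions). Every service listening on this host is reachable from
# every network attached to the interface.
define WAN = "eth0"

# Flush existing rules so re-applying the file does not append duplicates.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif $WAN accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Hairpin forwarding: packets enter and leave on the same interface.
        iif $WAN oif $WAN accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Applies to every packet leaving the interface - including traffic
        # forwarded between hosts on the attached networks, which therefore
        # appears to come from this router's own address.
        oif $WAN masquerade
    }
}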
作为防火墙
只允许特定服务端口(ssh, http, https等)
/etc/nftables.conf
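#!/usr/sbin/nft -f
# Host firewall: drop inbound by default and allow only the listed services.
#
# Sources allowed to reach the file-sharing services (SMB, NFS). RFC 1918 /
# ULA + link-local by default - narrow these to the actual LAN prefixes.
define LAN_NET  = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
define LAN_NET6 = { fc00::/7, fe80::/10 }

# Start from an empty ruleset so re-applying this file replaces the rules
# instead of appending duplicates.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Drop what conntrack cannot classify before accepting established flows.
        ct state invalid drop
        ct state established,related accept
        iif lo accept

        # ICMP/ICMPv6 (PMTUD, neighbour discovery). "meta l4proto" also matches
        # ICMPv6 behind extension headers, which "ip6 nexthdr icmpv6" misses.
        meta l4proto { icmp, ipv6-icmp } accept

        # SSH from anywhere; consider rate-limiting new connections or
        # restricting the source if the host is Internet-facing.
        tcp dport 22 accept

        # HTTP and HTTPS
        tcp dport { 80, 443 } accept

        # Custom TCP range 2400-2500 (service not identified in the original).
        tcp dport 2400-2500 accept

        # Samba (NetBIOS and SMB), IPv4 only as before. Payload matches are
        # written "udp dport" / "tcp dport" - a bare "dport" after
        # "ip protocol udp" is not a documented nft form. SMB must never be
        # reachable from the Internet, hence the source restriction.
        ip saddr $LAN_NET udp dport { 137, 138 } accept
        ip saddr $LAN_NET tcp dport { 139, 445 } accept

        # NFS. Port 2049 alone is sufficient for NFSv4 only; NFSv3 additionally
        # needs rpcbind (111) and the mountd/lockd ports. Restricted to the LAN.
        ip saddr $LAN_NET tcp dport 2049 accept
        ip saddr $LAN_NET udp dport 2049 accept
        ip6 saddr $LAN_NET6 tcp dport 2049 accept
        ip6 saddr $LAN_NET6 udp dport 2049 accept

        # DHCP (IPv4) and DHCPv6
        meta nfproto ipv4 udp dport { 67, 68 } accept
        meta nfproto ipv6 udp dport { 546, 547 } accept

        # DNS, IPv4 only as before. If this host runs a recursive resolver,
        # restrict these to $LAN_NET to avoid operating an open resolver
        # (amplification abuse).
        meta nfproto ipv4 udp dport 53 accept
        meta nfproto ipv4 tcp dport 53 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}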
常用命令
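# Apply the configuration: syntax-check first (-c loads nothing), then load.
# Only idempotent if the file starts with "flush ruleset"; otherwise every
# nft -f appends a second copy of each rule. "systemctl reload nftables"
# runs the same nft -f and keeps the unit's state in sync.
sudo nft -c -f /etc/nftables.conf
sudo nft -f /etc/nftables.conf
# Show the whole ruleset; -a also prints rule handles (needed for delete/replace)
sudo nft -a list ruleset
# Show all sets
sudo nft list sets
# Show all tables / chains
sudo nft list tables
sudo nft list chains
# Remove every rule and table (including those created by other tools)
sudo nft flush ruleset
# Show one table
sudo nft list table inet filter
# Show one chain with rule handles. nft has no "list rule" subcommand - rules
# are shown as part of their chain, with handles when -a is given.
sudo nft -a list chain inet filter input
# Create / delete a table (the configs on this page use the inet family)
sudo nft add table inet filter
sudo nft delete table inet filter
# Append / delete / replace / insert a rule. "delete" and "replace" need the
# handle printed by "list -a"; the handle is given right after the chain
# name, before the rule body.
sudo nft add rule inet filter input tcp dport 22 accept
sudo nft delete rule inet filter input handle 1
sudo nft replace rule inet filter input handle 1 tcp dport 22 accept
sudo nft add rule inet filter input handle 1 tcp dport 80 accept      # append after handle 1
sudo nft insert rule inet filter input handle 1 tcp dport 80 accept   # insert before handle 1
# Save the live ruleset. "sudo nft list ruleset > file" fails with permission
# denied because the redirection is done by the unprivileged shell, not by
# nft. Prepend the shebang and "flush ruleset" so the saved file can be
# re-applied cleanly by the nftables unit.
{ printf '#!/usr/sbin/nft -f\nflush ruleset\n'; sudo nft list ruleset; } | sudo tee /etc/nftables.conf >/dev/null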