https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
apt-get install nftables    # install
systemctl enable nftables   # start automatically at boot
It is time to get used to nftables as the system firewall, starting with protecting the host itself.
cat nftables.conf

```
#!/usr/sbin/nft -f

# start from an empty ruleset so re-running this file is idempotent
flush ruleset

define sh_gateway = 2.2.2.2
define test = 1.1.1.1
# hosts allowed to reach any port on this machine
define allowips = { $sh_gateway, $test }

# IPv4 host firewall (family defaults to ip): drop everything inbound except what is listed
table firewall {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        icmp type echo-request accept
        tcp dport { 22, 443 } accept
        ip saddr $allowips accept
        # count what reaches the end of the chain before the policy drops it
        counter drop
    }
}

# IPv6 host firewall: neighbour discovery must stay open or the host loses IPv6 connectivity
table ip6 firewall {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        iifname lo accept
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        tcp dport { ssh } accept
        counter drop
    }
}
```
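Added pre-load check, not part of the original post: a `policy drop` input chain locks the administrator out if it forgets loopback, established/related state or the SSH port, so this script lints a ruleset file for those three rules before it is loaded over SSH. The sample ruleset is constructed from the page's IPv4 rules; the check is a line-based heuristic, not a full nft parser.

```python
"""Pre-load lint for a host firewall whose input chain is `policy drop`: confirm it
still accepts loopback, established/related state and SSH. Heuristic, not a parser."""
import re

# Constructed sample built from the page's IPv4 rules, one rule per line.
SAFE_RULESET = """
table firewall {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport {22,443} accept
        counter drop
    }
}
"""

# Rules a drop-policy input chain needs so an admin connected over SSH is not locked out.
REQUIRED = {
    "loopback": re.compile(r'\b(?:iif|iifname)\s+"?lo"?\s+accept'),
    "conntrack": re.compile(r"ct state [^\n]*established[^\n]*accept"),
    "ssh": re.compile(r"tcp dport\s+(?:\{[^}]*\b(?:22|ssh)\b[^}]*\}|(?:22|ssh)\b)\s+accept"),
}

def input_chains(ruleset):
    """Return the text of each chain hooked on input, delimited by brace counting."""
    chains, lines, i = [], ruleset.splitlines(), 0
    while i < len(lines):
        if re.match(r"\s*chain\s+\S+\s*\{", lines[i]):
            depth, start = 0, i
            while i < len(lines):  # advance past the line holding the chain's closing brace
                depth += lines[i].count("{") - lines[i].count("}")
                i += 1
                if depth == 0:
                    break
            text = "\n".join(lines[start:i])
            if "hook input" in text:
                chains.append(text)
        else:
            i += 1
    return chains

def lockout_risks(ruleset):
    """Return (chain header, missing rule) pairs for every drop-policy input chain."""
    risks = []
    for chain in (c for c in input_chains(ruleset) if "policy drop" in c):
        header = chain.splitlines()[0].strip()
        risks.extend((header, name) for name, rx in REQUIRED.items() if not rx.search(chain))
    return risks
```

Run it against the real file with `lockout_risks(open("nftables.conf").read())` and refuse to load while the list is non-empty.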