使用nftables

Contents

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes
apt-get install nftables 安装
systemctl enable nftables 自动启动
应该开始习惯利用nftable来作为系统防火墙，从主机防护开始

cat nftables.conf 
#!/usr/sbin/nft -f

flush ruleset

define sh_gateway = 2.2.2.2
define test = 1.1.1.1
define allowips={$sh_gateway, $test}

table firewall {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        icmp type echo-request accept
        tcp dport {22,443} accept
        ip saddr $allowips accept
        counter drop
    }
}

table ip6 firewall {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established, related accept
        ct state invalid drop
        iifname lo accept
		ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit,  nd-router-advert, nd-neighbor-advert } accept
        tcp dport {ssh} accept
        counter drop
    }
}

记

每一天都是新的开始

使用nftables