Nftables on boboboker~ https://mxtaooo.github.io/blog/tags/nftables/ Recent content in Nftables on boboboker~ Hugo -- gohugo.io zh-cn all rights reserved. Mon, 22 Dec 2025 16:00:00 +0800 nftables网络配置 https://mxtaooo.github.io/blog/posts/snippet/nftables-config/ Wed, 10 Dec 2025 00:00:00 +0800 https://mxtaooo.github.io/blog/posts/snippet/nftables-config/ <p>Debian某些版本默认的网络/防火墙规则管理组件,此处简要记录配置操作。</p> <p>规则配置文件一般位于<code>/etc/nftables.conf</code>,样例如下:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span><span class="lnt">32 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">#!/usr/sbin/nft -f </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"># 清空现有规则 </span></span><span class="line"><span class="cl">flush ruleset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">table inet filter { </span></span><span class="line"><span class="cl"> chain input { </span></span><span class="line"><span class="cl"> type filter hook input priority filter; </span></span><span class="line"><span class="cl"> # 允许本机连接 </span></span><span class="line"><span class="cl"> iifname lo accept </span></span><span class="line"><span class="cl"> # 允许已建立和关联的入站连接 </span></span><span class="line"><span class="cl"> ct state established,related accept </span></span><span class="line"><span class="cl"> # 允许ICMP协议请求入站,频率上限每秒一次 </span></span><span class="line"><span class="cl"> ip protocol icmp limit rate 1/second accept </span></span><span class="line"><span class="cl"> # 允许指定端口入站 </span></span><span class="line"><span class="cl"> tcp dport {22,80,443} accept </span></span><span class="line"><span class="cl"> # 允许指定协议入站 </span></span><span class="line"><span class="cl"> tcp dport {ssh,http,https} accept </span></span><span class="line"><span class="cl"> # 丢弃其他入站 </span></span><span class="line"><span class="cl"> drop </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> chain forward { </span></span><span class="line"><span class="cl"> type filter hook forward priority filter; </span></span><span class="line"><span class="cl"> # 丢弃转发流量 </span></span><span class="line"><span class="cl"> drop </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl"> chain output { </span></span><span class="line"><span class="cl"> type filter hook output priority filter; </span></span><span class="line"><span class="cl"> # 放行出站连接 </span></span><span class="line"><span class="cl"> accept </span></span><span class="line"><span class="cl"> } </span></span><span class="line"><span class="cl">} </span></span></code></pre></td></tr></table> </div> </div><p>相关操作命令</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 校验配置文件</span> </span></span><span class="line"><span class="cl">sudo nft -c -f /etc/nftables.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 加载配置文件</span> </span></span><span class="line"><span class="cl">sudo nft -f /etc/nftables.conf </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 检查规则生效情况</span> </span></span><span class="line"><span class="cl">sudo nft list ruleset </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 服务启动&amp;配置自启</span> </span></span><span class="line"><span class="cl">sudo systemctl start nftables </span></span><span class="line"><span class="cl">sudo systemctl <span class="nb">enable</span> nftables </span></span></code></pre></td></tr></table> </div> </div>