nftables: настройка самого простого межсетевого экрана
May 05, 2024
Конфигурация по умолчанию
Конфигурация nftables по умолчанию.
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
chain input {
type filter hook input priority 0;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
Список наборов правил.
$ sudo nft list ruleset
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
}
chain forward {
type filter hook forward priority filter; policy accept;
}
chain output {
type filter hook output priority filter; policy accept;
}
}
Самый простой межсетевой экран
#!/usr/sbin/nft -f
flush ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "Accept loopback interface"
ct state established,related counter accept comment "Accept established or related packets"
ct state invalid counter drop comment "Drop invalid packets"
icmp type echo-request counter accept comment "Accept incoming ICMP"
tcp dport 22 counter accept comment "Accept incoming SSH"
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
Список наборов правил.
$ sudo nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "Accept loopback interface"
ct state established,related counter packets 1652 bytes 374440 accept comment "Accept established or related packets"
ct state invalid counter packets 16 bytes 1366 drop comment "Drop invalid packets"
icmp type echo-request counter packets 4 bytes 336 accept comment "Accept incoming ICMP"
tcp dport 22 counter packets 3 bytes 180 accept comment "Accept incoming SSH"
}
chain FORWARD {
type filter hook forward priority filter; policy drop;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
}
Самое простое решение со счетчиками
#!/usr/sbin/nft -f
flush ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter;
iifname "lo" accept comment "Accept loopback interface"
ct state established,related counter accept comment "Accept established or related packets"
ct state invalid counter drop comment "Drop invalid packets"
icmp type echo-request counter accept comment "Accept incoming ICMP"
tcp dport 22 counter accept comment "Accept incoming SSH"
counter drop
}
chain FORWARD {
type filter hook forward priority filter;
counter drop
}
chain OUTPUT {
type filter hook output priority filter;
counter accept
}
}
Список наборов правил.
$ sudo nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
iifname "lo" accept comment "Accept loopback interface"
ct state established,related counter packets 8 bytes 944 accept comment "Accept established or related packets"
ct state invalid counter packets 0 bytes 0 drop comment "Drop invalid packets"
icmp type echo-request counter packets 0 bytes 0 accept comment "Accept incoming ICMP"
tcp dport 22 counter packets 0 bytes 0 accept comment "Accept incoming SSH"
counter packets 0 bytes 0 drop
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 drop
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
counter packets 11 bytes 944 accept
}
}