This document by Feng Ge covers configuring nftables, the current-generation Linux firewall: what nftables is, how it differs from iptables, its architecture, planning for production, best practices, security configuration recommendations, basic operations, advanced techniques, ruleset management, a hands-on web-server firewall case, a hands-on NAT case, and troubleshooting. It follows the Red Hat Enterprise Linux 10 official documentation and is intended for Linux operators to learn and test with; anything applied to production must be verified in your own environment first.
Part01-Basic Concepts and Theory
1.1 What nftables is
nftables is the Linux kernel's current packet-filtering framework, designed to replace iptables, ip6tables, arptables and ebtables. It offers a more concise syntax, better performance and more flexible configuration, and a single framework handles IPv4, IPv6, ARP and bridge traffic, which simplifies firewall management. On RHEL 8 and later the iptables command, where still installed, is the iptables-nft compatibility layer and writes nftables rules underneath.
- One framework for several protocol families (ip, ip6, inet, arp, bridge, netdev)
- More concise syntax: one expression grammar instead of per-module options
- Better performance: rules are compiled to bytecode for a small in-kernel virtual machine, and sets are matched with hash or tree lookups instead of one rule per entry
- Atomic, incremental updates: a whole ruleset is replaced in one transaction with nft -f, so there is no window in which the firewall is half-applied
- Built-in sets and maps, so one rule can match thousands of addresses or ports
1.2 nftables vs. iptables
Differences between nftables and iptables:
- Syntax: nftables uses one consistent grammar (match expressions followed by a statement); iptables spreads the same thing across module-specific options (-m state --state, -m multiport --dports, ...)
- Performance: nftables evaluates rules in an in-kernel virtual machine and matches large lists through sets; updates are incremental and atomic, whereas iptables-restore replaces a whole table
- Protocol support: one inet table in nftables carries IPv4 and IPv6 rules together; iptables needs a separate ip6tables ruleset kept in sync by hand
- Configuration: nftables has no predefined tables or chains (you declare them and normally load the whole ruleset from a file); iptables ships fixed tables (filter, nat, mangle, raw) and built-in chains
- Compatibility: iptables-nft accepts the iptables command line and writes nftables rules underneath, and iptables-translate converts existing iptables rules to nft syntax
1.3 nftables architecture
nftables objects, from the outside in:
- Address family: ip, ip6, inet (IPv4 and IPv6 together), arp, bridge or netdev; every table belongs to one family
- Table: a named container for chains, sets, maps and other stateful objects; nothing is created for you
- Chain: a container for rules; a base chain is bound to a netfilter hook (prerouting, input, forward, output, postrouting) with a type (filter, nat, route), a priority (lower values run first) and a default policy, while a regular chain has no hook and is reached only by jump or goto
- Rule: match expressions followed by statements (accept, drop, reject, log, counter, jump, dnat, masquerade, ...), evaluated in order until a verdict is reached
- Set: a collection of elements (addresses, ports, interface names, ...) matched with one lookup; sets can be dynamic and carry timeouts
- Map: a key-to-value lookup; a verdict map (vmap) maps a key directly to a verdict or jump target
Part02-Production Planning and Recommendations
2.1 Planning nftables for production
Planning points for nftables in production:
- Design the table and chain layout up front (one inet filter table, with regular chains per interface or per role if the ruleset grows)
- Define the rules and the sets they reference (administrator addresses, published ports) in one place
- Keep NAT and port forwarding in a separate nat table
- Back up the ruleset on a schedule and before every change
- Test every change against the real traffic paths (management SSH first) before making it persistent
# Points to watch
- Understand the architecture (families, hooks, priorities) before writing rules
- Write rules that are correct and in the right order; a broad accept placed above a narrower rule makes the narrower one dead code
- Test the firewall rules from a second session so a mistake cannot lock you out
- Document the firewall configuration (what each rule is for)
- Back up the firewall configuration
2.2 nftables best practices
Best practices for nftables:
- Default deny: set the input chain (and the forward chain, if the host forwards) to policy drop and accept only what is needed
- Least privilege: open only the ports a service really listens on, and restrict management ports (SSH, database) to known source addresses
- Use sets: keep addresses and ports in named sets so a rule reads "tcp dport @web_ports accept" and the list is changed in one place
- Organise rules and chains: accept loopback and established traffic first, then services, then a logged drop at the end
- Back up the configuration: keep the ruleset in a file under version control and reload it atomically with nft -f
2.3 nftables security configuration recommendations
Security recommendations for nftables:
- Default policy: policy drop on input and forward, so the chain fails closed if the explicit drop rule at its end is ever missing or not loaded
- Connection tracking: accept ct state established,related early, and drop ct state invalid so malformed or out-of-window packets never reach the service rules
- Rate limiting: apply limit rate to ICMP, to new SSH connections per source, and to the log rule itself, so a flood cannot fill the journal
- Logging: log dropped packets with a distinctive prefix (for example "NFT-DROP: ") so they are easy to find in the kernel log, and add counter to rules you want to measure
- Rule review: review the ruleset regularly and remove rules with a zero counter or whose purpose nobody can state
Part03-Production Implementation
3.1 nftables basic operations
3.1.1 Viewing the nftables state
nft list ruleset prints every table the kernel currently holds; empty output means no rules are loaded and nothing is being filtered.
# nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# list all tables
# nft list tables
table inet filter
# list one table
# nft list table inet filter
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# list one chain
# nft list chain inet filter input
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
}
# list the ruleset with object handles (-a); the handle is what delete, replace and insert by handle refer to
# nft -a list ruleset
table inet filter { # handle 1
    chain input { # handle 1
        type filter hook input priority 0; policy accept;
    }
    chain forward { # handle 2
        type filter hook forward priority 0; policy accept;
    }
    chain output { # handle 3
        type filter hook output priority 0; policy accept;
    }
}
3.1.2 Creating tables and chains
# nft add table inet filter
# create the base chains; the policy is the verdict for packets that no rule matched
# nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
# nft add chain inet filter forward { type filter hook forward priority 0 \; policy drop \; }
# nft add chain inet filter output { type filter hook output priority 0 \; policy accept \; }
# Caution: the first chain is created with policy drop and no accept rules, so on a remote host this command cuts off the SSH session you are typing in. Either create the chain with policy accept and re-issue the same add chain command with policy drop once the accept rules exist (adding an existing base chain with the same hook updates its policy), or skip these one-liners and load the complete ruleset from a file with nft -f, which applies everything in one atomic transaction. The backslash before each ; keeps the shell from treating it as a command separator; inside an nft file a plain ; is used.
# verify
# nft list table inet filter
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# delete a chain (it must hold no rules and must not be a jump target)
# nft delete chain inet filter input
# delete a table together with everything in it
# nft delete table inet filter
3.1.3 Adding rules
Rules are appended in order and the first matching verdict wins, so the loopback and connection-tracking accepts go first and the logged drop goes last.
# allow loopback
# nft add rule inet filter input iif lo accept
# allow reply traffic of connections this host opened or accepted (and related traffic such as ICMP errors)
# nft add rule inet filter input ct state established,related accept
# allow SSH
# nft add rule inet filter input tcp dport 22 accept
# allow HTTP and HTTPS (an anonymous set)
# nft add rule inet filter input tcp dport { 80, 443 } accept
# allow SSH from one address only; this rule has no effect while the unrestricted port-22 rule above exists, so to really restrict SSH list the handles with nft -a list chain inet filter input and delete that rule by handle
# nft add rule inet filter input ip saddr 192.168.1.100 tcp dport 22 accept
# allow ping; with policy drop, IPv6 also needs neighbour discovery accepted (icmpv6 types nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert), or the host loses its IPv6 neighbours
# nft add rule inet filter input icmp type echo-request accept
# nft add rule inet filter input icmpv6 type echo-request accept
# log and drop everything else; in production put a limit rate in front of log, otherwise a flood of unsolicited packets also floods the kernel log
# nft add rule inet filter input log prefix "NFT-DROP: " drop
# view the rules
# nft list chain inet filter input
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
        ip saddr 192.168.1.100 tcp dport 22 accept
        icmp type echo-request accept
        icmpv6 type echo-request accept
        log prefix "NFT-DROP: " drop
    }
}
3.2 Advanced nftables techniques
3.2.1 Using sets
A named set is matched with a single lookup however many elements it holds, and its contents can be changed without touching the rules that reference it. flags interval allows elements to be ranges or prefixes (80-443, 192.168.1.0/24) as well as single values.
# nft add set inet filter allowed_ports { type inet_service \; flags interval \; }
# add elements
# nft add element inet filter allowed_ports { 22, 80, 443, 8080 }
# reference the set with @
# nft add rule inet filter input tcp dport @allowed_ports accept
# create an address set
# nft add set inet filter allowed_ips { type ipv4_addr \; flags interval \; }
# add addresses and prefixes
# nft add element inet filter allowed_ips { 192.168.1.0/24, 10.0.0.0/8 }
# use the address set (this accepts every port from those networks; add a port match if that is not intended)
# nft add rule inet filter input ip saddr @allowed_ips accept
# show a set
# nft list set inet filter allowed_ports
table inet filter {
    set allowed_ports {
        type inet_service
        flags interval
        elements = { 22, 80, 443, 8080 }
    }
}
# nft list set inet filter allowed_ips
table inet filter {
    set allowed_ips {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 192.168.1.0/24 }
    }
}
3.2.2 Using maps
A verdict map (vmap) replaces a series of "match X accept / match Y drop" rules with one lookup whose value is the verdict itself; an ordinary map can also return an address or port, for example a DNAT target.
# nft add map inet filter port_to_service { type inet_service : verdict \; }
# add key : verdict pairs
# nft add element inet filter port_to_service { 22 : accept, 80 : accept, 443 : accept }
# dispatch on the map
# nft add rule inet filter input tcp dport vmap @port_to_service
# a map from source address to verdict
# nft add map inet filter ip_to_action { type ipv4_addr : verdict \; }
# add pairs
# nft add element inet filter ip_to_action { 192.168.1.100 : accept, 192.168.1.200 : drop }
# use the map
# nft add rule inet filter input ip saddr vmap @ip_to_action
# show a map
# nft list map inet filter port_to_service
table inet filter {
    map port_to_service {
        type inet_service : verdict
        elements = { 22 : accept, 80 : accept, 443 : accept }
    }
}
3.2.3 Configuring NAT
NAT lives in its own table with chains of type nat. The hook priorities follow the netfilter convention: destination NAT (-100) runs in prerouting before the filter chains (0), so the forward chain already sees the translated destination, and source NAT (100) runs in postrouting after them. The rules below match interfaces with iif/oif, which resolve the interface index when the rule is loaded; in a ruleset loaded at boot prefer iifname/oifname, because a rule naming an interface that does not exist yet fails to load.
# nft add table ip nat
# create the postrouting chain (source NAT)
# nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
# masquerade: source NAT to whatever address eth0 currently has
# nft add rule ip nat postrouting oif eth0 masquerade
# or source NAT to a fixed address
# nft add rule ip nat postrouting oif eth0 snat to 203.0.113.1
# create the prerouting chain (destination NAT)
# nft add chain ip nat prerouting { type nat hook prerouting priority -100 \; }
# DNAT: send inbound TCP 8080 on eth0 to an internal web server; the forward chain must also accept this traffic and net.ipv4.ip_forward must be 1 (see 4.2)
# nft add rule ip nat prerouting iif eth0 tcp dport 8080 dnat to 192.168.1.10:80
# view the NAT rules
# nft list table ip nat
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "eth0" masquerade
    }
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif "eth0" tcp dport 8080 dnat to 192.168.1.10:80
    }
}
3.3 Managing the ruleset
3.3.1 Saving and loading the ruleset
nft list ruleset prints only the tables. It does not print the interpreter line or a flush ruleset statement, and a file without flush ruleset adds its rules on top of whatever is already loaded when replayed with nft -f, so every reload would duplicate every rule. Write the header yourself when saving:
# { echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; nft list ruleset; } > /etc/nftables.conf
# view the saved file
# cat /etc/nftables.conf
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
        ip saddr 192.168.1.100 tcp dport 22 accept
        icmp type echo-request accept
        icmpv6 type echo-request accept
        log prefix "NFT-DROP: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# load the ruleset (the flush ruleset at the top makes this an atomic replace)
# nft -f /etc/nftables.conf
# or let the systemd service load it at boot
# systemctl enable nftables
# systemctl start nftables
# On RHEL-family systems the unit runs nft -f /etc/sysconfig/nftables.conf, not /etc/nftables.conf. Either save to that path or add the line include "/etc/nftables.conf" to /etc/sysconfig/nftables.conf; otherwise the service starts successfully but loads nothing.
# verify that the ruleset is loaded
# nft list ruleset
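The save-and-load procedure above, extended with the check a practitioner wants before reloading a firewall over SSH. This is an added example, not from the original tutorial: it syntax-checks the candidate file with nft -c -f, saves the live ruleset with the header that nft list ruleset omits, applies the new file, and arms a timed rollback that restores the backup unless confirm_apply is called in time. The NFT variable, the 90-second window and the file paths are this example's own choices; nft -c, nft -f and nft list ruleset are documented nft options.

```shell
#!/bin/sh
# Added example (not from the original tutorial): apply an nftables ruleset
# file over a remote session without locking yourself out.
# Assumptions (ours, not nft's): NFT names the nft binary, ROLLBACK_SECS is the
# confirmation window, file paths are passed in by the caller.
set -u
NFT=${NFT:-nft}
ROLLBACK_SECS=${ROLLBACK_SECS:-90}
ROLLBACK_PID=

# Parse and validate the file without touching the live ruleset (nft -c).
check_ruleset() {
    "$NFT" -c -f "$1"
}

# Save the live ruleset as a replayable file. `nft list ruleset` prints only
# the tables, so the interpreter line and `flush ruleset` are added here;
# without them a reload would stack a second copy of every rule on the first.
save_ruleset() {
    {
        printf '#!/usr/sbin/nft -f\n'
        printf 'flush ruleset\n'
        "$NFT" list ruleset
    } > "$1"
}

# Check, back up, apply, then arm a rollback that runs unless confirm_apply()
# is called within ROLLBACK_SECS. nohup keeps the timer alive if the SSH
# session that started it is the one the new rules just cut off.
safe_apply() {
    new=$1
    backup=$2
    check_ruleset "$new" || {
        echo "syntax check failed, nothing applied" >&2
        return 1
    }
    save_ruleset "$backup" || return 1
    "$NFT" -f "$new" || return 1
    nohup sh -c "sleep $ROLLBACK_SECS; $NFT -f '$backup'" \
        >/dev/null 2>&1 </dev/null &
    ROLLBACK_PID=$!
    echo "applied $new; run confirm_apply within ${ROLLBACK_SECS}s or $backup is restored"
}

# Cancel the armed rollback once the new rules are verified (for example by
# opening a second SSH session and fetching the web site).
confirm_apply() {
    [ -n "$ROLLBACK_PID" ] || return 1
    kill "$ROLLBACK_PID" 2>/dev/null || true
    ROLLBACK_PID=
    echo "rollback cancelled, new ruleset stays"
}

# Typical use (as root):
#   safe_apply /etc/nftables.conf.new /root/nftables.backup
#   ... test from another terminal ...
#   confirm_apply
```

The order matters: the check runs before the backup so a typo never produces a half-applied state, and the backup is taken from the kernel rather than from the old file so that rules added by hand since the last save are also restored.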
3.3.2 A complete firewall configuration
The file below is written in one step and loaded atomically. allowed_ports holds only the public web ports: port 22 is deliberately not in it, because the SSH rule restricts port 22 to allowed_ips, and an unrestricted "tcp dport @allowed_ports accept" that contained 22 would make that restriction meaningless.
# cat > /etc/nftables.conf << 'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    # sets
    set allowed_ports {
        type inet_service
        flags interval
        elements = { 80, 443 }
    }
    set allowed_ips {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.0/24, 10.0.0.0/8 }
    }
    # input chain
    chain input {
        type filter hook input priority 0; policy drop;
        # loopback
        iif "lo" accept
        # reply traffic
        ct state established,related accept
        # SSH from the management networks only
        ip saddr @allowed_ips tcp dport 22 accept
        # HTTP and HTTPS
        tcp dport @allowed_ports accept
        # ping
        icmp type echo-request accept
        icmpv6 type echo-request accept
        # log and drop everything else
        log prefix "NFT-DROP: " drop
    }
    # forward chain; 4.2 adds the accept rules for the DNAT below, without them the forwarded 8080 traffic is dropped here
    chain forward {
        type filter hook forward priority 0; policy drop;
        # reply traffic
        ct state established,related accept
    }
    # output chain
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "eth0" masquerade
    }
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif "eth0" tcp dport 8080 dnat to 192.168.1.10:80
    }
}
EOF
# load the configuration
# nft -f /etc/nftables.conf
# verify
# nft list ruleset
# enable the nftables service
# systemctl enable nftables
Created symlink /etc/systemd/system/sysinit.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.
# start the service
# systemctl start nftables
# check the service state
# systemctl status nftables
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2026-03-31 10:00:00 CST; 5s ago
  Process: 1234 ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf (code=exited, status=0/SUCCESS)
 Main PID: 1234 (code=exited, status=0/SUCCESS)
Mar 31 10:00:00 localhost systemd[1]: Starting Netfilter Tables...
Mar 31 10:00:00 localhost systemd[1]: Started Netfilter Tables.
Note the Process line: on RHEL the unit loads /etc/sysconfig/nftables.conf, so the file written above to /etc/nftables.conf is only applied at boot if /etc/sysconfig/nftables.conf contains the line include "/etc/nftables.conf". Add that line before relying on the service; a unit that reports status=0 with the include missing has loaded nothing.
Part04-Production Cases and Hands-on Walkthroughs
4.1 Web server firewall: hands-on case
4.1.1 Complete configuration procedure
# 1. Write the configuration. allowed_ports contains only 80 and 443; SSH is reachable from admin_ips only and MySQL from internal_ips only, which is the whole point of this ruleset.
# cat > /etc/nftables.conf << 'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    # sets
    set allowed_ports {
        type inet_service
        flags interval
        elements = { 80, 443 }
    }
    set admin_ips {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.100, 10.0.0.100 }
    }
    set internal_ips {
        type ipv4_addr
        flags interval
        elements = { 192.168.0.0/16, 10.0.0.0/8 }
    }
    # input chain
    chain input {
        type filter hook input priority 0; policy drop;
        # loopback
        iif "lo" accept
        # reply traffic
        ct state established,related accept
        # SSH from administrator addresses only
        ip saddr @admin_ips tcp dport 22 accept
        # HTTP and HTTPS
        tcp dport @allowed_ports accept
        # MySQL from internal networks only
        ip saddr @internal_ips tcp dport 3306 accept
        # ping
        icmp type echo-request accept
        icmpv6 type echo-request accept
        # log and drop everything else
        log prefix "NFT-DROP: " drop
    }
    # forward chain
    chain forward {
        type filter hook forward priority 0; policy drop;
        # reply traffic
        ct state established,related accept
    }
    # output chain
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
# 2. Load the configuration
# nft -f /etc/nftables.conf
# 3. Verify (nft prints set elements sorted and drops the comments)
# nft list ruleset
table inet filter {
    set allowed_ports {
        type inet_service
        flags interval
        elements = { 80, 443 }
    }
    set admin_ips {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.100, 192.168.1.100 }
    }
    set internal_ips {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 192.168.0.0/16 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ip saddr @admin_ips tcp dport 22 accept
        tcp dport @allowed_ports accept
        ip saddr @internal_ips tcp dport 3306 accept
        icmp type echo-request accept
        icmpv6 type echo-request accept
        log prefix "NFT-DROP: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# 4. Test the rules from the relevant source addresses. Because the policy is drop (not reject), a blocked client sees a timeout, not "Connection refused"; a refused connection would mean the packet reached the host and nothing was listening.
# from an administrator address (should succeed)
# ssh root@192.168.1.10
# from a non-administrator address (should hang and time out)
# ssh root@192.168.1.10
ssh: connect to host 192.168.1.10 port 22: Connection timed out
# HTTP (should succeed)
# curl http://192.168.1.10
# MySQL from an internal network (should succeed)
# mysql -h 192.168.1.10 -u appuser -p
# MySQL from outside (should time out)
# mysql -h 192.168.1.10 -u appuser -p
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.1.10' (110)
# 5. Enable the service (on RHEL make sure /etc/sysconfig/nftables.conf, which the unit loads, includes this file)
# systemctl enable nftables
# systemctl start nftables
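A hardened variant of the web-server ruleset above, applying the recommendations from 2.3 (drop invalid conntrack states, rate-limit ICMP and new SSH connections per source, rate-limit the log rule, count what is dropped) and accepting the ICMPv6 neighbour-discovery types that IPv6 needs behind a policy drop. This is an added example, not from the original tutorial: the interface-independent layout, the admin and internal networks, the limits and the log prefix are this example's own choices, and the dynamic-set meter follows the nft(8) syntax for "add @set { key limit rate over ... }". The shell wrapper writes the file and checks it with nft -c when nft is available.

```shell
#!/bin/sh
# Added example (not from the original tutorial): a hardened version of the
# 4.1 web-server ruleset, written to a file and syntax-checked with nft -c.
# Assumptions (ours): the admin and internal networks, the rate limits, the
# set names and the log prefix. Statement syntax follows nft(8).
set -u

# write_hardened_ruleset FILE - write the ruleset to FILE.
write_hardened_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # public web ports only; 22 is never in this set
    set web_ports {
        type inet_service
        elements = { 80, 443 }
    }
    set admin_ips {
        type ipv4_addr
        flags interval
        elements = { 192.168.1.100, 10.0.0.100 }
    }
    set internal_ips {
        type ipv4_addr
        flags interval
        elements = { 192.168.0.0/16, 10.0.0.0/8 }
    }
    # one entry per IPv4 source that opens SSH connections; entries expire after 5m
    set ssh_meter {
        type ipv4_addr
        flags dynamic,timeout
        timeout 5m
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        # out-of-window, malformed or unexpected packets never reach a service rule
        ct state invalid counter drop
        # IPv6 does not work behind policy drop without neighbour discovery
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # ping, but not at line rate
        icmp type echo-request limit rate 10/second accept
        # a source opening more than 3 new SSH connections per minute is dropped
        tcp dport 22 ct state new add @ssh_meter { ip saddr limit rate over 3/minute } counter drop
        ip saddr @admin_ips tcp dport 22 accept
        tcp dport @web_ports accept
        ip saddr @internal_ips tcp dport 3306 accept
        # log a sample of what is dropped, count all of it
        limit rate 5/minute burst 10 packets log prefix "NFT-DROP: " level warn
        counter drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid counter drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# check_nft_file FILE - validate with nft -c without loading (needs nft and
# root); returns 0 when the check passes or when nft cannot be run here.
check_nft_file() {
    if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        nft -c -f "$1"
    else
        echo "nft not available here, skipping check of $1" >&2
    fi
}

# Usage (as root):
#   write_hardened_ruleset /etc/nftables.conf.new && check_nft_file /etc/nftables.conf.new
```

The SSH meter sits above the administrator accept on purpose: even an allowed address is throttled if it bursts new connections, which is what a compromised admin workstation or a brute-force script looks like. The meter is IPv4-only as written; an IPv6 counterpart needs a second set of type ipv6_addr keyed on ip6 saddr. The final counter drop replaces the policy for everything that falls through, so nft list ruleset shows how much is being dropped even though only five packets a minute are logged.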
4.2 NAT: hands-on case
4.2.1 Complete NAT configuration procedure
# 1. Write the NAT configuration. Inside an nft file statements are separated by a plain ; (the backslash escape is only needed on the shell command line).
# cat > /etc/nftables-nat.conf << 'EOF'
#!/usr/sbin/nft -f
# NAT table and chains
add table ip nat
add chain ip nat postrouting { type nat hook postrouting priority 100; }
add chain ip nat prerouting { type nat hook prerouting priority -100; }
# SNAT (source address translation) for traffic leaving through eth0
add rule ip nat postrouting oif eth0 masquerade
# DNAT (destination address translation)
# external port 8080 -> internal web server port 80
add rule ip nat prerouting iif eth0 tcp dport 8080 dnat to 192.168.1.10:80
# external port 2222 -> internal SSH
add rule ip nat prerouting iif eth0 tcp dport 2222 dnat to 192.168.1.10:22
# external port 3306 -> internal MySQL
add rule ip nat prerouting iif eth0 tcp dport 3306 dnat to 192.168.1.20:3306
EOF
# Publishing SSH and MySQL to every source on eth0 undoes the restriction 4.1 placed on them. In production prefix those two rules with ip saddr and the administrator or partner networks, or do not forward them at all.
# 2. Load the NAT configuration. This file has no flush ruleset, so loading it a second time appends duplicate rules; run nft flush table ip nat before re-applying.
# nft -f /etc/nftables-nat.conf
# 3. Verify the NAT configuration
# nft list table ip nat
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "eth0" masquerade
    }
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif "eth0" tcp dport 8080 dnat to 192.168.1.10:80
        iif "eth0" tcp dport 2222 dnat to 192.168.1.10:22
        iif "eth0" tcp dport 3306 dnat to 192.168.1.20:3306
    }
}
# 4. Allow the forwarded traffic in the filter table. DNAT only rewrites the destination; the packet then traverses the forward chain of the inet filter table, whose policy is drop. Edit the forward chain in /etc/nftables.conf so it reads:
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # reply traffic
        ct state established,related accept
        # new connections to the internal servers (destination already translated by the prerouting chain)
        ip daddr 192.168.1.0/24 tcp dport { 80, 22, 3306 } accept
    }
}
# 5. Reload the configuration
# nft -f /etc/nftables.conf
# 6. Enable IP forwarding (persistently, then for the running kernel)
# echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
# sysctl -p
net.ipv4.ip_forward = 1
# 7. Test the NAT from an external host
# port 8080 (should reach the internal port 80)
# curl http://203.0.113.1:8080
# port 2222 (should reach the internal port 22)
# ssh -p 2222 root@203.0.113.1
# port 3306 (should reach the internal MySQL)
# mysql -h 203.0.113.1 -u appuser -p
# 8. Save the running ruleset. nft list ruleset omits the interpreter line and flush ruleset, so add them, or the next nft -f would duplicate every rule. After this save the nat table is part of /etc/nftables.conf and /etc/nftables-nat.conf is no longer needed at boot.
# { echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; nft list ruleset; } > /etc/nftables.conf
4.3 Troubleshooting nftables
4.3.1 Rules not taking effect
# Analysis steps:
# 1. Check the service state
# systemctl status nftables
● nftables.service - Netfilter Tables
   Loaded: loaded (/usr/lib/systemd/system/nftables.service; enabled; vendor preset: disabled)
   Active: active (exited) since Thu 2026-03-31 10:00:00 CST; 1h 30min ago
# 2. Check the live ruleset (what the kernel enforces, which may differ from what the configuration file says)
# nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
    }
}
# 3. Finding: ports 80 and 443 are not open, so web traffic falls through to the policy drop (the kernel log confirms it with NFT-DROP: lines showing PROTO=TCP and DPT=80 in journalctl -k)
# 4. Add the HTTP and HTTPS rule
# nft add rule inet filter input tcp dport { 80, 443 } accept
# 5. Verify the rule was added
# nft list chain inet filter input
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
    }
}
# 6. Test access
# curl http://192.168.1.10
It works!
# 7. Save the configuration with the header that nft list ruleset omits; a rule added only on the command line is lost at the next reboot or reload
# { echo '#!/usr/sbin/nft -f'; echo 'flush ruleset'; nft list ruleset; } > /etc/nftables.conf
# 8. Prevention
# - Check the service state, and on RHEL that the file the unit loads (/etc/sysconfig/nftables.conf) includes your ruleset
# - Compare the live ruleset with the configuration file
# - Add the missing rules in the file, not only on the command line
# - Test the firewall rules from the client side
# - Save the configuration
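For the log rule introduced in 3.1.3 and the troubleshooting above: once NFT-DROP: lines appear in the kernel log, the first questions are which ports and which sources are being dropped, and whether any source is noisy enough to block outright. The added example below (not from the original tutorial) answers them with awk over constructed sample lines in the netfilter LOG format, so the same functions work on journalctl -k output. The set name blocklist that suggest_block targets, and the threshold, are this example's assumptions; the reader must have created such a set (type ipv4_addr) for the printed command to apply.

```shell
#!/bin/sh
# Added example (not from the original tutorial): triage kernel log lines
# produced by `log prefix "NFT-DROP: "`. SAMPLE_LOG is constructed for this
# example; its field layout (IN= OUT= SRC= DST= PROTO= SPT= DPT=) is the
# netfilter LOG format, so `journalctl -k | drops_by_dport` works the same way.
# The set name @blocklist and the threshold are our assumptions.
set -u

PREFIX=${PREFIX:-NFT-DROP:}

# constructed sample: three probes from one source, two web hits that a
# missing port-80 rule dropped, one ping, and one non-firewall line for noise
SAMPLE_LOG='Mar 31 10:01:02 web01 kernel: NFT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 31 10:01:03 web01 kernel: NFT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=3306 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 31 10:01:04 web01 kernel: NFT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 31 10:01:09 web01 kernel: NFT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=40010 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 10:01:10 web01 kernel: NFT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=192.0.2.44 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=0 DF PROTO=TCP SPT=40011 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 31 10:01:15 web01 kernel: NFT-DROP: IN=eth0 OUT= MAC=52:54:00:12:34:56:52:54:00:ab:cd:ef:08:00 SRC=203.0.113.99 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 31 10:01:20 web01 sshd[2210]: Accepted publickey for admin from 192.168.1.100 port 52222 ssh2'

# count_field KEY - read log lines on stdin, keep only those with the prefix,
# and print "count value" for KEY=value, most frequent first.
count_field() {
    grep -F -- "$PREFIX" | awk -v key="$1" '
        { for (i = 1; i <= NF; i++) if (index($i, key "=") == 1) { sub(key "=", "", $i); n[$i]++ } }
        END { for (v in n) print n[v], v }' | sort -rn
}

# drops_by_dport - destination ports being dropped (ICMP lines have no DPT)
drops_by_dport() { count_field DPT; }

# drops_by_src - source addresses being dropped
drops_by_src() { count_field SRC; }

# suggest_block THRESHOLD - print the nft command that adds every source with
# at least THRESHOLD drops to the (assumed) set @blocklist; prints nothing if
# no source reaches the threshold.
suggest_block() {
    drops_by_src | awk -v min="$1" '
        $1 + 0 >= min + 0 { a = a (a ? ", " : "") $2 }
        END { if (a) print "nft add element inet filter blocklist { " a " }" }'
}

# Usage on a live host (the sample above is used when run stand-alone):
#   journalctl -k | drops_by_dport
#   journalctl -k --since -1h | suggest_block 50
printf '%s\n' "$SAMPLE_LOG" | drops_by_dport
```

Reading the output against the 4.3.1 case: a high count on DPT=80 from many distinct sources is a missing accept rule, while many different DPT values from one SRC is a port scan, which is what suggest_block turns into a blocklist update. Review the suggested command before running it; the threshold should be well above what a legitimate client produces during an outage.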
Part05-Feng Ge's Experience Summary and Sharing
5.1 nftables takeaways
nftables takeaways:
- Default deny: drop all inbound connections by default
- Least privilege: open only the ports that are needed, and tie management ports to known source addresses
- Use sets: sets keep rules short and let the address lists change without editing rules
- Organise rules and chains: loopback and established traffic first, services next, a logged drop last
- Back up the configuration: keep the ruleset file with its flush ruleset header and reload it atomically
5.2 nftables checklist
nftables checklist:
- Before configuring: plan the firewall rules and the management path that must never be cut
- While configuring: check the file syntax with nft -c -f before loading it
- After configuring: verify the rules from the client side, from a second session
- In operation: check the service state and the live ruleset regularly
- In maintenance: update the firewall rules in the file and reload, not only on the command line
- Troubleshooting: compare the live ruleset with the file and read the NFT-DROP: lines in the kernel log
5.3 Recommended nftables tools
Recommended tools for nftables:
- nft: the nftables command-line tool (nft -c -f file checks a file without loading it)
- firewalld: firewall management daemon that uses nftables as its backend on RHEL 8 and later; it manages its own tables, so avoid administering the same host with both firewalld and hand-written nft files
- iptables-translate and ip6tables-translate: convert iptables command lines to nft syntax (iptables-restore-translate converts whole dump files)
- tcpdump: packet capture, useful to confirm whether a packet reaches the interface at all
- wireshark: network protocol analyser
Compiled and published by Feng Ge Tutorials for learning and testing only; cite the source when reposting: http://www.fgedu.net.cn/10327.html
