Summary: This Fengge tutorial, which draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, describes the configuration and use of the relevant technology in detail.
Fengge's note: this document describes the configuration and use of the nftables firewall in detail.
Part01 - nftables basics
1.1 nftables concepts
1. Unified syntax
2. Better performance
3. More flexible configuration
4. Support for nested rules
# Check the nftables state (the active ruleset)
$ sudo nft list ruleset
# List tables
$ sudo nft list tables
# Show one table
$ sudo nft list table inet filter
# Install nftables
$ sudo dnf install -y nftables
# Start nftables
$ sudo systemctl start nftables
$ sudo systemctl enable nftables
Part02 - Tables and chains
2.1 Creating tables and chains
# Create a table
$ sudo nft add table inet filter
# Create chains
$ sudo nft add chain inet filter input { type filter hook input priority 0 \; }
$ sudo nft add chain inet filter output { type filter hook output priority 0 \; }
$ sudo nft add chain inet filter forward { type filter hook forward priority 0 \; }
# Create a chain with a default policy
$ sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop \; }
# Show a chain
$ sudo nft list chain inet filter input
# Delete a chain
$ sudo nft delete chain inet filter input
# Delete a table
$ sudo nft delete table inet filter
Part03 - Rules
3.1 Adding rules
# Allow loopback traffic
$ sudo nft add rule inet filter input iif lo accept
# Allow established connections
$ sudo nft add rule inet filter input ct state established,related accept
# Allow SSH
$ sudo nft add rule inet filter input tcp dport 22 accept
# Allow HTTP and HTTPS
$ sudo nft add rule inet filter input tcp dport { 80, 443 } accept
# Allow ICMP
$ sudo nft add rule inet filter input icmp type echo-request accept
# Drop all other input
$ sudo nft add rule inet filter input drop
# Match on source IP
$ sudo nft add rule inet filter input ip saddr 192.168.1.0/24 accept
# Match on destination IP
$ sudo nft add rule inet filter input ip daddr 192.168.1.100 accept
# Match on a port range
$ sudo nft add rule inet filter input tcp dport 8000-9000 accept
# Limit the connection rate
$ sudo nft add rule inet filter input tcp dport 22 limit rate 3/minute accept
# Log matching packets
$ sudo nft add rule inet filter input log prefix "nftables: " accept
# Show the rules
$ sudo nft list chain inet filter input
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
        drop
    }
}
Part04 - NAT
4.1 Configuring NAT
$ sudo nft add table ip nat
# Create the PREROUTING chain
$ sudo nft add chain ip nat prerouting { type nat hook prerouting priority -100 \; }
# Create the POSTROUTING chain
$ sudo nft add chain ip nat postrouting { type nat hook postrouting priority 100 \; }
# Configure SNAT
$ sudo nft add rule ip nat postrouting oif eth0 snat to 192.168.1.100
# Configure MASQUERADE
$ sudo nft add rule ip nat postrouting oif eth0 masquerade
# Configure DNAT
$ sudo nft add rule ip nat prerouting iif eth0 tcp dport 80 dnat to 192.168.2.10:8080
# Configure port forwarding (redirect to a local port)
$ sudo nft add rule ip nat prerouting tcp dport 8080 redirect to :80
# Show the NAT rules
$ sudo nft list table ip nat
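The rule listing in Part03 and the NAT table in Part04 are easier to review mechanically from the JSON form that `nft -j list ruleset` prints than from the text form. The script below is an added example, not code from the original tutorial: it audits such an export, flagging filter base chains on the input and forward hooks whose policy is not drop, chains with no `ct state` rule, and unconditional accepts, and it lists the destination ports each chain accepts and the NAT translations in place. SAMPLE_JSON is constructed by hand in the shape libnftables emits; the assumption is that the reader's nft version uses the same keys for these expressions, so compare it with real `nft -j` output before relying on the audit.

```python
"""Audit an nftables ruleset from its JSON export (`nft -j list ruleset`).
Added example, not code from the original tutorial. SAMPLE_JSON is built by
hand in the shape libnftables emits (assumption: same keys on your version)."""
import json
import sys


def _chain(name, hook, policy, family="inet", table="filter", prio=0):
    ctype = "nat" if table == "nat" else "filter"
    return {"chain": {"family": family, "table": table, "name": name, "type": ctype,
                      "hook": hook, "prio": prio, "policy": policy}}


def _rule(chain, *expr, family="inet", table="filter"):
    return {"rule": {"family": family, "table": table, "chain": chain, "expr": list(expr)}}


TCP_DPORT = {"payload": {"protocol": "tcp", "field": "dport"}}
# Constructed sample: the Part03 input chain and the Part04 NAT table, plus a
# deliberately sloppy forward chain so the audit has something to report.
SAMPLE_JSON = json.dumps({"nftables": [
    {"metainfo": {"json_schema_version": 1}},
    {"table": {"family": "inet", "name": "filter"}},
    _chain("input", "input", "drop"),
    _rule("input", {"match": {"op": "==", "left": {"meta": {"key": "iif"}}, "right": "lo"}}, {"accept": None}),
    _rule("input", {"match": {"op": "in", "left": {"ct": {"key": "state"}},
                              "right": ["established", "related"]}}, {"accept": None}),
    _rule("input", {"match": {"op": "==", "left": TCP_DPORT, "right": 22}},
          {"limit": {"rate": 3, "per": "minute"}}, {"accept": None}),
    _rule("input", {"match": {"op": "==", "left": TCP_DPORT, "right": {"set": [80, 443]}}}, {"accept": None}),
    _rule("input", {"match": {"op": "==", "left": TCP_DPORT, "right": {"range": [8000, 9000]}}}, {"accept": None}),
    _rule("input", {"log": {"prefix": "nftables-drop: "}}, {"drop": None}),
    _chain("forward", "forward", "accept"),
    _rule("forward", {"accept": None}),
    {"table": {"family": "ip", "name": "nat"}},
    _chain("prerouting", "prerouting", "accept", family="ip", table="nat", prio=-100),
    _rule("prerouting", {"match": {"op": "==", "left": TCP_DPORT, "right": 80}},
          {"dnat": {"addr": "192.168.2.10", "port": 8080}}, family="ip", table="nat"),
    _chain("postrouting", "postrouting", "accept", family="ip", table="nat", prio=100),
    _rule("postrouting", {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "eth0"}},
          {"masquerade": None}, family="ip", table="nat"),
]})


def _accepts(rule):
    """nft serialises the verdict as the last expression of a rule."""
    return "accept" in rule["expr"][-1]


def _dports(rule):
    """Destination ports a rule matches, as 'proto/port' or 'proto/lo-hi'."""
    for e in rule["expr"]:
        m = e.get("match")
        if not m or m["left"].get("payload", {}).get("field") != "dport":
            continue
        proto, right = m["left"]["payload"]["protocol"], m["right"]
        values = right["set"] if isinstance(right, dict) and "set" in right else [right]
        for v in values:
            if isinstance(v, dict) and "range" in v:
                yield f"{proto}/{v['range'][0]}-{v['range'][1]}"
            else:
                yield f"{proto}/{v}"


def audit(json_text):
    """Return {'findings': [...], 'open_ports': {chain: [...]}, 'nat': [...]}."""
    objs = json.loads(json_text)["nftables"]
    chains = [o["chain"] for o in objs if "chain" in o]
    rules = [o["rule"] for o in objs if "rule" in o]
    report = {"findings": [], "open_ports": {}, "nat": []}
    for c in chains:
        if "hook" not in c:
            continue  # regular chain: only reached via jump/goto from a base chain
        key = f"{c['family']} {c['table']} {c['name']}"
        own = [r for r in rules
               if (r["family"], r["table"], r["chain"]) == (c["family"], c["table"], c["name"])]
        if c["type"] == "filter" and c["hook"] in ("input", "forward"):
            if c.get("policy", "accept") != "drop":
                report["findings"].append(f"{key}: policy is not drop")
            if not any("ct" in e.get("match", {}).get("left", {}) for r in own for e in r["expr"]):
                report["findings"].append(f"{key}: no ct state rule")
        for r in own:
            if c["type"] == "filter" and _accepts(r):
                if not any("match" in e for e in r["expr"]):
                    report["findings"].append(f"{key}: unconditional accept")
                ports = list(_dports(r))
                if ports:
                    report["open_ports"].setdefault(key, []).extend(ports)
            for e in r["expr"]:
                if "dnat" in e:
                    dst = f"{e['dnat']['addr']}:{e['dnat']['port']}"
                    report["nat"].append(f"{key}: {' '.join(_dports(r))} -> {dst}")
                elif "masquerade" in e:
                    report["nat"].append(f"{key}: masquerade")
    return report


if __name__ == "__main__":
    # Pipe real output in with: sudo nft -j list ruleset | python3 audit_nft.py
    text = SAMPLE_JSON if sys.stdin.isatty() else sys.stdin.read()
    print(json.dumps(audit(text), indent=2))
```

On the sample the input chain produces no findings and reports `tcp/22`, `tcp/80`, `tcp/443` and `tcp/8000-9000` as accepted; the forward chain is flagged three times (accept policy, no stateful rule, unconditional accept), which is the shape of a host that was turned into a router without anyone revisiting the filter.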
Part05 - Configuration file
5.1 Example configuration file
$ sudo tee /etc/nftables/main.nft << 'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept
        tcp dport { 80, 443 } accept
        icmp type echo-request accept
        log prefix "nftables-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif "eth0" masquerade
    }
}
EOF
# Apply the configuration
$ sudo nft -f /etc/nftables/main.nft
# Enable the nftables service
$ sudo systemctl enable nftables
# Migrate from iptables to nftables (the shell redirect runs as the calling user, so write the file through sudo tee)
$ sudo iptables-restore-translate -f /etc/iptables/rules.v4 | sudo tee /etc/nftables/rules.nft > /dev/null
$ sudo nft -f /etc/nftables/rules.nft
1. Use a single configuration file
2. Set a sensible default policy
3. Allow only the connections that are needed
4. Log dropped connections
5. Review the rules regularly
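The practices listed above can be enforced mechanically rather than by hand. The Python script below is an added example, not part of the tutorial: it renders the Part05 configuration file from a small policy description, restricts SSH to an administrative subnet with the rate limit from Part03, keeps the public TCP services in a named set, accepts the ICMPv6 neighbour-discovery messages an IPv6 host needs under a drop policy (this goes beyond the tutorial's IPv4-only file), checks that the rule order is right, and dry-runs the result with `nft -c -f` before anything is loaded into the kernel. `POLICY`, `TEMPLATE`, `render`, `rule_order_ok` and `check_syntax` are names chosen here.

```python
"""Render an nftables ruleset file from a small policy description, check the
rule order, and syntax-check it with `nft -c -f` before anything is loaded.
Added example, not part of the original tutorial; POLICY keys and helper
names are chosen here, the ruleset itself uses only standard nft syntax."""
import os
import shutil
import subprocess
import sys
import tempfile

POLICY = {  # constructed sample policy
    "admin_net": "192.168.1.0/24",            # only this subnet may reach SSH
    "tcp_services": {"http": 80, "https": 443},  # open to everyone
    "ssh_rate": "3/minute",
    "wan_if": "eth0",
}

# Braces are doubled because the text goes through str.format().
TEMPLATE = """\
#!/usr/sbin/nft -f
# Generated file: 'flush ruleset' and the objects below load as one transaction.
flush ruleset

define admin_net = {admin_net}
define wan_if = "{wan_if}"

table inet filter {{
    set tcp_services {{
        type inet_service
        elements = {{ {services} }}
    }}
    chain input {{
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip saddr $admin_net tcp dport 22 limit rate {ssh_rate} accept
        tcp dport @tcp_services accept
        icmp type echo-request accept
        icmpv6 type {{ echo-request, nd-neighbor-solicit, nd-neighbor-advert }} accept
        log prefix "nftables-drop: " counter drop
    }}
    chain forward {{
        type filter hook forward priority 0; policy drop;
    }}
    chain output {{
        type filter hook output priority 0; policy accept;
    }}
}}

table ip nat {{
    chain postrouting {{
        type nat hook postrouting priority 100; policy accept;
        oifname $wan_if masquerade
    }}
}}
"""


def render(policy):
    """Fill the template; services are sorted so the file diffs cleanly."""
    services = ", ".join(str(p) for p in sorted(policy["tcp_services"].values()))
    return TEMPLATE.format(admin_net=policy["admin_net"], wan_if=policy["wan_if"],
                           services=services, ssh_rate=policy["ssh_rate"])


def rule_order_ok(text):
    """nft evaluates rules top to bottom: the stateful accept must precede every
    port accept, and the logging drop must be the last rule of the input chain."""
    lines = [line.strip() for line in text.splitlines()]
    stateful = lines.index("ct state established,related accept")
    log_drop = lines.index('log prefix "nftables-drop: " counter drop')
    port_rules = [i for i, line in enumerate(lines) if "dport" in line and line.endswith("accept")]
    return bool(port_rules) and all(stateful < i < log_drop for i in port_rules)


def check_syntax(text, nft_bin=shutil.which("nft")):
    """Dry-run the file with `nft -c -f`. Returns True/False, or None when nft is
    not installed (e.g. on the workstation that renders the file). Check mode
    still opens a netlink socket, so on the target host run it as root."""
    if nft_bin is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".nft", delete=False) as fh:
        fh.write(text)
    try:
        return subprocess.run([nft_bin, "-c", "-f", fh.name], capture_output=True).returncode == 0
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    ruleset = render(POLICY)
    assert rule_order_ok(ruleset)
    print(ruleset, end="")                      # redirect this into main.nft
    print("nft -c result:", check_syntax(ruleset), file=sys.stderr)
```

Render on a workstation with `python3 render_nft.py > main.nft`, copy the file to the host, run `sudo nft -c -f main.nft` there, and only then `sudo nft -f main.nft`. Because the file begins with `flush ruleset` and nft commits a file as a single transaction, a load that fails partway leaves the previous ruleset untouched rather than a half-applied one.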
This document was compiled and published by Fengge Tutorials for learning and testing purposes only; cite the source when reposting: http://www.fgedu.net.cn/10327.html
