表达式
# 翻译 iptables 规则为 nftables
sudo iptables-save > legacy-rules.txt
iptables-restore-translate -f legacy-rules.txt
nft list ruleset # dump nftables 规则
nft -c -f rule.nft # check
nft -f rule.nft # load - 原子操作
- accept、drop、queue、continue、return、jump chain、goto chain
- masquerade - 源地址自动设置为出口地址
Table
- chain 容器
- 同一个 table 的 chain 不能有相同名字
- name
- 避免使用名称 inet, filter, nat, mangle
- 不同 family 可以有相同名字的 table
- family=ip, arp, ip6, bridge, inet, netdev
- 建议大多数时候只用
table inet作为 filter - 目前 NAT 相关规则主要支持 IPv4
- 因此 masquerade 相关可以放到单独的
table ip表 - 例如 chain prerouting, postrouting, forward
- 因此 masquerade 相关可以放到单独的
- 如果不考虑 IPv6 可以只用
table ip
地址类型
| family | desc |
|---|---|
| ip | IPv4 - 默认 |
| ip6 | IPv6 |
| inet | IPv4/IPv6 |
| arp | IPv4 ARP |
| bridge | 经过桥接设备的包 |
| netdev | 入口设备 |
nft list tables # [<family>]
# nft [-n] [-a] list table [<family>] <name>
# nft (add | delete | flush) table [<family>] <name>
单文件 reload
flush table ip wode
flush table inet wode
table ip wode {
}
table inet wode {
}
或者 replace 也是安全的
replace table ip mytable {
}
nft -f /etc/nftables/wode.nft
Chain
- rule 容器
- type=filter, route, nat
- filter - 过滤
- 支持 arp, bridge, ip, ip6, inet
- route
- 支持 ip, ip6
- nat
- 支持 ip, ip6
- filter - 过滤
- hook
- ip, ip6, inet 支持 prerouting, input, forward, output, postrouting
- arp 支持 input, output
- bridge
- netdev 支持 ingress, egress
- priority - 优先级
- policy - 默认规则
- accept, drop, queue, continue, return, jump chain, goto chain
- base chain
- 指的是直接与内核数据包处理钩子(hook)关联的链。
- 不是通过 jump 调用的链,而是内核在数据包进入网络栈时直接调用的入口点。
- input、output、forward、prerouting、postrouting
- 必须指定默认策略
# nft (add | create) chain [<family>] <table> <name> [ \{ type <type> hook <hook> [device <device>] priority <priority> \; [policy <policy> \;] \} ]
# nft (delete | list | flush) chain [<family>] <table> <name>
# nft rename chain [<family>] <table> <name> <newname>
hook
| hook | desc |
|---|---|
| prerouting | 所有进入系统的包,在路由之前处理,可用于过滤和修改属性 |
| input | 进入 本地 系统的包 |
| forward | 转发到其他 host 的包 |
| output | 本地 发出的包 |
| postrouting | 所有离开系统的包 |
| ingress | |
| egress |
- 地址 支持的 hook
- ip,ip6,inet,bridge - prerouting,input,forward,output,postrouting
- arp - input,output
- netdav - ingress
- https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
priority
| PRI | name | def | desc |
|---|---|---|---|
| -400 | NF_IP_PRI_CONNTRACK_DEFRAG | priority of defragmentation | |
| -300 | raw | NF_IP_PRI_RAW | traditional priority of the raw table placed before connection tracking operation |
| -225 | NF_IP_PRI_SELINUX_FIRST | SELinux operations | |
| -200 | NF_IP_PRI_CONNTRACK | Connection tracking operations | |
| -150 | mangle | NF_IP_PRI_MANGLE | mangle operation |
| -100 | dstnat | NF_IP_PRI_NAT_DST | DNAT |
| 0 | filter | NF_IP_PRI_FILTER | filtering operation, the filter table |
| 50 | security | NF_IP_PRI_SECURITY | Place of security table where secmark can be set for example |
| 100 | srcnat | NF_IP_PRI_NAT_SRC | SNAT |
| 225 | NF_IP_PRI_SELINUX_LAST | SELinux at packet exit | |
| 300 | NF_IP_PRI_CONNTRACK_HELPER | connection tracking at exit |
bridge priority
| Name | Value | Hooks |
|---|---|---|
| dstnat | -300 | prerouting |
| filter | -200 | all |
| out | 100 | output |
| srcnat | 300 | postrouting |
Rule
- 定义 action
- handle - 内部标识, 序号
# nft add rule [<family>] <table> <chain> <matches> <statements>
# nft insert rule [<family>] <table> <chain> [position <handle>] <matches> <statements>
# nft replace rule [<family>] <table> <chain> [handle <handle>] <matches> <statements>
# nft delete rule [<family>] <table> <chain> [handle <handle>]
匹配
- meta (元属性,如接口)
- oif、iif、oifname、iifname
- icmp (ICMP 协议)
- type
- icmpv6 (ICMPv6 协议)
- type
- ip (IP 协议)
- protocol
- daddr
- saddr
- ip6 (IPv6 协议)
- daddr
- saddr
- tcp (TCP 协议)
- dport
- sport
- udp (UDP 协议)
- dport
- sport
- sctp (SCTP 协议)
- dport
- sport
- ct (链接跟踪)
- state new | established | related | invalid
# 查看端口
nft describe tcp dport
nft
\续行#注释- 标识符
^[a-zA-Z][a-zA-Z0-9/\_.]*- 可使用双引号避免冲突
- nft.8
# 引入文件
# -I/--includepath
# 忽略 . 开头文件
include filename
# 定义变量
define variable = expr
# 使用变量
$variable
nft cli
# 描述信息
nft describe tcp flags
nft describe ct_state
nft describe icmp type
主要操作对象
- rulset - 所有的 table 和 chain
{list | flush} ruleset [family]
- table
- chain 容器
- 通过 地址类型和名字标识
{add | create} table [family] table [{ flags flags ; }]
{delete | list | flush} table [family] table
list tables [family]
delete table [family] handle handle
- chain
- rule 容器
- 区分 base chian 和 regular chain
- base - entry point for packets from the networking stack
- 支持 policy - 默认 accept
- regular - may be used as jump target and is used for better rule organization
- chain type
| type | families | hooks |
|---|---|---|
| filter | all | all |
| nat | ip, ip6, inet | prerouting, input, output, postrouting |
| route | ip, ip6 | output |
- nat 通过做 NAT 处理,只处理第一个包 - 用于 created conntrack entry
{add | create} chain [family] table chain [{ type type hook hook [device device] priority priority ; [policy policy ;] }]
{delete | list | flush} chain [family] table chain
list chains [family]
delete chain [family] table handle handle
rename chain [family] table chain newname
- rule
- 实际操作规则
{add | insert} rule [family] table chain [handle handle | index index] statement ... [comment comment]
replace rule [family] table chain handle handle statement ... [comment comment]
delete rule [family] table chain handle handle
- set -
{80,443}- 区分匿名集合和有名字的集合
- 用于辅助定义
- 用过
@set_name引用
add set [family] table set { type type | typeof expression ; [flags flags ;] [timeout timeout ;] [gc-interval gc-interval ;] [elements = { element[, ...] } ;] [size size ;] [policy policy ;] [auto-merge ;] }
{delete | list | flush} set [family] table set
list sets [family]
delete set [family] table handle handle
{add | delete} element [family] table set { element[, ...] }
- map
- element
- flowtable
- accelerate packet forwarding in software
- layer 3/4
- 状态对象
- counter
- quota
- ct helper
- 定义 connection tracking helper
- 用于 ct helper set
- ct timeout
- update connection tracking timeout
- ct expectation
- create connection expectations
- 用于 ct expectation set
- counter
- quota
默认规则
# 清空
flush ruleset
# 基础 IPv4/IPv6 有状态的防火墙 - 用户服务器或工作站
table inet filter {
chain input {
# 默认 drop input
type filter hook input priority 0; policy drop;
# 允许本地流量
iifname lo accept \
comment "Accept any localhost traffic"
# 允许出去的流量
ct state { established, related } accept \
comment "Accept traffic originated from us"
# 丢弃无效连接
ct state invalid drop \
comment "Drop invalid connections"
# 113 端口返回端口不可达
# https://en.wikipedia.org/wiki/Ident_protocol
# https://github.com/janikrabe/oidentd
# apk add oidentd
tcp dport 113 reject with icmpx type port-unreachable \
comment "Reject AUTH to make it fail fast"
# ICMPv4
# 接受指定类型的 icmp 类型
ip protocol icmp icmp type {
echo-reply, # type 0
destination-unreachable, # type 3
time-exceeded, # type 11
parameter-problem, # type 12
} accept \
comment "Accept ICMP"
# 限制 ping 速率
ip protocol icmp icmp type echo-request limit rate 1/second accept \
comment "Accept max 1 ping per second"
# ICMPv6
ip6 nexthdr icmpv6 icmpv6 type {
destination-unreachable, # type 1
packet-too-big, # type 2
time-exceeded, # type 3
parameter-problem, # type 4
echo-reply, # type 129
} accept \
comment "Accept basic IPv6 functionality"
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 1/second accept \
comment "Accept max 1 ping per second"
# IPv6 SLAAC 协议
ip6 nexthdr icmpv6 icmpv6 type {
nd-router-solicit, # type 133
nd-router-advert, # type 134
nd-neighbor-solicit, # type 135
nd-neighbor-advert, # type 136
} ip6 hoplimit 255 accept \
comment "Allow IPv6 SLAAC"
# IPv6 多播链路发现
ip6 nexthdr icmpv6 icmpv6 type {
mld-listener-query, # type 130
mld-listener-report, # type 131
mld-listener-reduction, # type 132
mld2-listener-report, # type 143
} ip6 saddr fe80::/10 accept \
comment "Allow IPv6 multicast listener discovery on link-local"
}
chain forward {
# 默认不允许转发
type filter hook forward priority 0; policy drop;
}
chain output {
# 默认允许 output
type filter hook output priority 0; policy accept;
}
}
# 包含自定义规则
include "/etc/nftables.d/*.nft"
masquerade
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
}
chain postrouting {
type nat hook postrouting priority 100;
# 源地址自动设置为出口地址
oifname "enp0s2" masquerade
}
}
允许常用端口
table inet filter {
chain input {
type filter hook input priority 0;
# allow ssh,http
tcp dport {ssh,http,https} accept
# http3 use udp
udp dport {https} accept
}
}
限定来源地址
define ALLOWED_NETS = {
192.168.0.0/16,
1.2.3.4
}
table inet firewall {
chain inbound {
type filter hook input priority 0; policy drop;
# 限定来源访问
tcp dport { http, https } ip saddr $ALLOWED_NETS accept
udp dport { http, https } ip saddr $ALLOWED_NETS accept
}
}
所有端口重定向到 22
table ip nat {
chain prerouting {
type nat hook prerouting priority 0;
tcp dport != 22 redirect to 22
}
chain postrouting {
type nat hook postrouting priority 0;
}
}