Last updated: 2022-01-12
Preface
On Rocky 8, running "iptables -nL" shows no rule output?!
Reason: firewalld has switched to the nftables backend (it used the iptables backend before).
So to see the rules you have to run
nft list ruleset
Why replace iptables?
1. In the iptables era the kernel did not add, remove or modify rules individually; every change reloaded the whole rule set
(even the counters were written back in with it @@|| )
2. Atomic rule updates.
Install
dnf install nftables
Service
systemctl start nftables
systemctl enable nftables
Basic CLI
nft is used for packet filtering and classification
nft -v
nftables v1.0.2 (Lester Gooch)
nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
    }
    chain forward {
        type filter hook forward priority filter; policy accept;
    }
    chain output {
        type filter hook output priority filter; policy accept;
    }
}
nft list chain ip filter INPUT # iptables -L INPUT
nft list chain ip nat PREROUTING # iptables -t nat -L PREROUTING
Scripts
/etc/nftables/example_firewall.nft
#!/usr/sbin/nft -f ...
Variables
define INET_DEV = enp1s0
Include
include "/etc/nftables/rulesets/*.nft"
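A complete script that ties the three pieces above together (the "nft -f" shebang, a define'd variable and a wildcard include), added here as an example and not taken from the original page. The interface name, the allowed port and the /etc/nftables/rulesets/ directory are assumptions.

```nft
#!/usr/sbin/nft -f
# /etc/nftables/example_firewall.nft (added example; interface, port and include directory are assumptions)
# Note: "flush ruleset" wipes every table, including the ones firewalld manages,
# so this script is meant for a host where firewalld is stopped and nftables.service is used instead.

flush ruleset

define INET_DEV = enp1s0
define ADMIN_TCP = { 22 }        # TCP ports reachable from the Internet-facing interface

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Replies to connections this host opened, and anything already accepted
        ct state established,related accept
        ct state invalid drop

        iif "lo" accept

        # ICMP/ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery
        meta l4proto { icmp, ipv6-icmp } accept

        # New inbound connections are only allowed on the defined ports
        iifname $INET_DEV tcp dport $ADMIN_TCP ct state new accept

        # Count and log everything that falls through, so drops can be audited in the journal
        counter log prefix "nft-input-drop: " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}

# Site-specific rules live in their own files; an empty directory is fine
include "/etc/nftables/rulesets/*.nft"
```

Check the syntax with "nft -c -f /etc/nftables/example_firewall.nft" before loading it; because the whole file is applied as one transaction, either every rule is installed or none is, which is the atomic update the "Why replace iptables?" section refers to.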