从iptables过渡到nftables

精彩文章免费看

从iptables迁移到nftables

cloudFans

简书作者
2022-06-16 10:12IP属地: 吉林

基于iptables-save 为文件,然后导入即可


% iptables-save  > iptables.txt
% iptables-nft-restore < iptables.txt



% iptables-nft-save 
# Generated by xtables-save v1.6.0 (nf_tables) on Sat Dec 24 14:51:41 2016
*filter
:INPUT ACCEPT [19:1283]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18:2487]
-A FORWARD -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Dec 24 14:51:41 2016

% nft list ruleset
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }

    chain FORWARD {
        type filter hook forward priority 0; policy accept;
        ip protocol tcp tcp dport 22 ct state new counter packets 0 bytes 0 accept
    }

    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
 

==> iptables-mangle <==
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N SSTP_OUTPUT
-N SSTP_PREROUTING
-N SSTP_QUIC
-A PREROUTING -j SSTP_PREROUTING
-A OUTPUT -j SSTP_OUTPUT
-A SSTP_OUTPUT -p udp -m udp --dport 443 -m conntrack --ctdir ORIGINAL -m addrtype ! --dst-type LOCAL -m owner ! --gid-owner 1001 -j SSTP_QUIC
-A SSTP_PREROUTING -p udp -m udp --dport 443 -m conntrack --ctdir ORIGINAL -m addrtype ! --dst-type LOCAL -j SSTP_QUIC
-A SSTP_QUIC -m set --match-set sstp_white dst -m set ! --match-set sstp_black dst -j RETURN
-A SSTP_QUIC -j DROP

==> iptables-nat <==
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N SSTP_OUTPUT
-N SSTP_POSTROUTING
-N SSTP_PREROUTING
-N SSTP_RULE
-A PREROUTING -j SSTP_PREROUTING
-A OUTPUT -j SSTP_OUTPUT
-A POSTROUTING -j SSTP_POSTROUTING
-A SSTP_OUTPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m addrtype ! --dst-type LOCAL -m owner ! --gid-owner 1001 -j SSTP_RULE
-A SSTP_OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m owner ! --gid-owner 1001 -m owner ! --gid-owner 1002 -j REDIRECT --to-ports 60053
-A SSTP_POSTROUTING ! -s 127.0.0.1/32 -d 127.0.0.1/32 -j SNAT --to-source 127.0.0.1
-A SSTP_PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m addrtype ! --src-type LOCAL ! --dst-type LOCAL -j SSTP_RULE
-A SSTP_PREROUTING -p udp -m udp --dport 53 -m conntrack --ctstate NEW -m addrtype ! --src-type LOCAL -j REDIRECT --to-ports 60053
-A SSTP_RULE -m set --match-set sstp_white dst -m set ! --match-set sstp_black dst -j RETURN
-A SSTP_RULE -p tcp -j DNAT --to-destination 127.0.0.1:60080

参考: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables

© 著作权归作者所有,转载或内容合作请联系作者
 

点赞赚钻最高日赚数百

 
赞 (0)
cloudFans
小礼物走一走,来简书关注我
下载简书,随时随地看好文
 
暂无评论
智慧如你,不想  咩~
 
 
 
创作你的创作,接受世界的赞赏
||热门文章
 
 
posted @ 2024-02-02 20:29  技术颜良  阅读(296)  评论(0)    收藏  举报