nftables体验

#!/usr/sbin/nft -f

# Flush all existing ruleset
# NOTE: this clears every table currently in the kernel, including rules
# installed by other tools or services, before the rules below are loaded.
flush ruleset

# Define the table and chain.  Family "inet" covers both IPv4 and IPv6;
# the "ip saddr" rule below matches IPv4 packets only.
table inet my_filter {
    chain input_chain {
        # Hook the input path.  The chain policy is accept, so any packet no
        # rule matches is allowed; only the explicit "drop" below restricts traffic.
        type filter hook input priority 0; policy accept;

        # Accept packets of established and related connections.
        # This rule precedes the drop rule, so replies to connections this host
        # itself opened towards 192.168.x.x hosts are still accepted.
        ct state {established, related} accept

        # Block connections from the private-network address range.
        # NOTE(review): with a /16 mask this matches all of 192.168.0.0/16,
        # not only 192.168.31.0/24 -- confirm which was intended.
        # Only this one RFC 1918 range is covered: 10.0.0.0/8 and 172.16.0.0/12
        # are not listed, and there is no ip6 counterpart for IPv6 sources.
        ip saddr 192.168.31.0/16 drop

        # Accept everything arriving on the loopback interface.
        iifname "lo" accept
    }
}

sudo nft flush ruleset 清除内核所有规则

sudo systemctl start nftables 加载规则

sudo nft list ruleset 查看当前规则
