1. A simple firewall
2. Typical workstation (separate IPv4 and IPv6)
3. Editing rules
4. Disable iptables and ip6tables, enable nftables
5. More links
Arch Linux enables IPv6 by default, so the firewall has to filter IPv6 as well as IPv4.
iptables: (iptables, ip6tables); nftables: (nft's ip and ip6 address families, or the inet family, which covers both).

1. A simple firewall

$ sudo nft list ruleset
Looking at the shipped file: one filter table of family inet (IPv4 and IPv6) containing 3 chains; the input chain holds 6 rules, in this order...
$ cat /etc/nftables.conf
table inet filter {
  chain input {
    1 accept  established and related packets
    2 drop    invalid packets
    3 accept  the loopback interface lo
    4 accept  icmp
    5 accept  ssh
    6 reject  everything else  }
  chain forward { drop all forwarded packets }
  chain output  { accept }}

2. Typical workstation (separate IPv4 and IPv6)


#!/bin/nft -f

flush ruleset

# ----- IPv4 -----
table ip filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
		iif lo accept comment "accept loopback"
		iif != lo ip daddr 127.0.0.0/8 counter drop comment "drop connections to loopback not coming from loopback"
		ip protocol icmp counter accept comment "accept all ICMP types"
		tcp dport 22 counter accept comment "accept SSH"
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		counter comment "count dropped packets"
	}

	# If you're not counting packets, this chain can be omitted.
	chain output {
		type filter hook output priority 0; policy accept;
		counter comment "count accepted packets"
	}
}

# ----- IPv6 -----
table ip6 filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
		iif lo accept comment "accept loopback"
		iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
		tcp dport 22 counter accept comment "accept SSH"
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		counter comment "count dropped packets"
	}

	# If you're not counting packets, this chain can be omitted.
	chain output {
		type filter hook output priority 0; policy accept;
		counter comment "count accepted packets"
	}
}
Compared with the ruleset shipped with the nftables package, this adds one rule: drop connections to the loopback addresses (127.0.0.0/8, ::1) that do not arrive on lo. It also adds counters, and IPv4 and IPv6 are configured as two separate tables, so the packets filtered by each family can be read off separately.
Two points to check before loading it. The loopback drop rule must carry its address, `ip daddr 127.0.0.0/8`; without an address nft rejects the file. And `ip6 nexthdr icmpv6` only matches when ICMPv6 is the header immediately after the IPv6 header, so a packet that carries an extension header first slips past it; `meta l4proto ipv6-icmp` matches the transport protocol regardless of extension headers. Either way, keep ICMPv6 accepted: neighbour discovery and router advertisements depend on it.
To use this, copy the contents into /etc/nftables.conf, then restart nftables.service to load the new configuration. Confirm what the kernel actually holds with:
$ sudo nft list ruleset
The same rules can also be written once, in a single table of the inet family, which the kernel applies to both IPv4 and IPv6 (the combined IPv4/IPv6 workstation variant):
#!/bin/nft -f

flush ruleset

table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state invalid counter drop comment "early drop of invalid packets"
		ct state {established, related} counter accept comment "accept all connections related to connections made by us"
		iif lo accept comment "accept loopback"
		iif != lo ip daddr 127.0.0.0/8 counter drop comment "drop connections to loopback not coming from loopback"
		iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
		ip protocol icmp counter accept comment "accept all ICMP types"
		ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
		tcp dport 22 counter accept comment "accept SSH"
		counter comment "count dropped packets"
	}

	chain forward {
		type filter hook forward priority 0; policy drop;
		counter comment "count dropped packets"
	}

	# If you're not counting packets, this chain can be omitted.
	chain output {
		type filter hook output priority 0; policy accept;
		counter comment "count accepted packets"
	}
}

3. Editing rules

An ordinary user who does not need SSH can delete the `tcp dport 22` line. To open additional ports, add lines following the same pattern (before the final `counter` rule, since rules are evaluated in order); after saving the file, restart the service.

$ sudo nft add rule family_type table_name chain_name handle handle_value statement
$ sudo nft insert rule family_type table_name chain_name handle handle_value statement
`add rule ... handle N` places the new rule after the rule with handle N; `insert rule ... handle N` places it before. An individual rule can only be deleted by its handle, so the handle must first be looked up with nft's --handle (-a) switch, which makes nft print the handle of every object in its listing (--numeric prints ports and addresses as numbers instead of service names):
$ sudo nft --handle --numeric list ruleset
$ sudo nft delete rule inet my_table my_input handle 10

Atomic reloading
Start the file with a flush of the current ruleset (the redirection is done by your own shell, so sudo is not needed to write into /tmp):
$ echo "flush ruleset" > /tmp/nftables
Dump the current ruleset after it; -s (--stateless) omits counter and quota state so the dump re-applies cleanly:
$ sudo nft -s list ruleset >> /tmp/nftables
Now you can edit /tmp/nftables and apply your changes with:
$ sudo nft -f /tmp/nftables
nft -f applies the whole file in one transaction: if any line is rejected, the running ruleset is left untouched rather than half-replaced.
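The editing workflow above (open a port, find a rule's handle, delete by handle, check and reload the file atomically), as an added shell example that is not part of this page or of the nftables project. It assumes the inet `filter` table and `input` chain layout used on this page; `gen_ruleset`, `rule_handle`, `delete_rule` and `apply_ruleset` are hypothetical helper names, and `SAMPLE_LISTING` is a constructed imitation of `nft --handle list` output, not a capture from a real host, so the handle lookup can be exercised without root. The commands that touch the live firewall only run when the script is invoked with `--run` on a host that has nft.

```shell
#!/bin/sh
# Added example (not from the page or the nftables project): helpers for editing
# an nftables ruleset. Assumes the inet "filter" table / "input" chain layout
# used on this page; the helper names are hypothetical.
set -e

# Render a complete inet ruleset that accepts the given TCP ports (e.g. "22 443").
# The ports go into one anonymous set, so opening another service means editing
# one line instead of appending a rule per port. An empty list opens nothing.
gen_ruleset() {
    list=$1
    set -- $list            # split the port list on whitespace (intentional)
    ports=""
    for p in "$@"; do
        ports="${ports:+$ports, }$p"
    done
    port_rule=""
    if [ -n "$ports" ]; then
        port_rule="tcp dport { $ports } counter accept comment \"accept listed TCP services\""
    fi
    cat <<EOF
#!/usr/bin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        ct state {established, related} counter accept comment "accept tracked connections"
        iif lo accept comment "accept loopback"
        iif != lo ip daddr 127.0.0.0/8 counter drop comment "drop non-loopback traffic to 127/8"
        iif != lo ip6 daddr ::1/128 counter drop comment "drop non-loopback traffic to ::1"
        ip protocol icmp counter accept comment "accept ICMP"
        meta l4proto ipv6-icmp counter accept comment "accept ICMPv6 (neighbour discovery needs it)"
        $port_rule
        counter comment "count dropped packets"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# Print the handle of the first rule in an `nft --handle list ...` listing (read
# from stdin) whose text matches an extended regex. nft ends each object with
# "# handle N", so the handle is the last field of the matching line.
rule_handle() {
    awk -v pat="$1" '$0 ~ pat && /# handle [0-9]+$/ { print $NF; exit }'
}

# Constructed sample of `nft --handle list chain inet filter input` output
# (not captured from a real host), so the lookup can be tried without root.
SAMPLE_LISTING='table inet filter {
    chain input { # handle 1
        type filter hook input priority 0; policy drop;
        ct state invalid counter packets 0 bytes 0 drop comment "early drop of invalid packets" # handle 4
        tcp dport 22 counter packets 3 bytes 180 accept comment "accept SSH" # handle 9
    }
}'

demo_handle() { printf '%s\n' "$SAMPLE_LISTING" | rule_handle 'tcp dport 22'; }   # prints 9

# Delete a rule by its text: look the handle up first, because a single rule can
# only be deleted by handle. Fails cleanly when nothing matches.
delete_rule() {   # delete_rule <family> <table> <chain> <regex>
    h=$(nft --handle list chain "$1" "$2" "$3" | rule_handle "$4")
    if [ -z "$h" ]; then
        echo "no rule matching '$4' in $1 $2 $3" >&2
        return 1
    fi
    nft delete rule "$1" "$2" "$3" handle "$h"
}

# Check a ruleset file without loading it (nft -c), then load it with nft -f,
# which applies the whole file in one transaction: a rejected file leaves the
# running ruleset untouched instead of half-applied.
apply_ruleset() {   # apply_ruleset <file>
    if ! nft -c -f "$1"; then
        echo "ruleset rejected, nothing changed" >&2
        return 1
    fi
    nft -f "$1"
}

# Only touch the live firewall when asked to and when nft is present (needs root).
if [ "x${1:-}" = "x--run" ] && command -v nft >/dev/null 2>&1; then
    gen_ruleset "22 443" > /tmp/nftables.new
    apply_ruleset /tmp/nftables.new
    nft --handle list chain inet filter input
    # e.g. delete_rule inet filter input 'tcp dport'   closes the listed ports again
fi
```

`rule_handle` matches on the rule text rather than on a position, so it keeps working after other rules are added above it; `apply_ruleset` uses `nft -c` as the pre-flight check so that a typo in the file never takes the firewall down halfway through a reload.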

ADDRESS FAMILIES (family_type)
A simple firewall only needs the first three families (ip and ip6, or inet).
  • ip       IPv4 address family. This is the default; it is used when no family is given.
  • ip6      IPv6 address family.
  • inet     Internet (IPv4/IPv6) address family.
  • arp      ARP address family, handling IPv4 ARP packets.
  • bridge   Bridge address family, handling packets which traverse a bridge device.
  • netdev   Netdev address family, handling packets from ingress.

4. Disable iptables and ip6tables, enable nftables

$ sudo systemctl disable iptables.service
Removed /etc/systemd/system/multi-user.target.wants/iptables.service.
$ sudo systemctl disable ip6tables.service
Removed /etc/systemd/system/multi-user.target.wants/ip6tables.service.
$ sudo systemctl enable nftables.service
Created symlink /etc/systemd/system/multi-user.target.wants/nftables.service → /usr/lib/systemd/system/nftables.service.

5. More links
