Nftables
- The nftables HOWTO documentation page https://wiki.nftables.org/wiki-nftables/index.php/Main_Page
- Debian - nftables https://wiki.debian.org/nftables
- Kernel Recipes 2013 - Nftables, what motivations and what solutions https://www.slideshare.net/ennael/2013-kernel-recipesnftables
- Kernel/VM Tankentai #11 (第11回 カーネル/VM探検隊) - nftables: the Next Generation Firewall in Linux https://www.slideshare.net/s1061123/nftables-the-next-generation-firewall-in-linux
Ubuntu 18.04 install
$ sudo -i
# apt update
# apt install -y nftables iptables-nftables-compat
# apt purge -y iptables
# nft -v
nftables v0.8.2 (Joe Btfsplk)
# reboot
Usage sample
Checking the tables
# nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# nft list table inet filter
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# nft list chain inet filter input
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
}
}
Blocking example
# nft add rule inet filter output tcp dport 443 counter drop
# curl -v https://www.juniper.net/
* Trying 2001:f61:11:296::720...
* TCP_NODELAY set
* Trying 23.37.149.150...
* TCP_NODELAY set
^C
# nft list chain inet filter output
table inet filter {
chain output {
type filter hook output priority 0; policy accept;
tcp dport https counter packets 6 bytes 420 drop
}
}
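Rules added with nft add rule, as above, live only in the running kernel and are gone after a reboot. The following is an added example, not part of the original page: a small shell script that writes the same "drop outbound 443 with a counter" rule into a complete inet filter ruleset with a default-deny input chain, syntax-checks the file with a dry run (nft -c -f) before loading it atomically with nft -f, and parses the packet count back out of nft list chain output the way the curl test above was verified. It assumes nft is installed and that /etc/nftables.conf is the file Debian/Ubuntu's nftables.service loads at boot; the live firewall is only touched when the script is invoked with the argument "apply" as root.

```shell
#!/bin/sh
# Added example (not from the original page): persistent inet filter ruleset
# containing the page's outbound-443 drop rule, with dry-run check, atomic
# load and counter read-back. Assumes nft is installed and that
# /etc/nftables.conf is what nftables.service loads on boot (Debian/Ubuntu).
set -eu

# Write the ruleset to the file given as $1. "flush ruleset" at the top makes
# every load replace the previous state instead of appending duplicate rules.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid counter drop
        tcp dport 22 counter accept
        # everything else is counted and logged before being dropped
        counter log prefix "nft-input-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # the page's example: block and count outbound HTTPS
        tcp dport 443 counter drop
    }
}
EOF
}

# Parse-only check: nft -c exits non-zero on a syntax or semantic error
# without touching the live ruleset.
check_ruleset() {
    nft -c -f "$1"
}

# Atomic load: the whole file is applied in one transaction, so an error
# halfway through leaves the previous ruleset in place.
apply_ruleset() {
    check_ruleset "$1" && nft -f "$1"
}

# Read the text of `nft list chain ...` on stdin and print the packet count
# of the first "counter packets N bytes M drop" rule (nothing if none).
dropped_packets() {
    awk '/counter packets/ && /drop/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "packets") { print $(i + 1); exit }
         }'
}

# Only touch the live firewall when explicitly asked (requires root).
if [ "${1:-}" = "apply" ]; then
    write_ruleset /etc/nftables.conf
    apply_ruleset /etc/nftables.conf
    nft list chain inet filter output | dropped_packets
fi
```

Running the script as `sh nft-persist.sh apply` as root installs the ruleset and prints how many outbound HTTPS packets have already been dropped; running it without arguments does nothing to the system, which is also what lets the helper functions be tested offline.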
Migrating from iptables
With iptables-nftables-compat installed, iptables commands can be converted into their nftables equivalents using iptables-translate.
# iptables-translate -F INPUT
nft flush chain ip filter INPUT
(*) nft flush chain inet filter input
# iptables-translate -L INPUT
nft list table ip filter
(*) nft list table inet filter
# iptables-translate -A INPUT -p tcp --sport 50001 --dport 60001 -j DROP
nft add rule ip filter INPUT tcp sport 50001 tcp dport 60001 counter drop
(*) nft add rule inet filter input tcp sport 50001 tcp dport 60001 counter drop
# iptables-translate -I INPUT 1 -p tcp --sport 50001 --dport 60001 -j DROP
nft insert rule ip filter INPUT tcp sport 50001 tcp dport 60001 counter drop
(*) nft insert rule inet filter input tcp sport 50001 tcp dport 60001 counter drop
The translation is slightly off, though (for example the translator emits ip where this ruleset uses inet), so the lines marked (*) should be the correct ones.
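The translator is not wrong as such: it emits the ip-family table and upper-case chain names that iptables itself uses, and those simply do not exist in the inet filter table shown above. The filter below is an added example, not part of the original page, that rewrites iptables-translate output to the (*) form in one pass: the family becomes inet, the builtin chain names INPUT/FORWARD/OUTPUT become lower-case, and anything else on the line is left alone. It assumes the target chains already exist under those names. One caveat worth keeping in mind: an ip (IPv4-only) rule moved into an inet table matches IPv6 traffic too; passing 1 as the first argument preserves the original family by prefixing the rule with a meta nfproto match.

```shell
#!/bin/sh
# Added example (not from the original page): rewrite iptables-translate
# output from "ip filter INPUT" style names to the "inet filter input" names
# used in the page's ruleset. Assumes those chains exist in table inet filter.
set -eu

# Read translated nft commands on stdin, write rewritten commands on stdout.
# Usage: to_inet [keep_family]   (keep_family=1 adds "meta nfproto ipv4|ipv6"
# to rule commands so an IPv4-only or IPv6-only rule keeps its scope).
to_inet() {
    awk -v keep="${1:-0}" '
    {
        # locate the "<family> filter [<CHAIN>]" part of the command; match
        # expressions like "ip saddr" are not followed by "filter", so they
        # are never touched.
        for (i = 1; i < NF; i++) {
            if (($i == "ip" || $i == "ip6") && $(i + 1) == "filter") {
                proto = ($i == "ip") ? "ipv4" : "ipv6"
                $i = "inet"
                if (i + 2 <= NF) {
                    c = $(i + 2)
                    # only the builtin chains are renamed; user chains keep
                    # whatever name they were created with
                    if (c == "INPUT" || c == "FORWARD" || c == "OUTPUT")
                        $(i + 2) = tolower(c)
                    # rule commands (add/insert/delete rule) may keep their
                    # original address family via a meta nfproto match
                    if (keep == 1 && $3 == "rule")
                        $(i + 2) = $(i + 2) " meta nfproto " proto
                }
                break
            }
        }
        print
    }'
}

# Translate one iptables command line and rewrite it in a single step.
# Usage: translate_to_inet -A INPUT -p tcp --dport 22 -j ACCEPT
translate_to_inet() {
    iptables-translate "$@" | to_inet
}
```

Piping the page's examples through it gives exactly the (*) lines: nft flush chain ip filter INPUT becomes nft flush chain inet filter input, and nft list table ip filter becomes nft list table inet filter. The same filter works on ip6tables-translate output, so IPv4 and IPv6 rule sets can be merged into the single inet table, which is one of the reasons to prefer inet in the first place.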
Last updated: 2021-05-17 02:51:56