Minimal secure server (recommended)

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;                          # anything not matched below is dropped

        iif lo accept                         # loopback
        ct state established,related accept   # replies to connections we initiated

        tcp dport 22 accept                   # SSH
        # (optional) tcp dport { 80, 443 } accept
    }

    chain forward {
        type filter hook forward priority 0;  # base chain: without a hook the policy never applies
        policy drop;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}

SSH brute-force protection (advanced)

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        ct state established,related accept
        iif lo accept

        tcp dport 22 ct state new limit rate 5/minute accept   # excess new SSH connections fall through to policy drop
    }
}

Allow SSH only from specified IPs (strong security)

# inside table inet filter:
set ssh_whitelist {
    type ipv4_addr
    elements = { 1.1.1.1 }    # replace with your own admin address(es)
}

# in chain input, replacing the plain "tcp dport 22 accept":
tcp dport 22 ip saddr @ssh_whitelist accept

Port forwarding (reverse proxy)

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;

        # DNAT to loopback only works if the kernel allows it:
        # sysctl -w net.ipv4.conf.all.route_localnet=1
        tcp dport 80 dnat to 127.0.0.1:8080
    }
}

Integration with CrowdSec (strongly recommended)

If you use CrowdSec:

  • attacking IPs are banned automatically
  • the nftables blacklist is updated in real time

Check (lists the registered bouncers):

cscli bouncers list

Advanced: dynamic blacklist

# inside table inet filter:
set blacklist {
    type ipv4_addr
    flags timeout        # elements expire on their own
}

# in chain input, before any accept rule:
# ip saddr @blacklist drop

Add an address (expires after one hour):

nft add element inet filter blacklist { 1.2.3.4 timeout 1h }
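As an added example (not part of the original notes), the following POSIX shell script shows how the dynamic blacklist above can be fed: it counts failed SSH logins per source address in a constructed sample log, skips whitelisted and malformed addresses, and prints the matching `nft add element ... timeout` commands as a dry run. The log lines, the threshold and the `WHITELIST` value are assumptions.

```shell
#!/bin/sh
# Constructed sshd auth-log sample (not real data); addresses come from the
# RFC 5737 documentation ranges.
SAMPLE_LOG='Jan 10 10:00:01 srv sshd[111]: Failed password for root from 203.0.113.5 port 4000 ssh2
Jan 10 10:00:02 srv sshd[111]: Failed password for root from 203.0.113.5 port 4001 ssh2
Jan 10 10:00:03 srv sshd[111]: Failed password for admin from 203.0.113.5 port 4002 ssh2
Jan 10 10:00:04 srv sshd[112]: Failed password for root from 198.51.100.7 port 5000 ssh2
Jan 10 10:00:05 srv sshd[113]: Accepted publickey for ops from 192.0.2.10 port 6000 ssh2
Jan 10 10:00:06 srv sshd[114]: Failed password for root from not-an-ip port 7000 ssh2'

# Admin addresses that must never be banned (assumed; mirrors the ssh_whitelist set).
WHITELIST="192.0.2.10"

# Accept only a dotted quad with every octet in 0..255, so that nothing but a
# clean address is ever spliced into an nft command line.
is_ipv4() {
    printf '%s' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        END { if (NR == 0) exit 1 }'
}

# Count "Failed password" events per source address in the sample log and
# print (sorted) every address that reached the threshold.
offenders() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v t="$1" '
        /Failed password/ {
            ip = ""
            for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") n[ip]++
        }
        END { for (ip in n) if (n[ip] >= t) print ip }' | sort
}

# Build one "nft add element" command per offender for the timeout set,
# skipping whitelisted and malformed addresses. Dry run: the commands are
# printed, not executed; pipe them into sh on a host where the set exists.
ban_commands() {
    threshold="$1"; ttl="$2"
    for ip in $(offenders "$threshold"); do
        case " $WHITELIST " in *" $ip "*) continue ;; esac
        is_ipv4 "$ip" || continue
        printf 'nft add element inet filter blacklist { %s timeout %s }\n' "$ip" "$ttl"
    done
}

ban_commands 3 1h
```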