# nftables examples

### Minimal secure server (recommended)

```nft
table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery; without the ICMPv6 types
        # below, IPv6 neighbour discovery breaks and v6 stops working
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        tcp dport 22 accept
        # (optional) tcp dport { 80, 443 } accept
    }

    # forward and output need a hook line too: a chain without one is a
    # regular chain, and the kernel refuses to set a policy on it
    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
```

### SSH brute-force protection (advanced)

A plain `limit rate 5/minute` on the SSH rule is one counter shared by everyone: a single attacker exhausts it and legitimate logins are locked out with it. The limit has to be kept per source address, which nftables does with a dynamic set:

```nft
table inet filter {
    # one entry per source address; an entry expires a minute after the
    # source's last new SSH connection
    set ssh_meter {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65536
    }

    chain input {
        type filter hook input priority 0;
        policy drop;

        ct state established,related accept
        iif lo accept

        # a source that opens more than 5 new SSH connections per minute is
        # dropped, everyone else is accepted. "ip saddr" matches IPv4 only;
        # repeat the pair with an ipv6_addr set and "ip6 saddr" if SSH is
        # reachable over IPv6
        tcp dport 22 ct state new update @ssh_meter { ip saddr limit rate over 5/minute } drop
        tcp dport 22 ct state new accept
    }
}
```

### Allow SSH only from specific IPs (strongest)

A set alone does nothing; it has to live in a table and be referenced by a rule in a base chain:

```nft
table inet filter {
    set ssh_whitelist {
        type ipv4_addr
        elements = { 1.1.1.1 }   # replace with your admin address(es)
    }
    chain input {
        type filter hook input priority 0;
        policy drop;
        iif lo accept
        ct state established,related accept
        # replaces the unconditional "tcp dport 22 accept"; other sources hit the drop policy
        tcp dport 22 ip saddr @ssh_whitelist accept
    }
}
```

`ip saddr` matches IPv4 only, so in the `inet` family SSH over IPv6 is dropped unless you add an `ipv6_addr` set matched with `ip6 saddr`. Before loading this, make sure the whitelist contains the address you are connecting from: the current session survives through the established rule, but no new one will be accepted.

### Port forwarding (DNAT to a local backend)

```nft
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;

        # Sending external traffic to a loopback address only works with
        # sysctl net.ipv4.conf.all.route_localnet=1; otherwise the kernel
        # discards it as a martian. After DNAT the packet reaches the filter
        # input hook with dport 8080, so that port (not 80) must be accepted there.
        tcp dport 80 dnat to 127.0.0.1:8080
    }
}
```
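The two things the fragment above leaves implicit, as an added example (not the page's own ruleset): the filter rule the redirected packet still has to pass, and a `redirect` variant that does not need `route_localnet`. The port numbers are the page's; the filter chain layout is assumed to be the minimal ruleset from the first section.

```nft
# Added example, not part of the original page.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;

        # Variant A (as on the page): DNAT to the loopback listener.
        # Requires net.ipv4.conf.all.route_localnet=1.
        tcp dport 80 dnat to 127.0.0.1:8080

        # Variant B: rewrite only the port. The packet keeps the address it
        # arrived on, so the backend must listen on that address (or 0.0.0.0),
        # not just 127.0.0.1, but no sysctl change is needed.
        # tcp dport 80 redirect to :8080
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;

        iif lo accept
        ct state established,related accept

        # The DNAT'd packet arrives here with dport 8080 on the external
        # interface (not lo), so accepting 80 alone would drop it.
        tcp dport 8080 accept
    }
}
```

Check which variant is active and what the conntrack entry looks like with `conntrack -L -p tcp --dport 80` after a test request; the reply translation is handled by conntrack, so no separate postrouting rule is needed for the return direction.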

### Integration with CrowdSec (strongly recommended)

If you run CrowdSec with its firewall bouncer:

- attacking IPs are banned automatically
- the bouncer keeps an nftables blacklist set updated in real time, so nothing has to be added by hand

Check that the bouncer is registered and what it has installed:

```bash
cscli bouncers list                    # the firewall bouncer should be listed
cscli decisions list                   # active bans the bouncer is expected to enforce
nft list ruleset | grep -i crowdsec    # the table/set the bouncer created
```

### Advanced: dynamic blacklist

```nft
table inet filter {
    set blacklist {
        type ipv4_addr
        flags timeout
    }
    chain input {
        # must sit ahead of every accept rule, including "ct state established",
        # or a listed host keeps the connections it already has
        ip saddr @blacklist drop
    }
}
```

Loaded on its own with `nft -f`, this appends the rule to the end of the existing `input` chain, after the accept rules; in the real ruleset the rule goes at the top of the chain.

Add an entry (it expires on its own after one hour), inspect, and lift it early:

```bash
nft add element inet filter blacklist { 1.2.3.4 timeout 1h }   # ban for one hour
nft list set inet filter blacklist                             # entries with remaining time
nft delete element inet filter blacklist { 1.2.3.4 }           # remove the ban early
```
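The fragments on this page only work together if the rules are evaluated in the right order: bans before the conntrack accept, the per-source meter before the SSH accept, the whitelist instead of the unconditional SSH rule. The ruleset below merges them in that order. It is an added example, not a ruleset from the original page; the set names, the RFC 5737 placeholder addresses and the logging rule are assumptions. Note that `flush ruleset` removes every table, including tables installed by other tools such as the CrowdSec bouncer, so those have to be reloaded afterwards (or point the bouncer at the `blacklist` set here).

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original page: the fragments above merged
# into one ruleset in evaluation order. Addresses are placeholders.
flush ruleset

table inet filter {
    # fed by hand (nft add element) or by a tool such as the CrowdSec bouncer
    # if it is configured to manage this set; entries expire
    set blacklist {
        type ipv4_addr
        flags timeout
    }
    set blacklist6 {
        type ipv6_addr
        flags timeout
    }
    # admin sources allowed to open SSH (placeholder ranges)
    set ssh_whitelist {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }
    # per-source counter of new SSH connections
    set ssh_meter {
        type ipv4_addr
        flags dynamic
        timeout 1m
        size 65536
    }

    chain input {
        type filter hook input priority 0;
        policy drop;

        # 1. bans first, ahead of the conntrack accept, so a banned host
        #    also loses the connections it already has
        ip saddr @blacklist drop
        ip6 saddr @blacklist6 drop

        # 2. loopback and existing connections
        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # 3. ICMP for path MTU discovery and IPv6 neighbour discovery
        icmp type { echo-request, destination-unreachable, time-exceeded, parameter-problem } accept
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, echo-request, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # 4. SSH: per-source rate limit first, then require a whitelisted source
        #    (IPv4 only here; add an ipv6_addr whitelist for SSH over IPv6)
        tcp dport 22 ct state new update @ssh_meter { ip saddr limit rate over 5/minute } drop
        tcp dport 22 ip saddr @ssh_whitelist accept

        # 5. public services
        tcp dport { 80, 443 } accept

        # everything else falls through to the drop policy; log a sample of it
        limit rate 10/minute log prefix "nft-drop: "
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
    }

    chain output {
        type filter hook output priority 0;
        policy accept;
    }
}
```

Validate it without touching the live ruleset with `nft -c -f ruleset.nft`, then load it with `nft -f ruleset.nft` from a session whose source address is in `ssh_whitelist`. Entries added later with `nft add element inet filter blacklist { ... timeout 1h }` take effect immediately because the `ip saddr @blacklist` lookup is evaluated on every packet.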