Nftables-cheat-sheet

Aus Xinux Wiki
Zur Navigation springen Zur Suche springen

nftables Cheat Sheet

Allgemeines

  • nftables ersetzt iptables, ip6tables, arptables, ebtables
  • Einheitliches Framework für IPv4/IPv6/ARP/Bridge
  • Regeln werden in Tabellen, Chains und Sets verwaltet

Dienstverwaltung

  • systemctl enable nftables
  • systemctl start nftables
  • systemctl restart nftables
  • systemctl status nftables

Regeln anzeigen

  • nft list ruleset
  • nft list tables
  • nft list chains
  • nft list chain inet filter input

Tabelle erstellen

  • nft add table inet filter

Chain hinzufügen

  • nft add chain inet filter input { type filter hook input priority 0; policy drop; }

Beispiel-Regeln hinzufügen

  • nft add rule inet filter input ct state established,related accept
  • nft add rule inet filter input iif lo accept
  • nft add rule inet filter input ip protocol icmp accept
  • nft add rule inet filter input tcp dport 22 accept
  • nft add rule inet filter input counter drop

Flush & Entfernen

  • nft flush ruleset
  • nft delete table inet filter
  • nft delete chain inet filter input

NAT Kommandos

  • nft add table inet nat
  • nft add chain inet nat prerouting { type nat hook prerouting priority dstnat; policy accept; }
  • nft add chain inet nat postrouting { type nat hook postrouting priority srcnat; policy accept; }
  • nft add rule inet nat prerouting dnat ip prefix to ip daddr map { 10.82.88.0/24 : 192.168.5.0/24 }
  • nft add rule inet nat postrouting snat ip prefix to ip saddr map { 192.168.5.0/24 : 10.82.88.0/24 }

Masquerade

  • nft add rule ip nat postrouting oif "eth0" masquerade

Counter & Logging

  • nft add rule inet filter input counter
  • nft add rule inet filter input log prefix "nftables: " flags all

Monitor & Debugging

  • nft monitor trace
  • nft list ruleset
  • nft list chain inet filter input

Paketmarkierung (Mangle-ähnlich)

  • nft add table inet mangle
  • nft add chain inet mangle prerouting { type filter hook prerouting priority -150; policy accept; }
  • nft add rule inet mangle prerouting ip saddr 192.168.1.0/24 meta mark set 0x10

Wichtiges zu Prioritäten

  • Kleinere Priority-Zahl = frühere Ausführung
  • Beispiele:
    • priority -150 → Mangle (früh)
    • priority 0 → Standard (Filter)
    • priority 100 → SNAT (spät)
Abgerufen von „http://wiki.ixheim.de/index.php?title=Nftables-cheat-sheet&oldid=61757