https://wiki.ixheim.de/index.php?action=history&feed=atom&title=Nftables-cheat-sheet 2026-05-15T02:09:10Z Versionsgeschichte dieser Seite in Xinux Wiki MediaWiki 1.35.1 https://wiki.ixheim.de/index.php?title=Nftables-cheat-sheet&diff=61757&oldid=prev 2025-04-15T05:01:59Z

<p>Die Seite wurde neu angelegt: „== nftables Cheat Sheet == == Allgemeines == *nftables ersetzt iptables, ip6tables, arptables, ebtables *Einheitliches Framework für IPv4/IPv6/ARP/Bridge *Re…“</p> <p><b>Neue Seite</b></p><div>== nftables Cheat Sheet ==<br /> <br /> == Allgemeines ==<br /> *nftables ersetzt iptables, ip6tables, arptables, ebtables<br /> *Einheitliches Framework für IPv4/IPv6/ARP/Bridge<br /> *Regeln werden in Tabellen, Chains und Sets verwaltet<br /> <br /> == Dienstverwaltung ==<br /> *systemctl enable nftables<br /> *systemctl start nftables<br /> *systemctl restart nftables<br /> *systemctl status nftables<br /> <br /> == Regeln anzeigen ==<br /> *nft list ruleset<br /> *nft list tables<br /> *nft list chains<br /> *nft list chain inet filter input<br /> <br /> == Tabelle erstellen ==<br /> *nft add table inet filter<br /> <br /> == Chain hinzufügen ==<br /> *nft add chain inet filter input { type filter hook input priority 0; policy drop; }<br /> <br /> == Beispiel-Regeln hinzufügen ==<br /> *nft add rule inet filter input ct state established,related accept<br /> *nft add rule inet filter input iif lo accept<br /> *nft add rule inet filter input ip protocol icmp accept<br /> *nft add rule inet filter input tcp dport 22 accept<br /> *nft add rule inet filter input counter drop<br /> <br /> == Flush &amp; Entfernen ==<br /> *nft flush ruleset<br /> *nft delete table inet filter<br /> *nft delete chain inet filter input<br /> <br /> == NAT Kommandos ==<br /> *nft add table inet nat<br /> *nft add chain inet nat prerouting { type nat hook prerouting priority dstnat; policy accept; }<br /> *nft add chain inet nat postrouting { type nat hook postrouting priority srcnat; policy accept; }<br /> *nft add rule inet nat prerouting dnat ip prefix to ip daddr map { 10.82.88.0/24 : 192.168.5.0/24 }<br /> *nft add rule inet nat postrouting snat ip prefix to ip saddr map { 192.168.5.0/24 : 10.82.88.0/24 }<br /> <br /> == Masquerade ==<br /> *nft add rule ip nat postrouting oif &quot;eth0&quot; masquerade<br /> <br /> == Counter &amp; Logging ==<br /> *nft add rule inet filter input counter<br /> *nft add rule inet filter input log prefix &quot;nftables: &quot; flags all<br /> <br /> == Monitor &amp; Debugging ==<br /> *nft monitor trace<br /> *nft list ruleset<br /> *nft list chain inet filter input<br /> <br /> == Paketmarkierung (Mangle-ähnlich) ==<br /> *nft add table inet mangle<br /> *nft add chain inet mangle prerouting { type filter hook prerouting priority -150; policy accept; }<br /> *nft add rule inet mangle prerouting ip saddr 192.168.1.0/24 meta mark set 0x10<br /> <br /> == Wichtiges zu Prioritäten ==<br /> *Kleinere Priority-Zahl = frühere Ausführung<br /> *Beispiele:<br /> **priority -150 → Mangle (früh)<br /> **priority 0 → Standard (Filter)<br /> **priority 100 → SNAT (spät)</div>

Thomas.will