安全:nftables的常用命令(查看规则)

一，nftables的地址簇和相应的iptables命令行工具

inet 同时适用于 IPv4 和 IPv6 的数据包，即统一了 ip 和 ip6 簇，可以更容易地定义规则，
通常我们在配置防火墙时都采用 inet 簇。

二，查看nftables的版本/帮助

1,查看版本

[root@blog ~]# nft --version
nftables v1.0.9 (Old Doc Yak #3)

2，查看nft命令的帮助:

[root@blog ~]# nft --help
Usage: nft [ options ] [ cmds... ]

Options (general):
  -h, --help                      Show this help
  -v, --version                   Show version information
  -V                              Show extended version information

Options (ruleset input handling):
  -f, --file <filename>           Read input from <filename>
  -D, --define <name=value>       Define variable, e.g. --define foo=1.2.3.4
  -i, --interactive               Read input from interactive CLI
  -I, --includepath <directory>   Add <directory> to the paths searched for include files. Default is: /etc
  -c, --check                     Check commands validity without actually applying the changes.
  -o, --optimize                  Optimize ruleset

Options (ruleset list formatting):
  -a, --handle                    Output rule handle.
  -s, --stateless                 Omit stateful information of ruleset.
  -t, --terse                     Omit contents of sets.
  -S, --service                   Translate ports to service names as described in /etc/services.
  -N, --reversedns                Translate IP addresses to names.
  -u, --guid                      Print UID/GID as defined in /etc/passwd and /etc/group.
  -n, --numeric                   Print fully numerical output.
  -y, --numeric-priority          Print chain priority numerically.
  -p, --numeric-protocol          Print layer 4 protocols numerically.
  -T, --numeric-time              Print time values numerically.

Options (command output formatting):
  -e, --echo                      Echo what has been added, inserted or replaced.
  -j, --json                      Format output in JSON
  -d, --debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, mnl, proto-ctx, segtree, all)

三，把iptables命令翻译成nftables命令:

[root@blog ~]# iptables-translate -A INPUT -p icmp -d 192.168.21.132 -j DROP
nft 'add rule ip filter INPUT ip protocol icmp ip daddr 192.168.21.132 counter drop'

四，列出所有的规则集合:

[root@blog ~]# nft list ruleset 

五，清除所有规则:

nft flush ruleset

六，列出所有的表:

[root@blog ~]# nft list tables
table ip filter
table inet firewalld

七，列出所有的链

相比列出所有规则，没有详细的规则

[root@blog ~]# nft list chains 
table ip filter {
}
table inet firewalld {
        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
        } 
...

八，列出指定表/链下的规则:

列出指定表下的规则

[root@blog ~]# nft list table inet firewalld 

列出指定链下的规则

[root@blog ~]# nft list chain inet firewalld mangle_PREROUTING
table inet firewalld {
        chain mangle_PREROUTING {
                type filter hook prerouting priority mangle + 10; policy accept;
                jump mangle_PREROUTING_ZONES
        }
}