一,nftables的地址簇和相应的iptables命令行工具
nftables的地址簇 | iptables命令行工具 |
ip 仅匹配 IPv4 数据包。如果没有指定地址系列,这是默认设置 | iptables |
ip6 | ip6tables |
inet | iptables和ip6tables |
arp | arptables |
bridge | ebtables |
inet 同时适用于 IPv4 和 IPv6 的数据包,即统一了 ip 和 ip6 簇,可以更容易地定义规则,
通常我们在配置防火墙时都采用 inet 簇。
二,查看nftables的版本/帮助
1,查看版本
[root@blog ~]# nft --version
nftables v1.0.9 (Old Doc Yak #3)
2,查看nft命令的帮助:
[root@blog ~]# nft --help
Usage: nft [ options ] [ cmds... ]
Options (general):
-h, --help Show this help
-v, --version Show version information
-V Show extended version information
Options (ruleset input handling):
-f, --file <filename> Read input from <filename>
-D, --define <name=value> Define variable, e.g. --define foo=1.2.3.4
-i, --interactive Read input from interactive CLI
-I, --includepath <directory> Add <directory> to the paths searched for include files. Default is: /etc
-c, --check Check commands validity without actually applying the changes.
-o, --optimize Optimize ruleset
Options (ruleset list formatting):
-a, --handle Output rule handle.
-s, --stateless Omit stateful information of ruleset.
-t, --terse Omit contents of sets.
-S, --service Translate ports to service names as described in /etc/services.
-N, --reversedns Translate IP addresses to names.
-u, --guid Print UID/GID as defined in /etc/passwd and /etc/group.
-n, --numeric Print fully numerical output.
-y, --numeric-priority Print chain priority numerically.
-p, --numeric-protocol Print layer 4 protocols numerically.
-T, --numeric-time Print time values numerically.
Options (command output formatting):
-e, --echo Echo what has been added, inserted or replaced.
-j, --json Format output in JSON
-d, --debug <level [,level...]> Specify debugging level (scanner, parser, eval, netlink, mnl, proto-ctx, segtree, all)
三,把iptables命令翻译成nftables命令:
[root@blog ~]# iptables-translate -A INPUT -p icmp -d 192.168.21.132 -j DROP
nft 'add rule ip filter INPUT ip protocol icmp ip daddr 192.168.21.132 counter drop'
四,列出所有的规则集合:
[root@blog ~]# nft list ruleset
五,清除所有规则:
nft flush ruleset
六,列出所有的表:
[root@blog ~]# nft list tables
table ip filter
table inet firewalld
七,列出所有的链
相比列出所有规则,没有详细的规则
[root@blog ~]# nft list chains
table ip filter {
}
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
}
...
八,列出指定表/链下的规则:
列出指定表下的规则
[root@blog ~]# nft list table inet firewalld
列出指定链下的规则
[root@blog ~]# nft list chain inet firewalld mangle_PREROUTING
table inet firewalld {
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
}
标签:查看,--,blog,nftables,inet,常用命令,root,nft From: https://www.cnblogs.com/architectforest/p/18390056