nftables command reference (columns: No. | Command | Purpose | Output | Notes)

1. nft -v
   Purpose: check the installed nftables version
   Output: nftables v1.0.6 (Lester Gooch #5)

2. apt install nftables
   Purpose: install nftables

3. nft flush ruleset
   Purpose: delete all rules

4. systemctl start nftables
   Purpose: start nftables

5. systemctl status nftables
   Purpose: check the status of the nftables firewall
   Output:
     ● nftables.service - nftables
          Loaded: loaded (/lib/systemd/system/nftables.service; enabled; preset: enabled)
          Active: active (exited) since Wed 2024-04-10 21:17:02 +07; 32min ago
            Docs: man:nft(8)
                  http://wiki.nftables.org
        Main PID: 252 (code=exited, status=0/SUCCESS)
             CPU: 207ms

     Apr 10 21:17:02 uptime59 systemd[1]: Finished nftables.service - nftables.
     Notice: journal has been rotated since unit was started, output may be incomplete.

6. sudo cat /etc/nftables.conf
   Purpose: inspect the contents of the nftables configuration file
   Output:
     flush ruleset
     table inet filter {
         chain input {
             type filter hook input priority filter; policy drop;
             ct state { established, related } accept
             ct state invalid drop
             iifname "lo" accept
             ip protocol icmp accept
             ip6 nexthdr ipv6-icmp accept
             tcp dport { 22, 80, 443 } accept
             udp dport {53, 67, 443, 1900, 5131, 5353} counter accept
             # accept syncthing
             # src: https://docs.syncthing.net/users/firewall.html
             tcp sport 22000 counter accept comment "accept syncthing"
             tcp dport 22000 counter accept comment "accept syncthing"
             udp sport {21027, 22000} counter accept comment "accept syncthing"
             udp dport {21027, 22000} counter accept comment "accept syncthing"
             reject with icmp port-unreachable
         }
         chain forward {
             type filter hook forward priority filter; policy accept;
         }
         chain output {
             type filter hook output priority filter; policy accept;
         }
     }
     table inet f2b-table {
         set addr-set-sshd {
             type ipv4_addr
             elements = { 24.128.147.10, 43.134.60.160,
                          218.92.0.56, 218.92.0.76 }
         }
         chain f2b-chain {
             type filter hook input priority filter - 1; policy accept;
             tcp dport 22 ip saddr @addr-set-sshd reject with icmp port-unreachable
         }
     }

7. nft add rule inet filter input tcp dport ssh accept
   Purpose: add a rule permitting port 22 (ssh) on the input chain

8. nft -f /etc/nftables.conf
   Purpose: apply the nftables configuration file

9. journalctl --boot=-0 --unit=nftables.service
   Purpose: check the nftables service log for the current boot

10. nft -s list ruleset | tee /etc/nftables.conf
    Purpose: save the running ruleset to the configuration file
    Notes: nft -s list ruleset does not emit the file header, so add these two lines at the top of the saved file:
      #!/usr/sbin/nft -f
      flush ruleset

11. systemctl status nftables.service
    Purpose: check the status of the nftables service
    Notes: the service only loads the configuration file; it does not keep running as a daemon. By default the rules are applied as soon as the file is loaded.
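Rows 8 and 10 describe saving the ruleset and applying it with nft -f, and note that the saved file needs a header. The following POSIX shell script is an added example, not part of the original table: it writes the file with that header, refuses to apply a file whose inet filter input chain has lost "policy drop", and syntax-checks with nft -c before loading. Function names and the sample ruleset are constructed for this example.

```shell
#!/bin/sh
# Added example: persist and apply an nftables ruleset as rows 8 and 10
# describe. Function names and SAMPLE_RULESET are constructed, not from the page.

# Constructed sample mirroring the page's inet filter input chain, as
# "nft -s list ruleset" would print it (no shebang, no "flush ruleset").
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state { established, related } accept
        iifname "lo" accept
        tcp dport { 22, 80, 443 } accept
        reject with icmp port-unreachable
    }
}'

# Write ruleset text from stdin to the file named by $1, prepending the two
# header lines nft -f expects. Any shebang or top-level "flush ruleset" already
# in the input is dropped so re-saving a saved file does not duplicate them.
write_ruleset_file() {
    {
        printf '%s\n' '#!/usr/sbin/nft -f' 'flush ruleset'
        awk '!/^#!/ && !/^flush ruleset[[:space:]]*$/'
    } > "$1"
}

# Return 0 only if the "chain input" definition that hooks input carries
# "policy drop". A saved file that lost it would accept every port once applied.
input_policy_is_drop() {
    awk '$1 == "chain" && $2 == "input" { in_chain = 1; next }
         in_chain && /hook input/      { ok = ($0 ~ /policy drop;/); exit }
         END                           { if (ok) exit 0; exit 1 }' "$1"
}

# Check the file, then apply it: nft -c parses without touching the kernel
# ruleset, nft -f loads it (row 8). Returns 2 when nft is not installed.
apply_ruleset_file() {
    input_policy_is_drop "$1" || { echo "refusing $1: input chain is not policy drop" >&2; return 1; }
    command -v nft >/dev/null 2>&1 || { echo "nft not installed; $1 checked only" >&2; return 2; }
    nft -c -f "$1" && nft -f "$1"
}
```

Typical use: `nft -s list ruleset | write_ruleset_file /etc/nftables.conf && apply_ruleset_file /etc/nftables.conf`.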