nft实战-nft备份还原

备份还原

nft 规则只保存在内核内存中,重启后即丢失。要想永久生效,需要把当前规则导出到 nftables 服务启动时读取的配置文件(/etc/sysconfig/nftables.conf),并用 `systemctl enable nftables` 启用该服务,这样开机时才会自动加载恢复;下面只演示了 restart,没有演示 enable。

查看service文件

# Inspect the unit that loads the saved ruleset. The file is only read at
# ExecStart, so the service must be enabled (WantedBy below) for the rules
# to come back after a reboot.
[root@centos8 ~]#cat /lib/systemd/system/nftables.service 
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
# Ordered before network-pre.target, the usual way a firewall unit is
# sequenced ahead of the interfaces being brought up.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
# Start: load the saved file. A plain `nft -f` ADDS to whatever is already
# loaded; it only replaces the ruleset if the file itself starts with
# `flush ruleset` or the ruleset was flushed beforehand (see ExecStop).
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
# Reload: flush + include run inside ONE nft invocation, i.e. one atomic
# transaction, so there is no moment with an empty ruleset.
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
# Stop: removes every table, leaving the host with no nft filtering at all.
# `systemctl restart` runs this before ExecStart, so there is a brief
# unfiltered window; prefer `systemctl reload` to re-apply a changed file.
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
# Only honoured once the unit is enabled (`systemctl enable nftables`).
WantedBy=multi-user.target

备份配置并还原

# Back up to a file. First dump the live ruleset to stdout to confirm what
# is about to be saved.
[root@centos8 ~]#nft list ruleset 
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table inet test_table {
    chain test_chain {
        tcp dport mysql reject
        tcp dport http reject
    }

    chain test_filter_input_chain {
        type filter hook input priority 0; policy accept;
        tcp dport mysql reject
        tcp dport ftp reject
        udp dport http-alt reject
        tcp dport http reject
        tcp dport 6379 reject
    }
}

# Save the dump to the file the nftables unit reads at ExecStart. The dump
# has no leading `flush ruleset`, so loading it with a bare `nft -f` on a
# host that already has rules appends (and duplicates) them; the unit
# avoids this by flushing in ExecStop/ExecReload. The file describes the
# host's firewall posture — keep it owned by root and not world-readable.
[root@centos8 ~]#nft list ruleset >  /etc/sysconfig/nftables.conf

# Delete all rules, then confirm the ruleset is empty. This also drops the
# reject rules saved above, so those ports stay reachable until the file
# is loaded again.
[root@centos8 ~]#nft flush  ruleset 
[root@centos8 ~]#nft list ruleset

# Restart the service: ExecStop (flush) then ExecStart (nft -f), so the
# saved file is loaded onto an empty ruleset and every rule comes back
# exactly once. This only proves the load works; surviving a reboot still
# requires `systemctl enable nftables`.
[root@centos8 ~]#systemctl restart nftables.service 
[root@centos8 ~]#nft list ruleset 
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table inet test_table {
    chain test_chain {
        tcp dport mysql reject
        tcp dport http reject
    }

    chain test_filter_input_chain {
        type filter hook input priority 0; policy accept;
        tcp dport mysql reject
        tcp dport ftp reject
        udp dport http-alt reject
        tcp dport http reject
        tcp dport 6379 reject
    }
}

手动加载指定的规则配置文件

# A second rule file. Mind the rule order: only sources in the set are
# accepted before ssh/http/nfs are rejected for everyone else — loading
# this while logged in over ssh from any other address will cut the
# session off.
[root@centos8 ~]#cat nftables2.conf
table inet test2_table {
    chain test2_filter_input_chain {
        type filter hook input priority 0; policy accept;
        ip saddr { 10.0.0.1, 10.0.0.10 } accept
        tcp dport { http, nfs,ssh }  reject
    }
}

# -f loads a rule file. Its contents are ADDED to the running ruleset: if
# rules already exist they are kept and these are appended after them
# (loading the same file twice duplicates its rules). Put `flush ruleset`
# as the first line of the file if a replacement is intended. The listing
# below shows only test2_table, so the ruleset appears to have been
# flushed before this step.
[root@centos8 ~]#nft -f nftables2.conf
[root@centos8 ~]#nft list ruleset
table inet test2_table {
    chain test2_filter_input_chain {
        type filter hook input priority 0; policy accept;
        ip saddr { 10.0.0.1, 10.0.0.10 } accept
        # Set elements are printed in a different order than written;
        # order inside a set has no effect on matching.
        tcp dport { ssh, http, nfs } reject
    }
}

本文链接:http://www.yunweipai.com/35078.html

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/courses/52541.html
