备份还原
规则都是临时的,要想永久生效,可以将规则备份,重启后自动加载恢复
查看service文件
[root@centos8 ~]#cat /lib/systemd/system/nftables.service
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target
[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
备份配置并还原
#备份至文件中
[root@centos8 ~]#nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table inet test_table {
chain test_chain {
tcp dport mysql reject
tcp dport http reject
}
chain test_filter_input_chain {
type filter hook input priority 0; policy accept;
tcp dport mysql reject
tcp dport ftp reject
udp dport http-alt reject
tcp dport http reject
tcp dport 6379 reject
}
}
[root@centos8 ~]#nft list ruleset > /etc/sysconfig/nftables.conf
#删除所有规则
[root@centos8 ~]#nft flush ruleset
[root@centos8 ~]#nft list ruleset
#重新启动后全部还原
[root@centos8 ~]#systemctl restart nftables.service
[root@centos8 ~]#nft list ruleset
table inet filter {
chain input {
type filter hook input priority 0; policy accept;
}
chain forward {
type filter hook forward priority 0; policy accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table inet test_table {
chain test_chain {
tcp dport mysql reject
tcp dport http reject
}
chain test_filter_input_chain {
type filter hook input priority 0; policy accept;
tcp dport mysql reject
tcp dport ftp reject
udp dport http-alt reject
tcp dport http reject
tcp dport 6379 reject
}
}
启用指定的配置文件
[root@centos8 ~]#cat nftables2.conf
table inet test2_table {
chain test2_filter_input_chain {
type filter hook input priority 0; policy accept;
ip saddr { 10.0.0.1, 10.0.0.10 } accept
tcp dport { http, nfs,ssh } reject
}
}
#-f 指定规则配置文件,如果已经有规则,是追加至现有规则后
[root@centos8 ~]#nft -f nftables2.conf
[root@centos8 ~]#nft list ruleset
table inet test2_table {
chain test2_filter_input_chain {
type filter hook input priority 0; policy accept;
ip saddr { 10.0.0.1, 10.0.0.10 } accept
tcp dport { ssh, http, nfs } reject
}
}
本文链接:http://www.yunweipai.com/35078.html
原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/courses/52541.html