For an embedded application I want to configure the firewall dynamically. My idea was to create a separate table for each service, so that I can use `nft flush table inet <table>` to clear a table's rule set and set it up again. So I made tables for snmp, www, ssh and so on. So far, so good, but how do I block the remaining ports? I have created another table with "type filter hook input priority 0; policy drop;". But regardless of the priority, all ports are blocked after that. What am I doing wrong in my first steps with nftables? Thanks for your help.

My configuration:
table inet firewall {
    chain input {
        type filter hook input priority 0; policy accept;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" counter packets 0 bytes 0 accept
        iifname "lo" ip saddr != 127.0.0.0/8 drop
        iifname "lo" ip6 saddr != ::1 drop
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
        ct state established accept
        oifname "lo" counter packets 0 bytes 0 accept
        oifname "lo" ip daddr != 127.0.0.0/8 drop
        oifname "lo" ip6 daddr != ::1 drop
    }
}
table inet web {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 80 accept
        tcp dport 443 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table inet snmp {
    chain input {
        type filter hook input priority 0; policy accept;
        udp dport 161 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        udp dport 162 drop
    }
}
table inet opc {
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport 4840 drop
        udp dport 4840 drop
    }
}
Found it! "policy drop" only works well when working within the same table. Additional management has to be done via "chains", which are added to the table as "regular chains". In the "base chain" the individual rule sets are invoked with "jump xyz".
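The reason the per-table approach fails is that every base chain registered on the `input` hook is traversed independently: an `accept` verdict ends evaluation of the chain it occurs in, but the packet still continues to the other base chains on the same hook, and a `drop` from any of them is final. So a separate table whose base chain has `policy drop` drops everything that was not accepted inside that same chain, whatever its priority. The ruleset below is an added example, not the poster's configuration, showing the layout the answer describes: one table, one base chain with `policy drop`, and one regular chain per service that the base chain jumps to. The chain names `web`, `snmp` and `opc` are illustrative.

```nft
# Added example: single table, one hooked base chain, regular chains per service.
table inet firewall {
    # Regular chains have no hook and no policy. Each holds one service's rules and
    # can be flushed and refilled on its own without touching the base chain.
    chain web {
        tcp dport { 80, 443 } accept
    }
    chain snmp {
        udp dport 161 accept
    }
    chain opc {
        # Explicitly blocked service: the base chain policy would drop it anyway;
        # the counters make the rejected traffic visible in "nft list ruleset".
        tcp dport 4840 counter drop
        udp dport 4840 counter drop
    }

    # Base chain: the only chain hooked on input, and therefore the only one whose
    # policy applies. Anything not accepted by a jumped-to chain is dropped here.
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        ct state established,related accept
        iifname "lo" accept
        jump web
        jump snmp
        jump opc
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

To reconfigure one service at runtime, flush only its regular chain and add the new rules, for example `nft flush chain inet firewall web` followed by `nft add rule inet firewall web tcp dport 8080 accept`; the base chain, its `policy drop` and the `jump` rules stay in place, so the host is never left with an open default policy while the service rules are being replaced. Regular chains are declared before the base chain in the file so that every `jump` target exists when the base chain's rules are loaded with `nft -f`.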