Nftables


Maintenance

List the ruleset, flush it and reload it from the config file:

   sudo /usr/sbin/nft list ruleset
   sudo /usr/sbin/nft flush ruleset
   sudo /usr/sbin/nft -f /etc/nftables.conf

Tables:

   sudo nft list table inet filter

Sets:

   sudo nft list sets

One shot emergency

Ban a given IP from the command line (insert puts the rule at the top of the chain, before any accept rules):

   sudo nft insert rule inet filter input tcp dport 443 ip saddr 155.185.3.38 drop

Verify rules:

   sudo nft list table inet filter

Remove rules:

   sudo nft -a list table inet filter # get handle
   sudo nft delete rule inet filter input handle 26 # delete rule with handle 26
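The ban/verify/remove sequence above needs the rule handle, which only `nft -a` prints. The following shell helpers, added here as an example and not part of the original page, parse that listing to find the handle of the drop rule for a given address and build the matching delete command. The function names, the sample listing and the handle value 26 are constructed for the example; on a real host the listing comes from `sudo nft -a list table inet filter`.

```shell
#!/bin/sh
# Added example, not from the page: look up the handle of an emergency
# "ip saddr X drop" rule in `nft -a list table inet filter` output and
# build the matching `nft delete rule` command. Function names and the
# sample listing below are constructed; the handle value 26 is assumed.

# Constructed sample of `sudo nft -a list table inet filter` output.
SAMPLE_LISTING='table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept # handle 5
        tcp dport 22 accept # handle 7
        tcp dport 443 ip saddr 155.185.3.38 drop # handle 26
    }
}'

# valid_ipv4 IP: succeed only for a dotted quad with every octet in 0..255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# find_handle LISTING IP: print the handle of the first rule that drops
# traffic from IP (exact substring match, so 10.1.1.1 never matches 10.1.1.10).
find_handle() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        index($0, "ip saddr " ip " ") && index($0, " drop") {
            for (i = 1; i <= NF; i++) if ($i == "handle") { print $(i + 1); exit }
        }'
}

# unban IP [LISTING]: delete the drop rule for IP. With DRY_RUN set the
# command is printed instead of executed; LISTING defaults to the live ruleset.
unban() {
    ip="$1"
    listing="${2:-$(sudo nft -a list table inet filter)}"
    valid_ipv4 "$ip" || { echo "invalid IPv4 address: $ip" >&2; return 2; }
    h=$(find_handle "$listing" "$ip")
    [ -n "$h" ] || { echo "no drop rule for $ip found" >&2; return 1; }
    cmd="sudo nft delete rule inet filter input handle $h"
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$cmd"; else $cmd; fi
}
```

Usage: `DRY_RUN=1 unban 155.185.3.38` shows the command that would run; without `DRY_RUN` it deletes the rule. Handles are only stable until the ruleset is flushed and reloaded, so always look the handle up right before deleting rather than reusing a number from an earlier listing.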

blackhole

Define set:

   sudo nft add set inet filter blackhole "{ type ipv4_addr; flags timeout; size 65536; }"

Add and list elements:

   sudo nft add element inet filter blackhole "{ 10.2.3.4, 10.23.1.42 }"
   sudo nft list set inet filter blackhole
   

Add rules (tentative):

   sudo nft add rule inet filter input position 16 tcp flags syn tcp dport { 80, 443 } meter flood { ip saddr timeout 10s limit rate over 10/second } add @blackhole { ip saddr timeout 1m }
   sudo nft add rule inet filter input position 16 ip saddr @blackhole counter drop
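The set and rules added interactively above are lost the next time the maintenance sequence runs `flush ruleset` followed by `nft -f /etc/nftables.conf`. As an added example (not from the original page), the same blackhole set and the two rules written in nft file syntax so they can be merged into the config, plus a syntax check with `nft -c` that validates without applying. It assumes `table inet filter` and `chain input` already exist, as on this page; loaded with `nft -f` the fragment then only adds the set and appends the rules to the end of the chain, so in the real `/etc/nftables.conf` they belong before any rule that accepts ports 80 and 443.

```shell
#!/bin/sh
# Added example, not from the page: the blackhole set and the two rules as a
# persistent fragment in nft file syntax, validated with `nft -c` (check only,
# nothing is applied). Assumes `table inet filter` and `chain input` already
# exist; with `nft -f` the set is created and the rules are appended.
blackhole_conf() {
    cat <<'EOF'
table inet filter {
    set blackhole {
        type ipv4_addr
        flags timeout
        size 65536
    }
    chain input {
        # check the set first: a banned address never reaches the meter again
        ip saddr @blackhole counter drop
        # more than 10 new connections/s to 80/443 from one address: ban it for 1 minute
        tcp flags syn tcp dport { 80, 443 } meter flood { ip saddr timeout 10s limit rate over 10/second } add @blackhole { ip saddr timeout 1m }
    }
}
EOF
}

# check_conf: syntax-check the fragment without loading it (needs nft installed).
check_conf() {
    f=$(mktemp) || return 1
    blackhole_conf > "$f"
    sudo nft -c -f "$f"; rc=$?
    rm -f "$f"
    return $rc
}
```

Run `check_conf` before touching the live ruleset; a non-zero exit means nft rejected the syntax. Once the fragment is in `/etc/nftables.conf`, `sudo nft list set inet filter blackhole` shows the currently banned addresses together with their remaining timeouts.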