Converting iptables rules to nftables


I converted a packet-filtering rule set written with iptables into nftables.
Below is the usual kind of iptables script that accepts inbound traffic only on specific ports (IPv4 only; ip6tables is not touched):

#!/bin/sh
# Flush the existing rules and open the policies first, so the rules are
# added while the host is still reachable; INPUT is switched to DROP only
# at the very end (the box is wide open in between).
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

# Loopback and ICMP are always accepted.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

# Services this host offers; the service names are resolved via /etc/services.
iptables -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport domain -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport https -j ACCEPT
iptables -A INPUT -p udp -m udp --dport domain -j ACCEPT

# -I puts this rule at the top of INPUT, so replies to connections this host
# opened are accepted before the per-port checks. "-m state" is the legacy
# spelling; "-m conntrack --ctstate" is the current equivalent.
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Everything else inbound is dropped; outbound stays open.
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT

Doing the same with nftables looks like this. The chain policy is left at accept and the drop is the last rule; since nft -f loads the whole file as one atomic transaction, there is no window during loading where the firewall is either wide open or blocking the SSH session that is applying it, unlike the iptables script above.

#!/usr/sbin/nft -f
# Create the table if it does not exist yet, then empty it: "flush table" on
# its own fails when the table is missing, e.g. on the first run after boot.
add table ip filter
flush table ip filter

# The "ip" family is IPv4 only, matching the iptables script above. To cover
# IPv6 as well, use the "inet" family and add the corresponding icmpv6 rules.
table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
                # replies to connections this host opened (the -I rule above)
                ct state established accept
                ct state related accept
                iif lo accept
                # one rule with an anonymous set replaces the five tcp rules
                tcp dport {ssh,smtp,domain,http,https} accept
                udp dport domain accept
                ip protocol icmp accept
                # policy stays accept; this final rule is the "-P INPUT DROP"
                # and counts what it drops, which helps when debugging
                counter drop
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}
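The correspondence the two scripts show can be written down mechanically. The following is an added example, not code from the post: a small Python translator for exactly the iptables subset used above (-P, -F, -A, -I without a position, -p, -i, -m tcp/udp/state with --dport/--sport/--state, and -j ACCEPT/DROP/REJECT). It replays the script in order, so -I lands on top and the final -P INPUT DROP wins, then emits an nft -f file in the same shape as the one above, except that the drop is expressed as the chain policy rather than a trailing counter drop rule. Any option it does not know raises instead of being skipped, because a dropped match makes a rule broader than the original. The embedded iptables script is the post's, minus its shebang. The iptables package's own iptables-translate handles the full language; this is only to make the mapping visible.

```python
import shlex

# Lookup tables for the iptables subset this example handles (see lead-in);
# a KeyError on anything else is deliberate: nothing is translated silently.
STATE_MAP = {s: s.lower() for s in ("NEW", "ESTABLISHED", "RELATED", "INVALID")}
TARGET_MAP = {t: t.lower() for t in ("ACCEPT", "DROP", "REJECT")}
BUILTIN_CHAINS = {"INPUT": "input", "OUTPUT": "output", "FORWARD": "forward"}

def new_chain():
    return {"policy": "accept", "rules": []}   # iptables default for a built-in chain

def translate_rule(args):
    """Turn the options after the chain name into one nft rule string.
    Unknown options raise, so a rule can never lose a match and get broader."""
    proto, port_match, exprs, target = None, False, [], None
    for opt, val in zip(args[::2], args[1::2]):   # every option handled here takes one argument
        if opt == "-m":                   # extension loader (tcp/udp/state): nft infers it
            pass
        elif opt == "-p":
            proto = val
        elif opt == "-i":
            exprs.append(f"iif {val}")
        elif opt in ("--dport", "--sport"):
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{opt} requires -p tcp or -p udp")
            exprs.append(f"{proto} {opt[2:]} {val}")
            port_match = True
        elif opt == "--state":
            exprs.append("ct state " + ",".join(STATE_MAP[s] for s in val.split(",")))
        elif opt == "-j":
            target = TARGET_MAP[val]
        else:
            raise ValueError(f"unsupported option {opt}")
    if proto and not port_match:          # bare "-p icmp": match the L4 protocol only
        exprs.insert(0, f"ip protocol {proto}")
    if target is None:
        raise ValueError("rule has no -j target")
    return " ".join(exprs + [target])

def translate_script(script):
    """Replay an iptables shell script in order and return {chain: {policy, rules}}."""
    chains = {}
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("iptables"):
            continue
        cmd, *rest = shlex.split(line)[1:]
        if cmd == "-F":                   # flush rules (all chains or one); policies stay
            for ch in ([chains.setdefault(rest[0], new_chain())] if rest else chains.values()):
                ch["rules"].clear()
            continue
        name = rest[0]
        if name not in BUILTIN_CHAINS:
            raise ValueError(f"only built-in chains are handled, got {name}")
        ch = chains.setdefault(name, new_chain())
        if cmd == "-P":
            ch["policy"] = TARGET_MAP[rest[1]]
        elif cmd == "-A":
            ch["rules"].append(translate_rule(rest[1:]))
        elif cmd == "-I":                 # -I CHAIN without a rulenum inserts at the top
            ch["rules"].insert(0, translate_rule(rest[1:]))
        else:
            raise ValueError(f"unsupported command {cmd}")
    return chains

def render_nft(chains, family="ip", table="filter"):
    """Emit an nft -f script. Family "ip" is IPv4 only, like iptables itself."""
    out = ["#!/usr/sbin/nft -f",
           f"add table {family} {table}",    # create first so the flush cannot fail
           f"flush table {family} {table}",
           f"table {family} {table} {{"]
    for name, ch in chains.items():
        hook = BUILTIN_CHAINS[name]
        out += [f"\tchain {hook} {{",
                f"\t\ttype filter hook {hook} priority 0; policy {ch['policy']};"]
        out += [f"\t\t{rule}" for rule in ch["rules"]]
        out.append("\t}")
    out.append("}")
    return "\n".join(out) + "\n"

# The post's iptables script, embedded (without its shebang) so this runs stand-alone.
IPTABLES_SCRIPT = """\
iptables -F
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport smtp -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport domain -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport http -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport https -j ACCEPT
iptables -A INPUT -p udp -m udp --dport domain -j ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
"""

if __name__ == "__main__":
    print(render_nft(translate_script(IPTABLES_SCRIPT)), end="")
```

Running the file prints the generated nft script; check it with nft -c -f before loading it, and compare nft list ruleset afterwards against iptables -S to confirm the two rule sets match.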
