nft实战-nft备份还原

[root@centos8 ~]#cat /lib/systemd/system/nftables.service 
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

备份配置并还原

#备份至文件中
[root@centos8 ~]#nft list ruleset 
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table inet test_table {
    chain test_chain {
        tcp dport mysql reject
        tcp dport http reject
    }

    chain test_filter_input_chain {
        type filter hook input priority 0; policy accept;
        tcp dport mysql reject
        tcp dport ftp reject
        udp dport http-alt reject
        tcp dport http reject
        tcp dport 6379 reject
    }
}

[root@centos8 ~]#nft list ruleset >  /etc/sysconfig/nftables.conf

#删除所有规则
[root@centos8 ~]#nft flush  ruleset 
[root@centos8 ~]#nft list ruleset

#重新启动后全部还原
[root@centos8 ~]#systemctl restart nftables.service 
[root@centos8 ~]#nft list ruleset 
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table inet test_table {
    chain test_chain {
        tcp dport mysql reject
        tcp dport http reject
    }

    chain test_filter_input_chain {
        type filter hook input priority 0; policy accept;
        tcp dport mysql reject
        tcp dport ftp reject
        udp dport http-alt reject
        tcp dport http reject
        tcp dport 6379 reject
    }
}

启用指定的配置文件

[root@centos8 ~]#cat nftables2.conf
table inet test2_table {
    chain test2_filter_input_chain {
        type filter hook input priority 0; policy accept;
        ip saddr { 10.0.0.1, 10.0.0.10 } accept
        tcp dport { http, nfs,ssh }  reject
    }
}

#-f 指定规则配置文件，如果已经有规则，是追加至现有规则后
[root@centos8 ~]#nft -f nftables2.conf
[root@centos8 ~]#nft list ruleset
table inet test2_table {
    chain test2_filter_input_chain {
        type filter hook input priority 0; policy accept;
        ip saddr { 10.0.0.1, 10.0.0.10 } accept
        tcp dport { ssh, http, nfs } reject
    }
}

本文链接：https://www.yunweipai.com/35078.html

网友评论comments

发表回复取消回复

暂无评论

教程分类

备份还原

网友评论comments

发表回复 取消回复

发表回复取消回复