- List the whole ruleset
nft list ruleset
- List one chain (family omitted, so this is the INPUT chain of the ip table named filter)
nft list chain filter INPUT
- List all chains
nft list chains
- List one table
nft list table filter
- List all tables
nft list tables
- Add a table
A table must exist before any chain can be added to it.
nft add table test
With no family given, the table is created in the ip family (IPv4 only).
nft add table inet test
The inet family covers both IPv4 and IPv6 in a single table.
- Add a chain
nft add chain inet test test '{ type filter hook output priority 0; }'
The block with type, hook and priority makes this a base chain that receives packets from the kernel's output hook. Quote the block (or escape the braces and semicolon) so the shell does not treat ; as a command separator. Omitting the block creates a regular chain, which only sees packets sent to it from another chain with jump or goto:
nft add chain inet test test
- Add a rule
nft add rule inet test test ip daddr 8.8.8.8 counter
This counts packets leaving the host for 8.8.8.8; with no verdict the rule only counts, and the chain policy decides what happens to the packet.
- Delete a rule
Rules are deleted by handle, not by position. List with -a to show each rule's handle, then delete by handle:
nft -a list ruleset
nft delete rule inet test test handle 3
nft delete rule filter FORWARD handle 88
The second form omits the family, so it refers to the ip table named filter.
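The lookup step above, as an added example that is not part of the original note: a small POSIX shell helper that extracts a rule's handle from `nft -a list chain` output and builds the matching delete command. The listing it parses is a constructed sample of what `nft -a list chain inet test test` prints; on a real system the handles will differ, so it must always be re-read rather than hard-coded.

```shell
#!/bin/sh
# Added example (not from the original note): find a rule's handle and build
# the `nft delete rule ... handle N` command for it.
#
# `nft -a list chain <family> <table> <chain>` prints every object with a
# trailing "# handle N" comment. Handles stay fixed for the lifetime of the
# rule, rule positions do not, so deletion should always go by handle.

# Constructed sample of `nft -a list chain inet test test` output.
SAMPLE_LISTING='table inet test { # handle 12
    chain test { # handle 1
        type filter hook output priority filter; policy accept;
        ip daddr 8.8.8.8 counter packets 0 bytes 0 # handle 3
        ip daddr 1.1.1.1 counter packets 4 bytes 336 # handle 5
    }
}'

# rule_handle LISTING PATTERN
# Prints the handle of the first rule line whose text contains PATTERN.
# Table and chain lines carry handles too, so skip them: deleting with a
# table or chain handle by mistake would remove far more than one rule.
rule_handle() {
    printf '%s\n' "$1" \
    | grep -F -- "$2" \
    | grep -v -E '^[[:space:]]*(table|chain) ' \
    | sed -n 's/.*# handle \([0-9][0-9]*\)[[:space:]]*$/\1/p' \
    | head -n 1
}

# delete_cmd FAMILY TABLE CHAIN LISTING PATTERN
# Prints the nft command that removes the matched rule; fails if nothing matches.
delete_cmd() {
    _h=$(rule_handle "$4" "$5")
    [ -n "$_h" ] || { echo "no rule matching '$5'" >&2; return 1; }
    printf 'nft delete rule %s %s %s handle %s\n' "$1" "$2" "$3" "$_h"
}

# On a live system (root required) replace the sample with the real listing:
#   listing=$(nft -a list chain inet test test)
#   eval "$(delete_cmd inet test test "$listing" 'ip daddr 8.8.8.8')"
delete_cmd inet test test "$SAMPLE_LISTING" 'ip daddr 8.8.8.8'
```

The pattern is matched literally (grep -F), so match on the rule text as nft prints it, not on the text you typed when adding the rule; nft normalises rules when it lists them.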
- Configuring NAT
- SNAT
The postrouting chain must be a base chain of type nat on the postrouting hook, and its table (ip family here, since no family is given) must exist first:
nft add table nat
nft add chain nat POSTROUTING '{ type nat hook postrouting priority srcnat; policy accept; }'
nft add rule nat POSTROUTING iifname wg2 oifname eth0 counter snat to 172.31.25.80
or
nft add rule nat POSTROUTING iifname wg2 oifname eth0 counter masquerade
snat to a fixed address performs better than masquerade, which looks up the outgoing interface's current address for every new connection. masquerade is the right choice only when the address on eth0 can change (for example DHCP or PPP); otherwise use snat.
- DNAT
Create the table and the base chain first, then add the rule:
nft add table inet nat
nft add chain inet nat prerouting '{ type nat hook prerouting priority dstnat; policy accept; }'
nft add rule inet nat prerouting tcp dport 443 counter redirect to :8006
redirect is a DNAT to the address of the interface the packet arrived on, so incoming TCP 443 is delivered to port 8006 on this host. The prerouting hook only sees packets coming from other hosts; connections the host makes to its own port 443 are not redirected (that needs the same rule in a nat chain on the output hook).
When no family is given, nft creates ip (IPv4-only) tables; use the inet family when one table has to cover both IPv4 and IPv6.
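The whole procedure above (table, base chains, filter rule, SNAT and DNAT) as one nft script, added here as an example and not taken from the original note. Instead of a series of `nft add ...` commands, the objects are declared in a file and loaded with `nft -f`, which applies the entire file as one atomic transaction and sidesteps the shell quoting of `{`, `;` and `}`. The interface names eth0 and wg2, the SNAT address 172.31.25.80 and the 443 to 8006 redirect are taken from the note; putting both NAT chains into a single `ip nat` table (the note uses `inet nat` for DNAT) is this example's choice, because the SNAT address is IPv4-only.

```shell
#!/bin/sh
# Added example (not from the original note): the note's objects as a single
# nft script loaded atomically with `nft -f`. The add/delete pair at the top
# makes the script idempotent: re-running it replaces the rules instead of
# appending duplicates, and because `nft -f` commits everything in one
# transaction there is no moment with the tables half-built.
#
# Assumed values (override via the environment): WAN interface eth0,
# WireGuard interface wg2, SNAT source 172.31.25.80.
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-wg2}
SNAT_ADDR=${SNAT_ADDR:-172.31.25.80}

# Emit the ruleset. The filter table is inet so one rule set covers IPv4 and
# IPv6; the nat table is ip because the SNAT address is an IPv4 address.
gen_ruleset() {
    cat <<EOF
# create the tables if missing, then drop everything in them (idempotent)
add table inet test
delete table inet test
add table ip nat
delete table ip nat

table inet test {
    chain test {
        type filter hook output priority 0; policy accept;
        ip daddr 8.8.8.8 counter
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # DNAT to this host: incoming TCP 443 -> local port 8006
        tcp dport 443 counter redirect to :8006
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # fixed source address: cheaper than masquerade, which looks up the
        # interface address for every new connection
        iifname "$VPN_IF" oifname "$WAN_IF" counter snat to $SNAT_ADDR
    }
}
EOF
}

# Validate without committing (`nft -c` = check only). Returns 2 when nft is
# not installed so a caller can tell "not checked" from "invalid".
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    gen_ruleset | nft -c -f -
}

# To load for real (root required):  gen_ruleset | nft -f -
gen_ruleset
```

After loading, `nft -a list table ip nat` shows the handles of the rules just created, which is what the delete-by-handle step needs. Keep the filter and nat tables separate rather than reusing an existing `filter` table from iptables-nft, so that `delete table` never touches rules that another tool manages.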