[Untitled] nftables beginner essentials: no filler, every line to the point, up and running in a minute, a must-keep reference

To look into nftables traffic accounting I spent a day working through nftables. I have no need for the complex parts yet, but the basics are something I cannot afford not to know.
Straight to the essentials, every line to the point.
Quick-start pages:

https://farkasity.gitbooks.io/nftables-howto-zh
https://www.cnblogs.com/ryanyangcs/p/11611730.html
https://wiki.nftables.org/wiki-n … ables_in_10_minutes

Brief explanation:

type refers to the kind of chain to be created. Possible types are:
filter: Supported by arp, bridge, ip, ip6 and inet table families.
route: Mark packets (like mangle for the output hook, for other hooks use the type filter instead), supported by ip and ip6.
nat: In order to perform Network Address Translation, supported by ip and ip6.
hook refers to a specific stage of the packet while it's being processed through the kernel. More info in Netfilter hooks.

The hooks for ip, ip6 and inet families are: prerouting, input, forward, output, postrouting.
The hooks for arp family are: input, output.
The bridge family handles ethernet packets traversing bridge devices.
The hook for netdev is: ingress.

priority refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: NF_IP_PRI_CONNTRACK_DEFRAG (-400), NF_IP_PRI_RAW (-300), NF_IP_PRI_SELINUX_FIRST (-225), NF_IP_PRI_CONNTRACK (-200), NF_IP_PRI_MANGLE (-150), NF_IP_PRI_NAT_DST (-100), NF_IP_PRI_FILTER (0), NF_IP_PRI_SECURITY (50), NF_IP_PRI_NAT_SRC (100), NF_IP_PRI_SELINUX_LAST (225), NF_IP_PRI_CONNTRACK_HELPER (300).
policy is the default verdict statement to control the flow in the base chain. Possible values are: accept (default) and drop. Warning: Setting the policy to drop discards all packets that have not been accepted by the ruleset.

Verdict statements
The verdict statement alters control flow in the ruleset and issues policy decisions for packets. The valid verdict statements are:
accept: Accept the packet and stop evaluating the remaining rules.
drop: Drop the packet and stop evaluating the remaining rules.
queue: Queue the packet to userspace and stop evaluating the remaining rules.
continue: Continue the ruleset evaluation with the next rule.
return: Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept.
jump <chain>: Continue at the first rule of <chain>. Evaluation will continue at the next rule after a return statement is issued.
goto <chain>: Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement.

Hands-on essentials, ready to use directly:

# Comparison operators usable in match expressions:
# ne: not equal, or !=
# lt: less than, or <   (<, > and ; must be escaped with \ in the shell; same below)
# gt: greater than, or >
# le: less than or equal, or <=
# ge: greater than or equal, or >=

table=customtable
chain=custom_control
target=drop

ip=8.8.8.8
ip6=2402:4e00::0
mac=00:00:01:02:03:04

# nft (add | insert | delete | flush) [<family>] (table | chain | rule) $table [$chain] [match expression] $target

# create a table for ip and ip6 (inet family)
nft add table inet $table

# create a chain for ip and ip6
nft add chain inet $table $chain { type filter hook forward priority 0\; }

# match an IP address; a range 192.168.0.1-192.168.0.250 or a set { 192.168.5.1, 192.168.5.2, 192.168.5.3 } can be used
nft add rule inet $table $chain ip saddr $ip $target        #upload
nft add rule inet $table $chain ip daddr $ip $target        #download

# match an IPv6 address
nft add rule inet $table $chain ip6 saddr $ip6 $target        #upload
nft add rule inet $table $chain ip6 daddr $ip6 $target        #download

# match a MAC address
nft add rule inet $table $chain ether saddr $mac $target        #upload
nft add rule inet $table $chain ether daddr $mac $target        #download

# match an interface
nft add rule inet $table $chain iif eth3 $target        #input of an interface
nft add rule inet $table $chain oif eth3 $target        #output of an interface

# match a port (matching a set of transport protocols needs meta l4proto plus the th pseudo-header; "{ tcp, udp } dport" alone is not accepted by nft)
nft add rule inet $table $chain meta l4proto { tcp, udp } th dport 22 $target
nft add rule inet $table $chain tcp dport \>= 1024 $target   #all ports >= 1024, or: ge

# set a mark, then return
nft add rule inet $table $chain tcp dport 22 mark set 147 return

# count traffic, then return
nft add rule inet $table $chain ip saddr $ip counter return        #upload
nft add rule inet $table $chain ip daddr $ip counter return        #download

# match IP and MAC at the same time
nft add rule inet $table $chain ip saddr $ip ether saddr $mac $target        #upload
nft add rule inet $table $chain ip daddr $ip ether daddr $mac $target        #download

# DNAT; nat statements are only accepted in a chain of type nat (dnat on the prerouting hook, snat on postrouting), so the filter chain above rejects them.
# The chain names nat_pre / nat_post below are illustrative.
nft add chain inet $table nat_pre { type nat hook prerouting priority -100\; }
nft add rule inet $table nat_pre ip daddr $ip dnat to 192.168.1.22

# SNAT
nft add chain inet $table nat_post { type nat hook postrouting priority 100\; }
nft add rule inet $table nat_post ip saddr $ip snat to 192.168.1.22

# rate limiting; unit: leave empty for a packet rate, or bytes/kbytes/mbytes for a byte rate; time unit: second, minute, hour, day, week; an optional burst may be appended (burst 1000 $unit, or burst 1000 packets for a packet rate)
rate=10 ; unit=mbytes
nft add rule inet $table $chain ether daddr $mac limit rate over $rate $unit/second drop        #download
nft add rule inet $table $chain ether saddr $mac limit rate over $rate $unit/second drop        #upload

# list chain rules in detail (with handles)
nft -a list chain inet $table $chain

# list chain rules (counter values are shown where a rule has a counter)
nft list chain inet $table $chain

# delete one rule; currently this is only possible by handle (only the first matching rule is taken, so that a multi-line result does not break the delete; rerun to remove further matches)
handle=$(nft -a list chain inet $table $chain | grep "daddr $ip " | grep -o 'handle [0-9]*' | cut -d ' ' -f2 | head -n 1)
[ -n "$handle" ] && nft delete rule inet $table $chain handle $handle

# flush all rules in a chain
nft flush chain inet $table $chain

# delete a chain (its rules need not be flushed first)
nft delete chain inet $table $chain

# delete a table (its chains and rules need not be removed first)
nft delete table inet $table

Hands-on case 1:
Block certain hosts, identified by MAC address, from accessing the network

table=customtable
chain=custom_control
target=drop
mac=00:00:01:02:03:04

# create a table for ip and ip6 (inet family)
nft add table inet $table

# create a chain for ip and ip6
nft add chain inet $table $chain { type filter hook forward priority 0\; }

# match the MAC address
nft add rule inet $table $chain ether saddr $mac $target        #upload

Hands-on case 2:
Count the traffic of one IP address

table=customtable
chain=custom_counter
target=drop
ip=192.168.18.251

# create a table for ip and ip6 (inet family)
nft add table inet $table

# create a chain for ip and ip6
nft add chain inet $table $chain { type filter hook forward priority 0\; }

# count traffic, then return
# return is used so that, when many counter rules follow, a packet is not needlessly matched against every one of them
nft add rule inet $table $chain ip saddr $ip counter return        #upload
nft add rule inet $table $chain ip daddr $ip counter return        #download

# view the traffic
nft list chain inet $table $chain
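As an added example (not part of the original post), a POSIX shell script that works on the `nft -a list chain` output used above for both tasks, deleting a rule by handle and reading the counters of case 2: it looks up handles anchored on the exact `ip saddr/daddr <address> ` text so a prefix such as 192.168.18.25 does not match 192.168.18.251, sums counter bytes per direction, and only prints the delete commands unless NFT_APPLY=1. The listing is a constructed sample, not captured from a host; the table and chain names are those of case 2.

```shell
# Constructed sample of `nft -a list chain inet customtable custom_counter`
# output (not captured from a real host); with -a, nft appends "# handle N".
SAMPLE='table inet customtable {
    chain custom_counter { # handle 1
        type filter hook forward priority filter; policy accept;
        ip saddr 192.168.18.251 counter packets 120 bytes 15360 return # handle 4
        ip daddr 192.168.18.251 counter packets 300 bytes 409600 return # handle 5
        ip saddr 192.168.18.252 counter packets 7 bytes 560 return # handle 6
        ip daddr 192.168.18.252 counter packets 9 bytes 720 return # handle 7
    }
}'

# Print the handle of every rule containing "ip <dir> <addr> " (dir = saddr|daddr).
# The trailing space keeps 192.168.18.25 from matching 192.168.18.251.
rule_handles() {  # $1 listing  $2 saddr|daddr  $3 address
    printf '%s\n' "$1" | awk -v pat="ip $2 $3 " \
        'index($0, pat) && /# handle [0-9]+$/ { print $NF }'
}

# Sum the "bytes" counter of every rule containing "ip <dir> <addr> ".
counter_bytes() {  # $1 listing  $2 saddr|daddr  $3 address
    printf '%s\n' "$1" | awk -v pat="ip $2 $3 " '
        index($0, pat) { for (i = 1; i < NF; i++) if ($i == "bytes") sum += $(i + 1) }
        END { print sum + 0 }'
}

# Upload = packets the host sent (saddr), download = packets it received (daddr),
# mirroring the two counter rules of case 2.
report() {  # $1 listing  $2 address
    echo "$2 upload=$(counter_bytes "$1" saddr "$2") download=$(counter_bytes "$1" daddr "$2")"
}

# Delete every matching rule by handle. Handles are not renumbered when other
# rules are deleted, so looping is safe. Prints the commands unless NFT_APPLY=1
# (running them needs root and the nft binary).
delete_rules() {  # $1 listing  $2 saddr|daddr  $3 address
    for h in $(rule_handles "$1" "$2" "$3"); do
        if [ "${NFT_APPLY:-0}" = 1 ]; then
            nft delete rule inet customtable custom_counter handle "$h"
        else
            echo "nft delete rule inet customtable custom_counter handle $h"
        fi
    done
}

report "$SAMPLE" 192.168.18.251
delete_rules "$SAMPLE" daddr 192.168.18.252
```

On a real host replace SAMPLE with `$(nft -a list chain inet customtable custom_counter)` and the same functions apply unchanged.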