What is nftables? What is the difference between it and iptables?

Almost every Linux administrator has used iptables, the traditional firewall for Linux systems. You may be less familiar with nftables, a newer firewall that brings some needed upgrades and may eventually replace iptables.

Why use nftables?

Nftables was developed by the Netfilter project, which currently maintains iptables, and it is designed to address the performance and scalability problems of iptables.

Apart from the new syntax and some upgrades, nftables works much like iptables. Another reason nftables was introduced is that the iptables framework had become fragmented: iptables, ip6tables, arptables and ebtables are separate tools with overlapping but different functions.

For example, it is very inefficient to create IPv4 rules in iptables and IPv6 rules in ip6tables and keep the two in sync. Nftables aims to replace all of these and become a centralized solution.

Although nftables has been included in the Linux kernel since 2014, it has become increasingly popular recently as adoption expands. Change is slow in the Linux world, and it often takes a few years or more for outdated utilities to be phased out and replaced by upgraded ones.

Today we will briefly introduce the differences between nftables and iptables, and show examples of configuring firewall rules in the new nftables syntax.

Chains and rules in nftables

In iptables, there are three default chains: INPUT, OUTPUT and FORWARD. These chains (and any others you create) contain "rules", and iptables works by matching network traffic against the list of rules in a chain. When the traffic being inspected matches no rule, the chain's default policy (such as ACCEPT or DROP) is applied to it.

Nftables works similarly, with "chains" and "rules". However, it starts without any built-in chains, which makes the configuration more flexible.

One of the inefficiencies of iptables is that all network traffic must traverse one or more of the above chains, even if it matches no rule. Even if you have not configured a chain, iptables still inspects and processes your network traffic.

Installing nftables in Linux

nftables is available in all major Linux distributions, and you can install it with your distribution's package manager.

In Ubuntu or Debian-based systems, you can use the following command:

sudo apt install nftables

To have nftables start automatically when the system boots, run:

sudo systemctl enable nftables.service

The syntax difference between iptables and nftables

The nftables syntax is simpler than that of iptables, but iptables syntax can still be used with nftables.

You can use the iptables-translate tool, which accepts iptables commands and translates them into equivalent nftables commands. This is an easy way to understand the difference between the two syntaxes.

Install iptables-translate on Ubuntu and Debian-based distributions using the following command:

sudo apt install iptables-nftables-compat

After installation, you can pass an iptables command to iptables-translate, and it returns the equivalent nftables command.
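The article translates one rule at a time. When migrating an existing host it is more practical to translate the whole saved ruleset at once with iptables-restore-translate, which ships in the same iptables-nftables-compat package and reads iptables-save output. The script below is an added example and not code from the article or from the Netfilter project; the iptables-save dump it writes is constructed for the example, and the translator is only invoked when it is installed, so the script can be run safely anywhere.

```shell
#!/bin/sh
# Added example: batch-translate a saved iptables ruleset into nft syntax.
# The dump written by write_sample_dump is constructed for this example.

write_sample_dump() {
    out="${1:-./sample-iptables.rules}"
    cat > "$out" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 192.168.2.1 -j DROP
-A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
    printf '%s\n' "$out"
}

# Translate the whole dump in one pass and print the nft ruleset to stdout.
# Returns 2 when the translator is not installed, so a caller can tell
# "skipped" apart from "translation failed" (exit 1).
translate_dump() {
    command -v iptables-restore-translate >/dev/null 2>&1 || return 2
    iptables-restore-translate -f "$1"
}

# Number of rules in the dump (lines starting with -A); compare it with the
# number of "add rule" lines in the translator output before trusting a migration.
dump_rule_count() { grep -c '^-A ' "$1"; }

# Usage: write the sample dump, translate it, and report how many rules went in.
main() {
    f=$(write_sample_dump "${1:-./sample-iptables.rules}")
    echo "rules in dump: $(dump_rule_count "$f")"
    translate_dump "$f" || echo "iptables-restore-translate not installed; skipped"
}

[ "${0##*/}" = "nft-migrate-example.sh" ] && main "$@"
```

The translated output keeps the chain policies from the `:INPUT DROP` lines, which is what you want to diff against before loading it with `nft -f`. Note that `-i lo` becomes an `iifname "lo"` match, and the `multiport` match becomes an anonymous set such as `tcp dport { 80, 443 }`.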

Let’s look at some specific syntax examples below.

Block incoming connections

The following command will block incoming connections from the IP address 192.168.2.1:

$ iptables-translate -A INPUT -s 192.168.2.1 -j DROP
nft add rule ip filter INPUT ip saddr 192.168.2.1 counter drop

Allow incoming SSH connections

To allow incoming SSH connections:

$ iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
nft add rule ip filter INPUT tcp dport 22 ct state new,established counter accept

Allow incoming SSH connections from specific IP ranges

If you only want to allow incoming SSH connections from 192.168.1.0/24:

$ iptables-translate -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
nft add rule ip filter INPUT ip saddr 192.168.1.0/24 tcp dport 22 ct state new,established counter accept

Allow MySQL connections on the eth0 network interface

$ iptables-translate -A INPUT -i eth0 -p tcp --dport 3306 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
nft add rule ip filter INPUT iifname eth0 tcp dport 3306 ct state new,established counter accept

Allow incoming HTTP and HTTPS traffic

To allow specific types of traffic, here is the syntax for both commands:

$ iptables-translate -A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,443} ct state new,established counter accept

As these examples show, the nftables syntax is very similar to that of iptables, but the commands are a little more intuitive.

nftables logging

The "counter" option in the nft command examples above tells nftables to count how many times the rule is hit, which iptables does by default.

In nftables, it has to be specified explicitly:

nft add rule ip filter INPUT ip saddr 192.168.2.1 counter accept
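Every `nft add rule ip filter INPUT ...` command above assumes that a table named `filter` and a base chain named `INPUT` already exist; since nftables starts with no built-in chains, those commands fail on a fresh system until the chain has been declared with its hook, priority and policy. The following ruleset file is an added example, not code from the article or from the Netfilter project: it assembles the rules translated above (with the per-rule counters the article describes) into one file in the format `nft -f` and `/etc/nftables.conf` accept, and syntax-checks it with `nft -c` without applying anything. The interface name eth0, the admin subnet 192.168.1.0/24, the blocked host 192.168.2.1 and the output path are assumptions taken from the article's examples, not from a real system.

```shell
#!/bin/sh
# Added example: write a complete nftables ruleset file equivalent to the
# translated rules above, then check its syntax with `nft -c` (no rules are loaded).
# Assumed values: interface eth0, admin subnet 192.168.1.0/24, blocked host 192.168.2.1.

write_ruleset() {
    out="${1:-./nftables.conf}"
    cat > "$out" <<'EOF'
#!/usr/sbin/nft -f
# "flush ruleset" makes the file the single source of truth on every load.
flush ruleset

table ip filter {
    chain INPUT {
        # nftables has no built-in chains: a base chain must declare its hook,
        # priority and policy, or "nft add rule ip filter INPUT ..." has nowhere to go.
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related counter accept
        ct state invalid counter drop

        # block one host (the "-s 192.168.2.1 -j DROP" example)
        ip saddr 192.168.2.1 counter drop

        # SSH only from the admin subnet
        ip saddr 192.168.1.0/24 tcp dport 22 ct state new counter accept

        # MySQL only on eth0
        iifname "eth0" tcp dport 3306 ct state new counter accept

        # HTTP and HTTPS from anywhere, written as an anonymous set
        tcp dport { 80, 443 } ct state new counter accept

        # log (rate-limited) whatever falls through before the policy drops it
        limit rate 5/minute log prefix "nft-input-drop: " counter
    }
}
EOF
    printf '%s\n' "$out"
}

# Syntax-check the file without applying it. Returns 0 if nft accepts it,
# 1 on a syntax error, and 2 when nft is missing or we are not root (skipped).
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    [ "$(id -u)" -eq 0 ] || return 2
    nft -c -f "$1"
}

# Number of rule statements in the file (lines that start with a match or limit).
rule_count() {
    grep -c -E '^[[:space:]]*(ip saddr|ct state|tcp dport|iif|iifname|limit)' "$1"
}

main() {
    f=$(write_ruleset "${1:-./nftables.conf}")
    echo "wrote $f with $(rule_count "$f") rules"
    check_ruleset "$f" && echo "syntax OK" || echo "check skipped or failed (rc=$?)"
}

[ "${0##*/}" = "nft-ruleset-example.sh" ] && main "$@"
```

Load it for real with `sudo nft -f ./nftables.conf` and inspect the hit counts with `sudo nft list ruleset`; the `counter` keyword on each rule is what makes those counts appear, as the article notes. Keeping the `ct state established,related` rule near the top is what lets the `policy drop` default apply only to new, unmatched connections.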

nftables has a built-in option for exporting the configuration. It currently supports XML and JSON.

nft export xml

Source: this article is reproduced from 51CTO.COM.