V2EX › Broadband Syndrome

Help wanted: nftables IPv6 issue

WingOwO · 12 days ago · 524 views

    I set up an nftables IPv6 firewall, intending to open ports 22 and 1874.

    I found that after updating the configuration it sometimes does not take effect; only after changing it to open all ports and then changing it back do the port restrictions start working.

    Other times it does take effect, but only for a while; after some time the ports can no longer be reached.

    Right now, with the IPv6 firewall turned off, everything is reachable normally.

    Can anyone tell me what the problem is here?

    Here is the full ruleset; it also handles routing.

    flush ruleset
    
    define DEV_WORLD = enp0
    define DEV_LAN = enp1
    define DEV_WLAN = wlp
    
    define DEV_COM = podman0
    define NET_PRIVATE = 192.168.1.0/22
    define NET_COM = 10.88.0.0/16
    
    
    table ip global {
    
        chain inbound_world {
            icmp type echo-request limit rate 5/second accept
            ip protocol . th dport vmap { udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept }
        }
    
        chain inbound_private_lan {
            icmp type echo-request limit rate 5/second accept
            ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept, tcp . 1874 : accept }
        }
    
        chain inbound_private_wlan {
            icmp type echo-request limit rate 5/second accept
            ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept, tcp . 1874 : accept }
        }
    
        chain inbound {
            type filter hook input priority 0; policy drop;
            ct state vmap { established : accept, related : accept, invalid : drop }
            iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_LAN : jump inbound_private_lan, $DEV_WLAN : jump inbound_private_wlan }
        }
    
        chain forward {
            type filter hook forward priority 0; policy drop;
            ct state vmap { established : accept, related : accept, invalid : drop }
            meta iifname . meta oifname { $DEV_LAN . $DEV_WORLD, $DEV_WLAN . $DEV_WORLD, $DEV_WORLD . $DEV_LAN, $DEV_WORLD . $DEV_WLAN, $DEV_LAN . $DEV_WLAN, $DEV_WLAN . $DEV_LAN, $DEV_COM . $DEV_WORLD, $DEV_WORLD . $DEV_COM} accept
        }
    
        chain postrouting {
            type nat hook postrouting priority 100; policy accept;
            ip saddr $NET_PRIVATE meta oifname $DEV_WORLD counter masquerade
            ip saddr $NET_COM meta oifname $DEV_WORLD counter masquerade
        }
    }
    
    table ip6 ip6global {
    
        chain inbound_world {
            icmpv6 type { echo-request, nd-neighbor-solicit } limit rate 5/second accept
            tcp dport { 22, 1874 } accept # works after applying, then stops working after a while
        }
    
        chain inbound {
            type filter hook input priority 0; policy drop;
            ct state vmap { established : accept, related : accept, invalid : drop }
            iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world }
        }
    
    }
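
An added example (not the poster's own config) of the `ip6` table with the ICMPv6 messages an IPv6 host must be able to receive: with `policy drop` and only `echo-request` and `nd-neighbor-solicit` accepted, the neighbor advertisements that answer this host's own solicitations and the router advertisements that refresh the default route are dropped (conntrack leaves Neighbor Discovery untracked, so `ct state established` does not cover them), which matches a firewall that works and then stops after a while. It assumes `DEV_WORLD = enp0` and ports 22 and 1874 from the post and replaces only the `table ip6 ip6global` block; the `ip` table stays as posted.

```nft
#!/usr/sbin/nft -f
# Added example, not the poster's config. Assumes the interface name from the post.
define DEV_WORLD = enp0

table ip6 ip6global {
    chain inbound_world {
        # Error signalling needed for Path MTU discovery and clean failure handling.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # Neighbor Discovery. The NA replies to this host's own NS and the RAs that
        # refresh the default route are not tracked by conntrack, so they must be
        # accepted explicitly. RFC 4861 requires hop limit 255 on these messages,
        # so enforce it to reject ND that did not originate on the local link.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 accept

        # MLD queries, so solicited-node multicast group membership stays valid.
        icmpv6 type mld-listener-query accept

        # Ping, rate limited with a burst so short bursts are not silently dropped.
        icmpv6 type echo-request limit rate 5/second burst 10 packets accept

        tcp dport { 22, 1874 } accept
    }

    chain inbound {
        type filter hook input priority 0; policy drop;
        ct state vmap { established : accept, related : accept, invalid : drop }
        iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world }
    }
}
```

Check the file with `nft -c -f` before loading it with `nft -f`; after loading, `ip -6 neigh` and `ip -6 route` should keep showing the upstream router as reachable and the default route's expiry being refreshed.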
    
    1 reply    2024-04-17 22:03:07 +08:00
    yjzll · 12 days ago
    Try adding a re-counting (burst) parameter to `limit rate 5/second`.