nftables: ct state rules produce "Error: Could not process rule: No such file or directory"


This is my /etc/nftables.conf:

#!/usr/sbin/nft -f
flush ruleset

define wan = { eth0 }


table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

            # allow everything from loopback interface
            iif lo accept comment "Accept any localhost traffic"
            # drop invalid connection attempts
            ct state invalid drop comment "Drop all invalid connection attempts"
            # allow established and related connections
            ct state established,related accept comment "Accept all traffic initiated by us"
            # allow explicitly allowed services/ports/protocols
            iif $wan tcp dport 22 accept comment "wan"
            # Apply extra (manually configured) rules
            # reject everything that has not been accepted before
            reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;

            # allow everything from loopback interface
            iif lo accept comment "Accept any localhost traffic"
            # drop invalid connection attempts
            ct state invalid drop comment "Drop all invalid connection attempts"
            # Apply extra (manually configured) rules
            # reject everything that has not been accepted before
            reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
    }
    chain output {
        type filter hook output priority 0; policy accept;

            # Apply extra (manually configured) rules
    }
}

This is what journalctl -u nftables.service shows after I run systemctl restart nftables.service:

Feb 01 18:54:40 mydomain.net systemd[1]: Starting nftables...
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:14:13-33: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             ct state invalid drop comment "Drop all invalid connection attempts"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:16:13-47: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             ct state established,related accept comment "Accept all traffic initiated by us"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:21:13-51: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:29:13-33: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             ct state invalid drop comment "Drop all invalid connection attempts"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:32:13-51: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]:             reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
Feb 01 18:54:40 mydomain.net nft[1682]:             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Feb 01 18:54:40 mydomain.net systemd[1]: nftables.service: Failed with result 'exit-code'.
Feb 01 18:54:40 mydomain.net systemd[1]: Failed to start nftables.

If I comment out the rules that start with "ct state", the service starts without errors. What is wrong here? The same ruleset works fine on other systems.

System information:

Operating system: Debian 10

Kernel: 4.19.0-14-amd64

Answer 1

For anyone else who runs into this problem. Make sure that:

  1. the "netfilter" (and related) kernel options are compiled in, either directly or as modules (grep -i netfilter /proc/config* or grep -i netfilter /boot/config*)
  2. if these options are compiled as modules, the sysctl option kernel.modules_disabled is not set to 1 (edit /etc/sysctl.conf)
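The two checks from the answer, combined into one script as an added example (not code from the original question or answer). It reads kernel config lines such as those found in /proc/config.gz or /boot/config-$(uname -r) together with the kernel.modules_disabled value, and decides whether the ct and reject rules from the question can load; treating CONFIG_NF_CONNTRACK, CONFIG_NFT_CT and CONFIG_NFT_REJECT_INET as the relevant options is this example's assumption, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Decides whether the "ct state"
# and "reject with icmpx" rules can load, from kernel config text and the
# kernel.modules_disabled sysctl. The option names are real kernel symbols;
# picking exactly these three as the ones the rules need is an assumption.
NEEDED_OPTIONS="CONFIG_NF_CONNTRACK CONFIG_NFT_CT CONFIG_NFT_REJECT_INET"

# option_state CONFIG_TEXT OPTION -> prints y (built in), m (module) or n (absent)
option_state() {
    state=$(printf '%s\n' "$1" | sed -n "s/^$2=//p")
    [ -n "$state" ] && printf '%s\n' "$state" || printf 'n\n'
}

# check_ct_support CONFIG_TEXT MODULES_DISABLED
# Returns 0 when every needed option is built in, or is a module and module
# loading is still allowed; returns 1 and names the first blocker otherwise.
check_ct_support() {
    config="$1"
    modules_disabled="$2"
    for opt in $NEEDED_OPTIONS; do
        case "$(option_state "$config" "$opt")" in
            y) ;;
            m) if [ "$modules_disabled" = "1" ]; then
                   echo "$opt is a module but kernel.modules_disabled=1"
                   return 1
               fi ;;
            *) echo "$opt is not enabled in this kernel"
               return 1 ;;
        esac
    done
    echo "ok: the needed netfilter options can be loaded"
    return 0
}

# check_live_system: the same test against the running kernel (call it manually)
check_live_system() {
    if [ -r /proc/config.gz ]; then
        cfg=$(zcat /proc/config.gz)
    else
        cfg=$(cat "/boot/config-$(uname -r)")
    fi
    check_ct_support "$cfg" "$(sysctl -n kernel.modules_disabled)"
}

# Constructed sample: the options built as modules, as on a Debian kernel.
SAMPLE_CONFIG='CONFIG_NF_CONNTRACK=m
CONFIG_NFT_CT=m
CONFIG_NFT_REJECT_INET=m'
check_ct_support "$SAMPLE_CONFIG" 0            # passes: modules can be loaded
check_ct_support "$SAMPLE_CONFIG" 1 || true    # fails: module loading is locked
```

Run check_live_system on the affected host to get the verdict for the running kernel.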
