nftables
Query
nft list ruleset
nft -a list ruleset # -a shows the handle number of every rule
nft -a list chain inet filter input # show the rules of one chain
nft -a list table inet filter # show the rules of one table
Delete
nft delete rule inet filter input handle 4 # delete the rule in the input chain of table filter whose handle is 4 (handles are the identifiers shown by -a, not positions in the chain)
nft delete chain inet filter input # delete the whole chain (it must contain no rules and not be a jump target)
nft delete table inet filter # delete the whole table together with its chains and rules
nft flush chain inet filter input # remove all rules from the chain but keep the chain itself
Create (these commands assume the table inet filter and its input chain already exist; nft add rule appends to the end of the chain, so rule order matters)
nft add rule inet filter input ip saddr 1.2.3.4 drop # drop all packets from 1.2.3.4
nft add rule inet filter input ip saddr 1.2.3.4 tcp dport 22 drop # drop connections from 1.2.3.4 to local TCP port 22
nft add rule inet filter input ip saddr 192.168.3.1 ip daddr 192.168.3.2 drop # drop packets from 192.168.3.1 to 192.168.3.2
nft add rule inet filter input icmp type echo-request drop # block ping (ICMP echo request)
nft add rule inet filter input ip saddr 1.2.3.4 limit rate 400/minute accept # accept at most 400 packets/minute from 1.2.3.4; packets over the limit do not match this rule and fall through to the following rules or the chain policy, so add a drop rule after it if they should be discarded
nft add rule inet filter input ip saddr 1.2.3.4 limit rate over 2 mbytes/second counter drop # count and drop the part of the traffic from 1.2.3.4 that exceeds 2 MB/s
nft add rule inet filter input ip saddr 1.2.3.4 tcp dport 12345 limit rate over 2 mbytes/second counter drop # same, but only for traffic from 1.2.3.4 to local TCP port 12345
Advanced usage
ip saddr 192.168.2.0/24
ip saddr != 192.168.2.0/24
ip saddr 192.168.3.1 ip daddr 192.168.3.100
ip saddr != 1.1.1.1
ip saddr 1.1.1.1
ip saddr & 0xff == 1 # last octet of the source address equals 1
ip saddr & 0.0.0.255 < 0.0.0.127 # last octet of the source address is below 127
ip daddr 192.168.0.1-192.168.0.250
ip daddr { 192.168.0.1-192.168.0.250 }
ip daddr { 192.168.5.1, 192.168.5.2, 192.168.5.3 }
Rate limiting
limit rate 400/minute
limit rate 400/hour
limit rate over 1023/second burst 10 packets # with "over" the rule matches the packets that exceed the rate; without it, the packets within the rate
limit rate 1025 kbytes/second
limit rate 1023000 mbytes/second
limit rate 1025 bytes/second burst 512 bytes
limit rate 1025 kbytes/second burst 1023 kbytes
limit rate 1025 mbytes/second burst 1025 kbytes
limit rate 1025000 mbytes/second burst 1023 mbytes
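The Create and Rate limiting sections above each show single rules against an already existing chain. As an added example that is not part of the original notes, the ruleset file below creates the table inet filter and the base chain input that those commands assume, and puts the rate-limit rules in context: a "limit rate ... accept" rule needs an explicit drop after it to discard the excess, while "limit rate over ... drop" matches the excess directly. The addresses, ports and the set name "blocked" are illustrative placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original notes. Loaded with: nft -f ruleset.nft
# "flush ruleset" discards every existing table, including ones other tools created.
flush ruleset

table inet filter {
	# named set of blocked sources; extend at runtime with
	#   nft add element inet filter blocked { 203.0.113.9 }
	set blocked {
		type ipv4_addr
		flags interval
		elements = { 1.2.3.4, 192.168.2.0/24 }
	}

	chain input {
		# base chain: attached to the input hook, default policy drop
		type filter hook input priority 0; policy drop;

		iif lo accept
		ct state established,related accept
		ct state invalid drop

		ip saddr @blocked counter drop

		# SSH: "limit rate" matches only the packets within the budget
		# (mostly new connection attempts, since established traffic was
		# accepted above); the explicit drop on the next line catches the rest
		tcp dport 22 limit rate 400/minute accept
		tcp dport 22 counter drop

		# allow ping, but no more than 10 echo requests per second
		icmp type echo-request limit rate 10/second accept
		icmp type echo-request drop

		# byte-rate limit: "over" matches the traffic that exceeds 2 MB/s
		tcp dport 12345 limit rate over 2 mbytes/second counter drop
		tcp dport { 80, 443, 12345 } accept
	}
}
```

Check the file without applying it with nft -c -f ruleset.nft, load it as root with nft -f ruleset.nft, then nft -a list chain inet filter input shows the handle of each rule for nft delete rule.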