Why can't I close port 80 with nftables?

I want to close port 80 on localhost.

    sudo nft add rule inet filter input tcp dport 80 drop

Checking with nmap:

    sudo nmap -p 80 127.0.0.1
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-02 05:16 EDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up (0.00010s latency).

    PORT   STATE SERVICE
    80/tcp open  http

    Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds

Why can't port 80 be closed?

    sudo nft list ruleset
    table inet filter {
        chain input {
            type filter hook input priority 0; policy accept;
            iif "lo" accept comment "Accept any localhost traffic"
            iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
            tcp dport { http } ct state established,new drop
            tcp dport http drop
        }

        chain forward {
            type filter hook forward priority 0; policy accept;
        }

        chain output {
            type filter hook output priority 0; policy accept;
        }
    }

Now inserting it instead:

    sudo nft insert rule inet filter input tcp dport 80 drop
    sudo nmap -p 80 127.0.0.1
    Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-02 08:29 EDT
    Nmap scan report for localhost (127.0.0.1)
    Host is up.

    PORT   STATE    SERVICE
    80/tcp filtered http

    Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds
The order of the rules matters: if an earlier rule matches a packet and says it should be accepted, a later rule cannot override that decision. You must take care to insert the rule that blocks the traffic before any rule that would accept it, or delete the earlier rule that is currently accepting the traffic (if applicable).

By default, nft add appends the new rule to the end of the specified chain, unless you explicitly specify that the rule should be inserted after a particular existing rule. To add a rule at the beginning of the chain, before any existing rules, you need to use nft insert instead.
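The first-match behaviour the answer describes can be seen without touching a kernel. The following is an added example, not code from the question or the answer, and it is a deliberately small model of an nftables base chain, not nft itself: the `Chain`, `Rule` and `Packet` names are invented here. It rebuilds the input chain from the question's `nft list ruleset` output and shows why a `drop` appended with `add` never sees loopback traffic (the earlier `iif "lo" accept` already decided), while the same rule placed with `insert` is evaluated first.

```python
"""Toy model of nftables first-match evaluation (constructed example, not nft).

Each rule is a match predicate plus a verdict. Terminal verdicts
("accept", "drop") stop evaluation; a rule with no verdict (like a
bare `counter`) is skipped here because it does not decide the packet.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iif: str      # input interface, e.g. "lo" or "eth0"
    daddr: str    # destination IPv4 address as a string
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass
class Rule:
    text: str                          # rule as it would appear in nft syntax
    match: Callable[[Packet], bool]
    verdict: Optional[str] = None      # "accept", "drop", or None (non-terminal)


@dataclass
class Chain:
    policy: str = "accept"
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        # `nft add rule ...` appends to the end of the chain.
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:
        # `nft insert rule ...` puts the rule at the head of the chain.
        self.rules.insert(0, rule)

    def evaluate(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, deciding rule text); first terminal match wins."""
        for rule in self.rules:
            if rule.match(pkt) and rule.verdict is not None:
                return rule.verdict, rule.text
        return self.policy, "chain policy"


def in_loopback_net(addr: str) -> bool:
    # 127.0.0.0/8: any address whose first octet is 127.
    return addr.split(".")[0] == "127"


def chain_from_question() -> Chain:
    """The input chain shown by `nft list ruleset` in the question, in order."""
    c = Chain(policy="accept")
    c.add(Rule('iif "lo" accept', lambda p: p.iif == "lo", "accept"))
    c.add(Rule('iif != "lo" ip daddr 127.0.0.0/8 drop',
               lambda p: p.iif != "lo" and in_loopback_net(p.daddr), "drop"))
    c.add(Rule("tcp dport http drop",
               lambda p: p.proto == "tcp" and p.dport == 80, "drop"))
    return c


PORT80_DROP = Rule("tcp dport 80 drop",
                   lambda p: p.proto == "tcp" and p.dport == 80, "drop")

# Constructed sample packets: the nmap probe from localhost, and a probe
# arriving on a non-loopback interface for comparison.
LOCAL_PROBE = Packet(iif="lo", daddr="127.0.0.1", proto="tcp", dport=80)
REMOTE_PROBE = Packet(iif="eth0", daddr="192.0.2.10", proto="tcp", dport=80)


def verdict_after_add(pkt: Packet) -> Tuple[str, str]:
    """What the chain decides after `nft add rule ... tcp dport 80 drop`."""
    c = chain_from_question()
    c.add(PORT80_DROP)
    return c.evaluate(pkt)


def verdict_after_insert(pkt: Packet) -> Tuple[str, str]:
    """What the chain decides after `nft insert rule ... tcp dport 80 drop`."""
    c = chain_from_question()
    c.insert(PORT80_DROP)
    return c.evaluate(pkt)


if __name__ == "__main__":
    for label, fn in (("add", verdict_after_add), ("insert", verdict_after_insert)):
        for name, pkt in (("lo", LOCAL_PROBE), ("eth0", REMOTE_PROBE)):
            verdict, why = fn(pkt)
            print(f"{label:6} {name:5} -> {verdict:6} (decided by: {why})")
```

Running it shows the appended rule only affects the `eth0` probe, while the inserted rule drops both. On a real host the equivalent check is `sudo nft -a list ruleset`, which prints each rule with its handle so the evaluation order (and any accept that sits above your drop) is visible before you test with nmap.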