nftables
Examples
Time-limited IP blocking
Addresses picked out of the web server's access log are blocked from ports 80 and 443. Each new connection attempt from a blocked address renews its two-day timer, so the block expires on its own once the address has stayed away for two days. The ruleset:
    # Remove any previous copy of the table so the file can be reloaded with
    # `nft -f`. `destroy` does not fail if the table is absent (needs kernel 6.3
    # or later); on older systems use `delete table inet blocker` instead.
    destroy table inet blocker
    table inet blocker {
        # Elements expire two days after they were added or last refreshed.
        # `dynamic` is required so rules may `update` the set at runtime.
        set spam_ips {
            type ipv4_addr
            timeout 2d
            flags timeout, dynamic
        }
        set spam_ips6 {
            type ipv6_addr
            timeout 2d
            flags timeout, dynamic
        }
        chain input {
            type filter hook input priority 0; policy accept;
            # Connections accepted earlier are not re-evaluated here, so only
            # new connections from a blocked address are dropped.
            ct state established,related accept
            # A new HTTP/HTTPS connection from a listed address refreshes its
            # two-day timer and is dropped.
            ip saddr @spam_ips tcp dport { 80, 443 } update @spam_ips { ip saddr timeout 2d } drop
            ip6 saddr @spam_ips6 tcp dport { 80, 443 } update @spam_ips6 { ip6 saddr timeout 2d } drop
        }
    }
Use the following commands to add an address (replace ipv4_addr or ipv6_addr with the address to block):
    nft add element inet blocker spam_ips '{ ipv4_addr }'
    nft add element inet blocker spam_ips6 '{ ipv6_addr }'
`nft list set inet blocker spam_ips` shows the current elements together with the time left on each one. Note that a connection the blocked address already had open when it was added is not cut off, because the `ct state established,related accept` rule matches before the drop rule; only new connections are refused.
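The page leaves the "read the access log" step to the reader. As an added example (not from the original page), the following POSIX shell script picks out clients that produced at least a given number of 4xx responses and prints the matching `nft add element` command for each, choosing the IPv4 or IPv6 set by whether the address contains a colon. The log format (common/combined log, client address as the first field and status code as the ninth), the threshold of 3, and the sample log lines are assumptions; the lines are constructed and use documentation address ranges.

```shell
#!/bin/sh
# Added example: derive block candidates from a web server access log and
# emit the nft commands that add them to the sets of the `inet blocker` table.
# Assumes common/combined log format (client IP = field 1, status = field 9).
set -eu

# Constructed sample log (not real traffic); in practice read the real file.
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 162
198.51.100.20 - - [10/Oct/2023:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 1024
2001:db8::1 - - [10/Oct/2023:13:57:10 +0000] "GET /.git/config HTTP/1.1" 404 162
2001:db8::1 - - [10/Oct/2023:13:57:11 +0000] "GET /.env HTTP/1.1" 404 162
2001:db8::1 - - [10/Oct/2023:13:57:12 +0000] "GET /admin HTTP/1.1" 404 162'

# offenders THRESHOLD: read log lines on stdin, print each client address that
# received at least THRESHOLD 4xx responses, one per line, sorted bytewise.
offenders() {
    awk -v min="$1" '
        $9 ~ /^4[0-9][0-9]$/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip }
    ' | LC_ALL=C sort
}

# nft_cmds: read addresses on stdin, print the nft command that adds each one
# to the right set. An IPv6 address is recognised by the colon it contains.
nft_cmds() {
    while IFS= read -r ip; do
        case $ip in
            *:*) printf "nft add element inet blocker spam_ips6 '{ %s }'\n" "$ip" ;;
            *)   printf "nft add element inet blocker spam_ips '{ %s }'\n" "$ip" ;;
        esac
    done
}

# block_from_log: whole pipeline over the sample log with a threshold of 3.
# Pipe the output into `sh` as root to apply it, e.g. `block_from_log | sh`.
block_from_log() {
    printf '%s\n' "$SAMPLE_LOG" | offenders 3 | nft_cmds
}
```

Run against a live log with `offenders 20 < /var/log/nginx/access.log | nft_cmds | sh`; because the sets carry `flags timeout`, re-adding an address that is already present only resets its two-day timer, so the script can run from cron without growing the sets.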