This is my /etc/nftables.conf:
#!/usr/sbin/nft -f
flush ruleset
define wan = { eth0 }
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # allow everything from loopback interface
        iif lo accept comment "Accept any localhost traffic"
        # drop invalid connection attempts
        ct state invalid drop comment "Drop all invalid connection attempts"
        # allow established and related connections
        ct state established,related accept comment "Accept all traffic initiated by us"
        # allow explicitly allowed services/ports/protocols
        iif $wan tcp dport 22 accept comment "wan"
        # Apply extra (manual configured) rules
        # reject everything that has not been accepted before
        reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # allow everything from loopback interface
        iif lo accept comment "Accept any localhost traffic"
        # drop invalid connection attempts
        ct state invalid drop comment "Drop all invalid connection attempts"
        # Apply extra (manual configured) rules
        # reject everything that has not been accepted before
        reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Apply extra (manual configured) rules
    }
}
This is what journalctl -u nftables.service shows after running systemctl restart nftables.service:
Feb 01 18:54:40 mydomain.net systemd[1]: Starting nftables...
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:14:13-33: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]: ct state invalid drop comment "Drop all invalid connection attempts"
Feb 01 18:54:40 mydomain.net nft[1682]: ^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:16:13-47: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]: ct state established,related accept comment "Accept all traffic initiated by us"
Feb 01 18:54:40 mydomain.net nft[1682]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:21:13-51: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]: reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
Feb 01 18:54:40 mydomain.net nft[1682]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:29:13-33: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]: ct state invalid drop comment "Drop all invalid connection attempts"
Feb 01 18:54:40 mydomain.net nft[1682]: ^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net nft[1682]: /etc/nftables.conf:32:13-51: Error: Could not process rule: No such file or directory
Feb 01 18:54:40 mydomain.net nft[1682]: reject with icmpx type admin-prohibited comment "Drop everything, which is not explicitly allowed"
Feb 01 18:54:40 mydomain.net nft[1682]: ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Feb 01 18:54:40 mydomain.net systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
Feb 01 18:54:40 mydomain.net systemd[1]: nftables.service: Failed with result 'exit-code'.
Feb 01 18:54:40 mydomain.net systemd[1]: Failed to start nftables.
If I comment out the rules that start with "ct state", the service starts without errors. What is the problem here? The same ruleset works fine on other systems.
System information:
Operating system: Debian 10
Kernel: 4.19.0-14-amd64
Answer 1
For anyone else who runs into this problem, make sure that:
- the "netfilter" (and related) kernel options are compiled in, either built in directly or as modules (grep -i netfilter /proc/config* or grep -i netfilter /boot/config*)
- if those options are compiled as modules, the sysctl option kernel.modules_disabled is not set to 1 (edit /etc/sysctl.conf)
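Added example, not code from the question or the answer above: a POSIX shell script that automates the two checks the answer lists (are the needed netfilter/nftables options =y or =m in the kernel config, and is kernel.modules_disabled set to 1) and finishes with nft -c, nft's check mode, which parses and validates a ruleset without committing it. "Could not process rule: No such file or directory" is ENOENT from the kernel, which is what nft reports when the kernel cannot find, or autoload, the expression a rule uses: the "ct state" rules need nf_conntrack and nft_ct, and "reject with icmpx" in the inet family needs nft_reject_inet. The list of CONFIG_ symbols is my assumption about which upstream Kconfig options the posted ruleset depends on, and the sample .config fed to the checker is constructed for the example, not taken from a real Debian 10 kernel.

```shell
#!/bin/sh
# Added example (not from the question or answer): pre-flight checks for the
# kernel side of "Could not process rule: No such file or directory" (ENOENT),
# which nft reports when the kernel cannot find or autoload the expression a
# rule needs. Assumption: upstream Kconfig names as used by Linux 4.19.
# "ct state" needs nf_conntrack + nft_ct; "reject with icmpx" (inet family)
# needs nft_reject_inet.

NEEDED_OPTS="CONFIG_NF_TABLES CONFIG_NF_TABLES_INET CONFIG_NF_CONNTRACK CONFIG_NFT_CT CONFIG_NFT_REJECT CONFIG_NFT_REJECT_INET"

# check_kconfig FILE: print the needed options that are neither =y nor =m in
# FILE (an uncompressed kernel .config). Exit status 0 only when none is missing.
check_kconfig() {
    missing=""
    for opt in $NEEDED_OPTS; do
        grep -Eq "^${opt}=(y|m)$" "$1" || missing="$missing $opt"
    done
    missing="${missing# }"
    [ -n "$missing" ] && printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# modules_locked FILE: exit 0 when FILE (/proc/sys/kernel/modules_disabled on a
# live system) contains 1. Nothing built as =m can then be loaded until reboot,
# so every =m option above counts as absent.
modules_locked() {
    [ "$(cat "$1")" = "1" ]
}

# Constructed sample .config (not from a real host): conntrack is present but
# nft_ct and nft_reject_inet were left out, which breaks every "ct state" and
# "reject with icmpx" rule in the posted ruleset while the other rules load.
SAMPLE_KCONFIG='CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_INET=y
CONFIG_NF_CONNTRACK=m
# CONFIG_NFT_CT is not set
CONFIG_NFT_REJECT=m
# CONFIG_NFT_REJECT_INET is not set'

# run_sample: run the checker over the sample and print what it flags.
run_sample() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_KCONFIG" > "$f"
    flagged=$(check_kconfig "$f" || true)
    rm -f "$f"
    printf '%s\n' "$flagged"
}

# main: the same checks against the running system, then nft's check mode.
main() {
    tmp=""
    if [ -r /proc/config.gz ]; then
        tmp=$(mktemp) && zcat /proc/config.gz > "$tmp"
        cfg=$tmp
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cfg="/boot/config-$(uname -r)"
    else
        echo "no kernel config found; fall back to: lsmod | grep -E 'nf_conntrack|nft_ct|nft_reject'"
        return 0
    fi
    if check_kconfig "$cfg"; then
        echo "kernel config: all required nftables options are =y or =m"
    else
        echo "kernel config: the options listed above are missing (different kernel needed)"
    fi
    if [ -n "$tmp" ]; then rm -f "$tmp"; fi
    if [ -r /proc/sys/kernel/modules_disabled ] && modules_locked /proc/sys/kernel/modules_disabled; then
        echo "kernel.modules_disabled=1: =m options cannot be loaded; fix /etc/sysctl.conf and reboot"
    fi
    # -c parses and validates the ruleset without loading it.
    if command -v nft >/dev/null 2>&1 && [ -r /etc/nftables.conf ]; then
        if nft -c -f /etc/nftables.conf; then
            echo "nft -c: ruleset accepted by the kernel"
        else
            echo "nft -c: ruleset rejected; see the messages above"
        fi
    fi
}

# Only touch the live system when asked to; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as sh nft_preflight.sh --run on the affected host (as root, so that nft -c can talk to the kernel); run_sample needs nothing from the system. If the config says an option is =m but the rule still fails and modules_disabled is 0, try modprobe nft_ct (or nft_reject_inet) by hand and rerun nft -c before editing sysctl.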