Why can't I close port 80 with nftables?

I want to close port 80 on the local host.

sudo nft add rule inet  filter input tcp dport 80 drop

Checking with nmap:

sudo nmap  -p 80   127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-02 05:16 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00010s latency).

PORT   STATE SERVICE
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds

Why can't port 80 be closed?

sudo nft list ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
        iif "lo" accept comment "Accept any localhost traffic"
        iif != "lo" ip daddr 127.0.0.0/8 counter packets 0 bytes 0 drop comment "drop connections to loopback not coming from loopback"
        tcp dport { http } ct state established,new drop
        tcp dport http drop
    }

    chain forward {
        type filter hook forward priority 0; policy accept;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

Now inserting it instead:

sudo nft insert rule inet  filter input tcp dport 80 drop
sudo nmap  -p 80   127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2021-05-02 08:29 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up.

PORT   STATE    SERVICE
80/tcp filtered http

Nmap done: 1 IP address (1 host up) scanned in 2.12 seconds

Answer 1

The order of the rules matters: if an earlier rule matches the packet and says it should be accepted, a later rule cannot override that decision. You must be careful to insert the rules that block the traffic before any rule that accepts it, or delete the earlier rule that is currently accepting the traffic, if applicable.

By default, nft add appends a new rule at the end of the specified chain, unless you explicitly specify that the rule is to be inserted after a particular existing rule. To add a rule at the beginning of a chain, before any existing rules, you need to use nft insert.
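The first-match behaviour the answer describes, as an added illustration that is not part of the original question or answer: a small Python model of nftables chain traversal, built from the question's own input chain (policy accept, `iif "lo" accept` first, then the loopback-spoofing drop), in which `add` appends and `insert` prepends exactly as `nft add rule` and `nft insert rule` do. It models only the rule-evaluation order, not nftables itself; the `Packet` fields and the external-host sample are constructed for the example.

```python
"""Model of nftables first-match chain traversal (added example, not code from the post).

The chain mirrors the `input` chain in the question. A `Packet` is a constructed
stand-in for what the kernel's input hook would see; nftables is not involved.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iif: str      # input interface name
    daddr: str    # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass
class Rule:
    text: str                        # nft syntax, kept for display only
    match: Callable[[Packet], bool]  # does the rule's expression match this packet?
    verdict: Optional[str]           # "accept"/"drop"; None for non-terminal rules (e.g. a bare counter)


@dataclass
class Chain:
    policy: str = "accept"
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule: Rule) -> None:
        """`nft add rule`: append at the end of the chain."""
        self.rules.append(rule)

    def insert(self, rule: Rule, index: int = 0) -> None:
        """`nft insert rule`: put at the beginning of the chain (or before the rule at `index`)."""
        self.rules.insert(index, rule)

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Walk the chain top to bottom; the first matching rule that carries a verdict wins.
        Returns (verdict, text of the deciding rule, or 'policy' if none matched)."""
        for rule in self.rules:
            if rule.match(pkt) and rule.verdict is not None:
                return rule.verdict, rule.text
        return self.policy, "policy"


def accept_loopback() -> Rule:
    return Rule('iif "lo" accept', lambda p: p.iif == "lo", "accept")


def drop_spoofed_loopback() -> Rule:
    return Rule('iif != "lo" ip daddr 127.0.0.0/8 drop',
                lambda p: p.iif != "lo" and ip_address(p.daddr) in ip_network("127.0.0.0/8"),
                "drop")


def drop_tcp_dport(port: int) -> Rule:
    return Rule(f"tcp dport {port} drop",
                lambda p: p.proto == "tcp" and p.dport == port,
                "drop")


def input_chain_from_question() -> Chain:
    """The two rules that were already in the chain before the port-80 attempts."""
    chain = Chain(policy="accept")
    chain.add(accept_loopback())
    chain.add(drop_spoofed_loopback())
    return chain


# Constructed sample packets: the SYN that `nmap -p 80 127.0.0.1` sends, and one from another host.
LOOPBACK_HTTP = Packet(iif="lo", daddr="127.0.0.1", proto="tcp", dport=80)
EXTERNAL_HTTP = Packet(iif="eth0", daddr="192.0.2.10", proto="tcp", dport=80)


def verdict_after_add(pkt: Packet = LOOPBACK_HTTP) -> Tuple[str, str]:
    """What the question's first attempt (`nft add rule ... tcp dport 80 drop`) yields."""
    chain = input_chain_from_question()
    chain.add(drop_tcp_dport(80))      # lands after 'iif "lo" accept', so loopback traffic never reaches it
    return chain.decide(pkt)


def verdict_after_insert(pkt: Packet = LOOPBACK_HTTP) -> Tuple[str, str]:
    """What `nft insert rule ... tcp dport 80 drop` yields: the drop is evaluated first."""
    chain = input_chain_from_question()
    chain.insert(drop_tcp_dport(80))
    return chain.decide(pkt)


if __name__ == "__main__":
    for label, fn in (("nft add", verdict_after_add), ("nft insert", verdict_after_insert)):
        for pkt in (LOOPBACK_HTTP, EXTERNAL_HTTP):
            verdict, why = fn(pkt)
            print(f"{label:10} iif={pkt.iif:5} dport={pkt.dport}: {verdict:6} (decided by: {why})")
```

Running it shows the trap in the question: with `add`, the loopback scan is accepted by `iif "lo" accept` before the drop rule is ever consulted, while the same drop rule does catch a connection arriving on another interface; with `insert`, both are dropped. On a real host, to place a rule relative to a specific existing rule rather than at the very top, list handles with `nft -a list chain inet filter input` and use `nft insert rule ... position <handle> ...` (before that rule) or `nft add rule ... position <handle> ...` (after it). Note also that nmap reports a dropped port as `filtered`, as the second scan in the question shows; a `reject with tcp reset` verdict would make it report `closed`.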
