How do I convert iptables rules to nftables rules?


I am trying to figure out how to convert iptables rules to nftables rules on an Ubuntu system.

I tried using the automatic converter to translate iptables to nftables, but it does not seem to work.

PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; ip6tables -A FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; ip6tables -A INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE; iptables -D INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT; ip6tables -D INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ uname -r
5.4.0-1069-azure
$ nft -v
nftables v0.9.8 (E.D.S.)
$ iptables-translate -V
iptables-translate v1.8.7 (nf_tables)
$ ip6tables-translate -V
ip6tables-translate v1.8.7 (nf_tables)

Translation

iptables -A FORWARD -i wg0 -j ACCEPT
nft add rule ip filter FORWARD iifname "wg0" counter accept

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
nft add rule ip nat POSTROUTING oifname "eth0" counter masquerade

iptables -A INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip filter INPUT ip saddr 10.0.0.0/8 udp dport 53 ct state new counter accept

ip6tables -A FORWARD -i wg0 -j ACCEPT
nft add rule ip6 filter FORWARD iifname "wg0" counter accept

ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
nft add rule ip6 nat POSTROUTING oifname "eth0" counter masquerade 

ip6tables -A INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
nft add rule ip6 filter INPUT ip6 saddr fd00::/8 udp dport 53 ct state new counter accept

---

iptables -D FORWARD -i wg0 -j ACCEPT
$ iptables-translate -D FORWARD -i wg0 -j ACCEPT
Translation not implemented

iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
$ iptables-translate -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Translation not implemented

iptables -D INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ iptables-translate -D INPUT -s 10.0.0.0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
Translation not implemented

ip6tables -D FORWARD -i wg0 -j ACCEPT
$ ip6tables-translate -D FORWARD -i wg0 -j ACCEPT
Translation not implemented

ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
$ ip6tables-translate -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Translation not implemented

ip6tables -D INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
$ ip6tables-translate -D INPUT -s fd00:00:00::0/8 -p udp -m udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
Translation not implemented

Running

$ nft add rule ip filter FORWARD iifname "wg0" counter accept
Error: Could not process rule: No such file or directory
add rule ip filter FORWARD iifname wg0 counter accept
            ^^^^^^

If you can improve the rules, please do; I would like to specify the ports, but I am not good at using iptables or nftables.
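The "No such file or directory" error above is nftables reporting that the table `ip filter` and its chain `FORWARD` do not exist: `iptables-translate` emits `add rule` commands that assume the legacy table and chain names, but never creates them. The ruleset below is an added example, not from the original question, that creates its own table with the equivalent rules; it assumes the same interfaces (wg0, eth0) and source ranges as the question and a kernel of 5.2 or newer, which is needed for NAT in the `inet` family.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the original question: one nftables ruleset that
# reproduces the PostUp iptables/ip6tables rules in a dedicated table, so the
# PostDown step becomes a single "nft delete table inet wg" instead of six
# rule-by-rule deletions (which iptables-translate cannot translate anyway).
# Assumed: kernel >= 5.2 (NAT in the inet family), wg0 = tunnel, eth0 = uplink.
# Check syntax without loading:  nft -c -f /etc/wireguard/wg0.nft
# WireGuard:  PostUp   = nft -f /etc/wireguard/wg0.nft
#             PostDown = nft delete table inet wg

# Make the load idempotent: create the table if it is missing, then wipe it.
table inet wg
delete table inet wg

# The inet family carries both IPv4 and IPv6, replacing the paired
# iptables/ip6tables rules from the question.
table inet wg {
    chain input {
        # Same hook point as the iptables INPUT chain; policy accept leaves
        # the host's existing behaviour alone and only adds the DNS rule.
        type filter hook input priority filter; policy accept;
        # DNS (udp/53) from tunnel clients only, matching the two ranges the
        # question allowed (fd00:00:00::0/8 is written as fd00::/8).
        ip  saddr 10.0.0.0/8 udp dport 53 ct state new counter accept
        ip6 saddr fd00::/8   udp dport 53 ct state new counter accept
    }

    chain forward {
        type filter hook forward priority filter; policy accept;
        # Let traffic arriving from the tunnel be forwarded.
        iifname "wg0" counter accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source NAT for everything leaving via the uplink.
        oifname "eth0" counter masquerade
    }
}
```

Because every rule lives in `table inet wg`, `nft list table inet wg` shows exactly what the tunnel added and the counters tell you whether each rule is actually matching.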