install
apt install iptables;
Setting up nftables (0.9.0-2) ...
Setting up iptables (1.8.2-4) ...
update-alternatives: using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-legacy to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/iptables-nft to provide /usr/sbin/iptables (iptables) in auto mode
update-alternatives: using /usr/sbin/ip6tables-nft to provide /usr/sbin/ip6tables (ip6tables) in auto mode
update-alternatives: using /usr/sbin/arptables-nft to provide /usr/sbin/arptables (arptables) in auto mode
update-alternatives: using /usr/sbin/ebtables-nft to provide /usr/sbin/ebtables (ebtables) in auto mode
root@3acf839a54d4:/# ls -l /sbin/iptables
lrwxrwxrwx 1 root root 18 Oct 28 00:05 /sbin/iptables -> /usr/sbin/iptables
root@3acf839a54d4:/# ls -l /usr/sbin/iptables
lrwxrwxrwx 1 root root 26 Oct 28 00:05 /usr/sbin/iptables -> /etc/alternatives/iptables
root@3acf839a54d4:/# ls -l /etc/alternatives/iptables
lrwxrwxrwx 1 root root 22 Oct 28 00:05 /etc/alternatives/iptables -> /usr/sbin/iptables-nft
The default starting with Debian Buster:
# update-alternatives --set iptables /usr/sbin/iptables-nft
# update-alternatives --set ip6tables /usr/sbin/ip6tables-nft
# update-alternatives --set arptables /usr/sbin/arptables-nft
# update-alternatives --set ebtables /usr/sbin/ebtables-nft
Switching to the legacy version:
# update-alternatives --set iptables /usr/sbin/iptables-legacy
# update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy
# update-alternatives --set arptables /usr/sbin/arptables-legacy
# update-alternatives --set ebtables /usr/sbin/ebtables-legacy
iptables -Ln
iptables v1.8.2 (nf_tables): CHAIN_ADD failed (No such file or directory): chain INPUT
# Check the kernel modules
lsmod | grep -i -E "ip_tables|iptable_filter|ip6_tables|ip6table_filter"
ip6table_filter 16384 1
ip6_tables 28672 14 ip6table_filter,ip6table_raw,ip6table_nat,ip6table_mangle
iptable_filter 16384 2
ip_tables 28672 8 iptable_filter,iptable_raw,iptable_nat,iptable_mangle
nftables replaces the legacy iptables part of Netfilter. Compared with iptables, the advantages of nftables include less code duplication and easier extension to new protocols.
# Check the nftables modules
lsmod | grep -i -E "nf"
nf_tables 139264 0
nf_nat_ipv6 16384 1 ip6table_nat
nf_conntrack_netlink 49152 0
nfnetlink 16384 4 nf_conntrack_netlink,nf_tables,ip_set
nf_nat_ipv4 16384 2 ipt_MASQUERADE,iptable_nat
nf_nat 36864 3 nf_nat_ipv6,nf_nat_ipv4,xt_nat
nf_conntrack 163840 9 xt_conntrack,nf_nat,xt_state,nf_nat_ipv6,ipt_MASQUERADE,nf_nat_ipv4,xt_nat,nf_conntrack_netlink,ip_vs
nf_defrag_ipv6 20480 2 nf_conntrack,ip_vs
nf_defrag_ipv4 16384 1 nf_conntrack
libcrc32c 16384 4 nf_conntrack,nf_nat,xfs,ip_vs
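The steps above (read the alternatives link, check which backend `iptables -V` reports, check the loaded modules, then try a listing) can be collected into one script. The following is an added example, not part of the original notes: it parses the `iptables -V` string in the format shown above ("iptables v1.8.2 (nf_tables)") and `lsmod` output, and only touches the live system when `IPT_LIVE` is set. The sample lsmod text is constructed from the output in these notes; the `IPT_LIVE` variable and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): record which iptables backend a
# host uses and whether the kernel modules each backend relies on are loaded,
# then probe the backend the way the notes do (a plain listing) before
# switching alternatives.

# backend_of VERSION_STRING -> nf_tables | legacy | unknown
backend_of() {
    case "$1" in
        *"(nf_tables)"*) printf 'nf_tables\n' ;;
        *"(legacy)"*)    printf 'legacy\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# module_loaded LSMOD_TEXT MODULE -> status 0 if MODULE is in column 1.
# Exact match on the first field, so nf_tables does not match nf_tables_set.
module_loaded() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { found = 1 } END { exit !found }'
}

# module_report LSMOD_TEXT -> "nf_tables=loaded ip_tables=missing ..." for the
# modules the nf_tables backend (nf_tables) and the legacy backend
# (ip_tables, plus iptable_filter for the filter table) depend on.
module_report() {
    out=""
    for mod in nf_tables ip_tables iptable_filter; do
        if module_loaded "$1" "$mod"; then state=loaded; else state=missing; fi
        out="$out$mod=$state "
    done
    printf '%s\n' "${out% }"
}

# live_report: inspect the running host. A loaded module alone does not prove
# the backend works (the notes show nf_tables loaded while iptables-nft still
# fails with CHAIN_ADD), so the decisive check is the listing itself.
live_report() {
    ver=$(iptables -V 2>&1) || ver="iptables not available"
    printf 'iptables -V : %s (backend: %s)\n' "$ver" "$(backend_of "$ver")"
    printf 'resolves to : %s\n' "$(readlink -f /usr/sbin/iptables 2>/dev/null || printf 'n/a')"
    printf 'modules     : %s\n' "$(module_report "$(lsmod 2>/dev/null)")"
    if iptables -L -n >/dev/null 2>&1; then
        printf 'probe       : iptables -L -n succeeded\n'
    else
        printf 'probe       : iptables -L -n FAILED\n'
        if [ "$(backend_of "$ver")" = nf_tables ] && [ -x /usr/sbin/iptables-legacy ]; then
            printf 'suggestion  : update-alternatives --set iptables /usr/sbin/iptables-legacy\n'
        fi
    fi
}

# Constructed sample, taken from the lsmod output in the notes, so the parsers
# can be exercised without root or a matching kernel.
SAMPLE_LSMOD='nf_tables 139264 0
ip6table_filter 16384 1
iptable_filter 16384 2
ip_tables 28672 8 iptable_filter,iptable_raw,iptable_nat,iptable_mangle'
SAMPLE_VERSION='iptables v1.8.2 (nf_tables)'
printf 'sample backend: %s\n' "$(backend_of "$SAMPLE_VERSION")"
printf 'sample modules: %s\n' "$(module_report "$SAMPLE_LSMOD")"

# Only touch the live system when asked; everything above is pure text parsing.
if [ -n "${IPT_LIVE:-}" ]; then live_report; fi
```

Run it as `IPT_LIVE=1 sh check-iptables.sh` on the host or inside the container; without `IPT_LIVE` it only exercises the parsers on the sample text. The script prints the `update-alternatives` command rather than running it, so the switch between `iptables-nft` and `iptables-legacy` stays an explicit operator decision.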
ref
- https://wiki.debian.org/iptables
- https://wiki.debian.org/nftables
- https://wiki.archlinux.org/index.php/Nftables
- https://linux.die.net/man/8/iptables