# 使用新表名重新创建规则
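# Create the table and chain and install the blacklist rules as ONE nft -f
# transaction: the kernel applies all of it or none of it, whereas the
# one-command-per-line form can leave a half-built table (e.g. the IPv4 rule
# loaded, the IPv6 rule rejected for a typo).  The "add table" + "flush table"
# prelude makes the block re-runnable: "add" is a no-op when the table already
# exists, and flushing it removes the old rules, so repeating the block does not
# append a second copy of each drop rule (which "nft add rule" does on every run).
nft -f - <<'EOF'
add table inet blacklist
flush table inet blacklist
table inet blacklist {
  chain input {
    # priority 0 / policy accept: this chain only drops the listed sources and
    # leaves everything else to the other base chains.  It sits on the input
    # hook only, so traffic this host merely forwards is not filtered here.
    type filter hook input priority 0; policy accept;

    # IPv4 blacklist (prefixes, matched as an anonymous set)
    ip saddr {
      20.171.206.0/24,
      52.230.152.0/24,
      52.233.106.0/24,
      66.220.144.0/20,
      69.63.176.0/20,
      103.218.243.0/24,
      152.32.128.0/17,
      162.142.125.0/24,
      167.94.138.0/24,
      167.94.145.0/24,
      167.94.146.0/24,
      167.248.133.0/24,
      199.45.154.0/23,
      206.168.34.0/24
    } drop

    # IPv6 blacklist
    ip6 saddr {
      2602:80d:1000:b0cc:e::/80,
      2602:80d:1003::/112,
      2602:80d:1004::/112,
      2620:0:1c00::/40,
      2620:96:e000:b0cc:e::/80,
      2a03:2880::/32
    } drop
  }
}
EOF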
# 保存并使其生效
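# Persist the live ruleset.  The one-liner "nft list ruleset > /etc/nftables.conf"
# has two pitfalls: the ">" redirection is performed by the caller's shell, so
# sudo does not elevate it, and if "nft list" fails or prints nothing (e.g. run
# as non-root) an EMPTY file silently replaces the old config.  So: keep a
# timestamped backup, capture the dump and refuse to write it if it is empty,
# write through "sudo tee", and syntax-check the file (nft -c) before restarting,
# because a restart with a broken config would leave the host without these rules.
if [ -f /etc/nftables.conf ]; then
  sudo cp -a -- /etc/nftables.conf "/etc/nftables.conf.bak.$(date +%Y%m%d%H%M%S)"
fi
ruleset=$(sudo nft list ruleset) && [ -n "$ruleset" ] \
  && printf '%s\n' "$ruleset" | sudo tee /etc/nftables.conf >/dev/null
# NOTE(review): the dump contains every table on the host (including any created
# by other tools) and has no leading "flush ruleset"; whether a restart replaces or
# stacks on the running rules depends on the service unit's stop/reload actions --
# check the unit before relying on "systemctl reload".
sudo nft -c -f /etc/nftables.conf \
  && sudo systemctl restart nftables \
  && sudo systemctl enable nftables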
# 查看所有规则
# Dump the entire live ruleset (all families and tables); this is exactly what the
# save step writes to /etc/nftables.conf.  Add -a to also print rule handles, which
# are needed to delete or replace a single rule.
nft list ruleset
# 查看特定表的规则
# Show one table at a time; the family (ip / inet) is part of the table's identity,
# so "ip forward2jp" and "inet blacklist" must be named with their own family.
# Fails if the table does not exist.
nft list table ip forward2jp
nft list table inet blacklist
# 删除现有的表
# Delete whole tables from the LIVE ruleset (their chains, sets and rules go too).
# Each command errors if the table is absent.  Nothing on disk changes: until the
# config is re-saved, a service restart brings both tables back from
# /etc/nftables.conf.  Deleting "inet blacklist" removes the drop rules
# immediately; "ip forward2jp" presumably holds the forwarding setup the first
# heading refers to -- list it before deleting to confirm.
nft delete table ip forward2jp
nft delete table inet blacklist
# iptables 规则查询
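# Show every rule with packet/byte counters.  -n is added to every listing below:
# without it iptables resolves each address and port to a name, which is slow
# and sends a reverse-DNS query for every listed address.
iptables -L -v -n
# Same with rule numbers (the position argument for iptables -D / -I)
iptables -L -n --line-numbers
# Per table
iptables -t filter -L -n
iptables -t nat -L -n
iptables -t mangle -L -n
iptables -t raw -L -n
# Per chain
iptables -L INPUT -n
iptables -L OUTPUT -n
iptables -L FORWARD -n
# Complete dump of all tables in iptables-restore format
iptables-save
# IPv6
ip6tables -L -v -n
ip6tables-save
# NOTE(review): these commands do not show the nft tables created above.  With the
# nf_tables-backed iptables the reverse does hold -- its tables also appear in
# "nft list ruleset" and end up in the saved config; "iptables -V" tells which
# backend (nf_tables or legacy) is in use.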