{"id":293,"date":"2026-05-11T02:11:08","date_gmt":"2026-05-10T18:11:08","guid":{"rendered":"https:\/\/tweakl.com\/?p=293"},"modified":"2026-05-11T02:12:27","modified_gmt":"2026-05-10T18:12:27","slug":"nftables%e8%bd%ac%e5%8f%91%e6%95%99%e7%a8%8b","status":"publish","type":"post","link":"https:\/\/tweakl.com\/index.php\/2026\/05\/11\/nftables%e8%bd%ac%e5%8f%91%e6%95%99%e7%a8%8b\/","title":{"rendered":"nftables\u8f6c\u53d1\u6559\u7a0b"},"content":{"rendered":"\n

\u5185\u6838\u5c42 DNAT\/SNAT<\/p>\n\n\n\n

\u628a\u6240\u6709 TCP\/UDP \u7aef\u53e3\u5185\u6838\u7ea7\u8f6c\u53d1<\/p>\n\n\n\n

\u4e00\u3001\u51c6\u5907\u4fe1\u606f<\/p>\n\n\n\n

\u5148\u67e5\u7f51\u5361\u540d\uff1a<\/p>\n\n\n\n

ip route get 8.8.8.8<\/code><\/pre>\n\n\n\n
\u770b\u5230\u7c7b\u4f3c\uff1a<\/p>\n\n\n\n
dev eth0<\/code><\/pre>\n\n\n\n
\u90a3\u7f51\u5361\u5c31\u662f eth0<\/code>\u3002<\/p>\n\n\n\n
\u4fe1\u606f\u4e3a<\/p>\n\n\n\n
\u516c\u7f51 IP\uff1a1.1.1.1\n\u7f51\u5361\uff1aeth0\nSSH \u7aef\u53e3\uff1a22\n\n\u76ee\u6807 IP\uff1a2.2.2.2<\/code><\/pre>\n\n\n\n
\u4e8c\u3001\u5b89\u88c5 nftables<\/p>\n\n\n\n
apt update\napt install -y nftables\nsystemctl enable --now nftables<\/code><\/pre>\n\n\n\n
\u4e00\u952e\u811a\u672c\u81ea\u5df1\u4fee\u6539ip\uff0c\u7f51\u5361<\/p>\n\n\n\n
cat > \/root\/nft_to_hk.sh <<'EOF'\n#!\/bin\/bash\nset -e\n\nHK_IP=\"xxx.xxx.xxx.x\"\nWAN_IF=\"eth0\"\nSSH_PORT=\"22\"\n\necho \"====================================\"\necho \" \u672c\u673a nftables \u5168\u7aef\u53e3\u8f6c\u53d1\u5230\u5165\u53e3\"\necho \" \u5165\u53e3 IP: $HK_IP\"\necho \" \u7f51\u5361: $WAN_IF\"\necho \" \u4fdd\u7559 SSH \u7aef\u53e3: $SSH_PORT\"\necho \"====================================\"\n\napt update\napt install -y nftables conntrack\n\necho \"[1\/5] \u5f00\u542f IPv4 \u8f6c\u53d1...\"\ncat > \/etc\/sysctl.d\/99-nft-hk-forward.conf <<SYSCTL\nnet.ipv4.ip_forward=1\nnet.ipv4.conf.all.rp_filter=0\nnet.ipv4.conf.default.rp_filter=0\nnet.netfilter.nf_conntrack_max=1048576\nSYSCTL\n\nsysctl --system\n\necho \"[2\/5] \u5907\u4efd\u539f nftables \u914d\u7f6e...\"\nif [ -f \/etc\/nftables.conf ]; then\n    cp \/etc\/nftables.conf \/etc\/nftables.conf.bak.$(date +%F-%H%M%S)\nfi\n\necho \"[3\/5] \u5199\u5165 nftables \u8f6c\u53d1\u89c4\u5219...\"\ncat > \/etc\/nftables.conf <<NFT\n#!\/usr\/sbin\/nft -f\n\nflush ruleset\n\ndefine WAN_IF = $WAN_IF\ndefine HK_IP = $HK_IP\ndefine SSH_PORT = $SSH_PORT\n\ntable ip nat {\n    chain prerouting {\n        type nat hook prerouting priority dstnat; policy accept;\n\n        # \u4fdd\u7559 SSH\uff0c\u9632\u6b62\u81ea\u5df1\u88ab\u9501\u5916\u9762\n        iifname \\$WAN_IF tcp dport \\$SSH_PORT accept\n\n        # TCP \u5168\u7aef\u53e3\u8f6c\u53d1\u5230\u5165\u53e3\n        iifname \\$WAN_IF ip protocol tcp dnat to \\$HK_IP\n\n        # UDP \u5168\u7aef\u53e3\u8f6c\u53d1\u5230\u5165\u53e3\n        iifname \\$WAN_IF ip protocol udp dnat to \\$HK_IP\n    }\n\n    chain postrouting {\n        type nat hook postrouting priority srcnat; policy accept;\n\n        # \u5f3a\u5236\u56de\u7a0b\u7ecf\u8fc7\u524d\u7f6e\uff0c\u4fdd\u8bc1\u8fde\u63a5\u7a33\u5b9a\n        ip daddr \\$HK_IP masquerade\n    }\n}\n\ntable inet filter {\n    chain forward {\n        type filter hook forward priority filter; policy accept;\n    }\n}\nNFT\n\necho \"[4\/5] \u68c0\u67e5 nftables \u914d\u7f6e...\"\nnft -c -f \/etc\/nftables.conf\n\necho \"[5\/5] \u542f\u52a8 nftables...\"\nsystemctl enable nftables\nsystemctl restart nftables\n\necho\necho \"====================================\"\necho \"\u5b8c\u6210\uff1a\u5df2\u5168\u7aef\u53e3\u8f6c\u53d1\u5230\u5165\u53e3 $HK_IP\"\necho \"SSH \u7aef\u53e3 $SSH_PORT \u5df2\u4fdd\u7559\uff0c\u4e0d\u4f1a\u88ab\u8f6c\u53d1\"\necho \"====================================\"\necho\necho \"\u5f53\u524d\u89c4\u5219\uff1a\"\nnft list ruleset\nEOF<\/code><\/pre>\n\n\n\n
\u542f\u52a8\u670d\u52a1<\/p>\n\n\n\n
chmod +x \/root\/nft_to_hk.sh\nbash \/root\/nft_to_hk.sh<\/code><\/pre>\n\n\n\n
\u6d4b\u8bd5\u8f6c\u53d1\u6709\u6ca1\u6709\u751f\u6548\uff1a<\/p>\n\n\n\n
tcpdump -ni eth0 host xxx.xxx.xxx.x<\/code><\/pre>\n\n\n\n
\u67e5\u770b\u8fde\u63a5\uff1a<\/p>\n\n\n\n
conntrack -L | grep xxx.xxx.xxx.x<\/code><\/pre>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
\u5185\u6838\u5c42 DNAT\/SNAT \u628a\u6240\u6709 TCP\/UDP \u7aef\u53e3\u5185\u6838\u7ea7\u8f6c\u53d1 \u4e00\u3001\u51c6\u5907\u4fe1\u606f \u5148\u67e5\u7f51\u5361\u540d\uff1a \u770b\u5230\u7c7b\u4f3c\uff1a \u90a3 […]<\/p>\n","protected":false},"author":1,"featured_media":294,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-293","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vps"],"_links":{"self":[{"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/posts\/293","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/comments?post=293"}],"version-history":[{"count":2,"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/posts\/293\/revisions"}],"predecessor-version":[{"id":296,"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/posts\/293\/revisions\/296"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/media\/294"}],"wp:attachment":[{"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/media?parent=293"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/categories?post=293"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tweakl.com\/index.php\/wp-json\/wp\/v2\/tags?post=293"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}