编辑 /etc/nftables.conf，写入以下内容：
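#!/usr/sbin/nft -f
# SSH brute-force protection.
# Sources that open too many new SSH connections are put on a blocklist and
# every further new connection from them is dropped for one hour.
#
# NOTE: `flush ruleset` discards every existing table of every family before
# the rules below are loaded, so any other firewall rules must live in this
# file as well.
flush ruleset

table inet filter {
    # Per-source rate meters. Each element tracks the rate of new SSH
    # connection attempts for ONE source address, so the limit is evaluated
    # per client rather than for all clients together (a global limiter would
    # let a single noisy source get unrelated clients banned). Elements
    # expire when a source stays quiet for the set timeout.
    set ssh_meter {
        type ipv4_addr;
        flags dynamic, timeout;
        timeout 1m;
    }
    set ssh_meter_v6 {
        type ipv6_addr;
        flags dynamic, timeout;
        timeout 1m;
    }

    # Dynamic blocklist of banned IPv4 source addresses.
    # A banned address is removed automatically one hour after it was added.
    # (A set holds a single address family, hence the separate IPv6 set.)
    # Consider adding a `size` bound to cap the memory these sets may use.
    set ssh_blocklist {
        type ipv4_addr;
        flags dynamic, timeout;
        timeout 1h;
    }
    # Same for banned IPv6 source addresses.
    set ssh_blocklist_v6 {
        type ipv6_addr;
        flags dynamic, timeout;
        timeout 1h;
    }

    chain input {
        type filter hook input priority 0;
        # Chain policy made explicit: accept is nft's default when no policy
        # is given, so everything not matched below is allowed through.
        # Tightening this to `policy drop` requires explicit accept rules for
        # loopback, ICMP/ICMPv6 and every other service first.
        policy accept;

        # Allow established and related connections
        ct state established,related accept
        # Drop invalid packets
        ct state invalid drop

        # ---- SSH protection rules begin ----
        # IPv4: drop new connections from sources already on the blocklist
        tcp dport 22 ct state new ip saddr @ssh_blocklist drop
        # IPv4: per-source rate limit. The rule only continues to the
        # blocklist insertion and drop when THIS source exceeds 5 new
        # connections per minute; `update` refreshes the meter element's
        # timeout while the source keeps connecting.
        tcp dport 22 ct state new update @ssh_meter { ip saddr limit rate over 5/minute } add @ssh_blocklist { ip saddr } drop

        # IPv6: same two-step logic with the IPv6 sets
        tcp dport 22 ct state new ip6 saddr @ssh_blocklist_v6 drop
        tcp dport 22 ct state new update @ssh_meter_v6 { ip6 saddr limit rate over 5/minute } add @ssh_blocklist_v6 { ip6 saddr } drop
        # ---- SSH protection rules end ----
    }
}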
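# Syntax-check the rule file before it goes live. Because the file starts
# with `flush ruleset`, a mistake would otherwise be loaded onto a running
# host with no rules left in place (-c checks only, nothing is applied).
nft -c -f /etc/nftables.conf

# Load rules at boot.
systemctl enable nftables

# `start` is a no-op when the unit is already active, so an edited config
# would not be re-read; `restart` always (re)loads /etc/nftables.conf.
systemctl restart nftables
systemctl status nftables

# Confirm the table, sets and chain are actually installed in the kernel.
nft list ruleset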