• With iptables, you need to write two rules, one to log and one to drop, and every matching packet has to traverse both:
# iptables -A FORWARD -p tcp --dport 22 -j LOG
# iptables -A FORWARD -p tcp --dport 22 -j DROP
• With nftables, you can combine both in a single rule, because log is a non-terminating statement that can be followed by the drop verdict:
# nft add rule filter forward tcp dport 22 log drop
• With iptables, to allow TCP to several ports and to allow several ICMPv6 types, you need the multiport match for the ports and one rule per ICMPv6 type:
# ip6tables -A INPUT -p tcp -m multiport --dports 23,80,443 -j ACCEPT
# ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-solicitation -j ACCEPT
# ip6tables -A INPUT -p icmpv6 --icmpv6-type echo-request -j ACCEPT
# ip6tables -A INPUT -p icmpv6 --icmpv6-type router-advertisement -j ACCEPT
# ip6tables -A INPUT -p icmpv6 --icmpv6-type neighbor-advertisement -j ACCEPT
• With nftables, a set can be used in place of any single value in a rule, so the five ip6tables rules above collapse into two (when typing these from bash, keep the spaces inside the braces or quote them, otherwise bash brace expansion rewrites {telnet,http,https} before nft sees it):
# nft add rule ip6 filter input tcp dport { telnet, http, https } accept
# nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert } accept
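The same rules as one atomic ruleset file, as an added example that is not part of the original post: the forward-chain log-and-drop and the input-chain sets from both bullets are written with named sets (so elements can be changed later with nft add element / delete element without rewriting the rule), and the file is parsed with nft -c -f, which checks it without applying anything. The set names allowed_tcp and allowed_icmpv6, the output path, and the default-drop input policy with its loopback and conntrack accepts are this example's assumptions, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post): the post's rules as one atomic
# nftables ruleset using named sets, plus a parse-only check with `nft -c -f`.
# Assumptions: the set names, the output path, and the default-drop input
# policy with loopback and conntrack accepts are this example's, not the post's.

# Print the ruleset. The add/delete pair makes reloading idempotent: the table
# is created if missing, then deleted and redefined in the same transaction,
# so a reload never leaves the old and new rules side by side.
gen_ruleset() {
    cat <<'EOF'
add table ip6 filter
delete table ip6 filter
table ip6 filter {
    set allowed_tcp {
        type inet_service
        elements = { telnet, http, https }
    }
    set allowed_icmpv6 {
        type icmpv6_type
        elements = { nd-neighbor-solicit, echo-request, nd-router-advert, nd-neighbor-advert }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport @allowed_tcp accept
        icmpv6 type @allowed_icmpv6 accept
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        tcp dport 22 log prefix "ssh-drop: " drop
    }
}
EOF
}

# Write the ruleset to a file and, if nft is installed, parse it with -c
# (check only, nothing is loaded). Returns nft's exit status; returns 0 when
# nft is absent so the generated file can still be inspected.
check_ruleset() {
    out=${1:-/tmp/filter6.nft}   # assumed path
    gen_ruleset > "$out"
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$out"
    else
        echo "nft not found; wrote $out without checking it" >&2
    fi
}

# Load for real (as root) with: nft -f /tmp/filter6.nft
```

Two things worth noting before loading this. With policy drop on input, the ICMPv6 set is not optional: dropping nd-neighbor-solicit and nd-neighbor-advert breaks IPv6 neighbour discovery and the host loses connectivity. And because the file replaces the whole table in one transaction, a typo anywhere in it is rejected by nft -c -f before the running ruleset is touched, which is the practical advantage over appending iptables rules one at a time.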