From 8145299c32ce4ceb9a866fe4b12ab30d686ba6f6 Mon Sep 17 00:00:00 2001
From: Samson-W
Date: Thu, 18 Jul 2019 16:54:56 +0800
Subject: [PATCH] Add doc how_to_persistent_nft_rules_with_debian_10.mkd

---
 ...to_persistent_nft_rules_with_debian_10.mkd | 53 +++++++++++++++++++
 docs/configurations/nftables.conf | 1 +
 2 files changed, 54 insertions(+)
 create mode 100644 docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd

diff --git a/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd b/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd
new file mode 100644
index 0000000..a631539
--- /dev/null
+++ b/docs/configurations/manual-operation-docs/how_to_persistent_nft_rules_with_debian_10.mkd
@@ -0,0 +1,53 @@
+# How to persistent nft rules with debian 10
+
+## Test platform info
+
+Debian 10.0
+netfilter-persistent 1.0.11
+nftables 0.9.0-2
+
+## Pre-Install
+```
+$ sudo apt-get install -y nftables netfilter-persistent
+```
+
+## How to enable netfilter-persistent service
+
+netfilter-persistent service is auto running when netfilter-persistent was installed.
+
+Check service status:
+```
+$ sudo systemctl status netfilter-persistent
+```
+
+If netfilter-persistent service is not started, use the following command to enable netfilter-persistent service:
+```
+$ sudo systemctl start netfilter-persistent
+```
+
+## How to config for persistent iptables
+
+### Get nftables ruleset
+```
+~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/nftables.conf
+~$ sudo mv nftables.conf /etc/nftables.conf
+```
+
+Note: Please replace ens33 to interface name of your device
+
+### Get plugin of netfilter-persistent
+```
+~$ wget https://raw.githubusercontent.com/hardenedlinux/harbian-audit/master/docs/configurations/nftables-plugin.sh
+~$ sudo mv nftables-plugin.sh /usr/share/netfilter-persistent/plugins.d/
+```
+
+## Well-done
+Nft rules would auto restore nftables rules when Operation system restart, or manual to exec following command:
+```
+$ sudo systemctl restart netfilter-persistent
+```
+
+## Reference
+[http://manpages.org/netfilter-persistent/8](http://manpages.org/netfilter-persistent/8)
+
+
diff --git a/docs/configurations/nftables.conf b/docs/configurations/nftables.conf
index 8ecdbe4..245f2db 100644
--- a/docs/configurations/nftables.conf
+++ b/docs/configurations/nftables.conf
@@ -1,5 +1,6 @@
 #!/usr/sbin/nft -f
+# Please replace ens33 to interface name of your device
 define int_if = ens33
 # If there are multiple net interface, example: