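#!/usr/bin/env bash
# Worked examples for moving from iptables to nftables: a legacy iptables pair
# (log, then drop inbound telnet) and its one-rule nft equivalent, then an
# "inet firewall" table built up step by step (input/forward base chains,
# named sets, jump chains, a verdict map), and finally the
# iptables-translate / iptables-restore-translate helpers.
#
# Every command here changes the live kernel ruleset and needs CAP_NET_ADMIN.
# Lines marked "# output:" reproduce what the preceding list command prints;
# they are not commands. Stop at the first failure so a half-built ruleset
# is not left behind.
set -euo pipefail

# Legacy iptables: two rules, log first, then drop.
iptables -A INPUT -p tcp --dport 23 -j LOG
iptables -A INPUT -p tcp --dport 23 -j DROP
# nftables expresses the same log-then-drop as one rule with two statements.
nft add rule filter input tcp dport 23 log drop

# General command shape (syntax summary, not runnable as written):
#   nft add|list|flush|delete table|chain|rule

nft add table inet firewall
nft list tables inet
# output:
#   table inet firewall

# Base chain hooked on input. The "\;" keeps the shell from treating ";" as a
# command separator inside the braces.
nft create chain inet firewall incoming { type filter hook input priority 0\; }
nft list chains
# output:
#   table inet firewall {
#     chain incoming {
#       type filter hook input priority 0; policy accept;
#     }
#   }

# Rule order matters: loopback and established/related first, then the
# explicitly allowed new connections, then the catch-all drop.
nft add rule inet firewall incoming iif lo accept
nft add rule inet firewall incoming ct state established,related accept
nft add rule inet firewall incoming tcp dport 22 ct state new accept
nft add rule inet firewall incoming drop

# "position N" inserts after rule handle N. Handles are only shown by
# 'nft -a list ruleset' and are not stable across reloads, so confirm them
# before relying on a literal number like 4 or 8.
nft add rule inet firewall incoming position 4 tcp dport 443 ct state new accept

# Regular (non-base) chain reached via jump. A chain that finishes without a
# verdict returns to the caller, which continues with its next rule.
nft add chain inet firewall smtp-chain
nft add rule inet firewall incoming position 8 tcp dport 25 ct state new jump smtp-chain
nft add rule inet firewall smtp-chain counter

# Named set of source networks; "flags interval" allows CIDR/range elements.
nft add set inet firewall allow-smtp-set {type ipv4_addr\; flags interval\; }
nft add element inet firewall allow-smtp-set { 10.1.0.0/24, 192.168.0.0/24 }
nft add rule inet firewall incoming position 8 tcp dport { 25, 587 } ip saddr @allow-smtp-set accept

# Forward path: base chain, destination sets, one jump chain per traffic class.
nft create chain inet firewall forward { type filter hook forward priority 0\; }
nft add set inet firewall audit-servers {type ipv4_addr \; }
nft add element inet firewall audit-servers { 10.1.0.1, 192.168.0.1 }
nft add set inet firewall http-servers {type ipv4_addr \; }
nft add element inet firewall http-servers { 10.1.1.1, 192.168.1.1 }
nft add chain inet firewall audit-chain
nft add chain inet firewall http-chain
# Both chains need an explicit accept. Without a verdict the packet returns to
# "forward" and reaches the final drop below, so nothing would be forwarded.
nft add rule inet firewall audit-chain tcp dport 60 ip daddr @audit-servers accept
nft add rule inet firewall http-chain tcp dport { 80, 443 } ip daddr @http-servers accept
# Verdict map keyed on destination range. The third key was written as
# 10.1.1.1.2 (five octets, which nft rejects); 10.1.1.2 matches the sibling
# ranges and the http-servers set above.
nft add rule inet firewall forward ip daddr vmap { 10.1.0.2-10.1.0.10 : jump audit-chain, 192.168.0.2-192.168.0.10 : jump audit-chain, 10.1.1.2-10.1.1.10 : jump http-chain, 192.168.1.2-192.168.1.10 : jump http-chain }
nft add rule inet firewall forward drop

# Translate a single iptables rule to nft syntax (prints only, does not apply).
iptables-translate -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# output:
#   nft add rule ip filter INPUT tcp dport 22 ct state new counter accept

# Translate a whole saved ruleset and load it. The intermediate file goes to a
# mktemp path instead of a fixed /tmp name: a predictable, world-writable
# location could be pre-created or symlinked by another local user before
# nft -f loads it with full privileges. The trap removes it on every exit path.
ruleset=$(mktemp) || exit 1
trap 'rm -f -- "$ruleset"' EXIT
iptables-restore-translate -f /etc/sysconfig/iptables-save > "$ruleset"
nft -f "$ruleset"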