#!/usr/sbin/nft -f

# Flush all existing ruleset
flush ruleset

# Define the table and chain for IPv4
table inet my_filter {
    chain input_chain {
        type filter hook input priority 0; policy accept;

        # 允許已建立和相關的連接
        ct state {established, related} accept

        # 阻止所有內網私有地址段的連接
        ip saddr 192.168.31.0/16 drop

        # 允許所有來自本地的回環地址
        iifname "lo" accept
    }
}

sudo nft flush ruleset 清除內核所有規則

sudo systemctl start nftables 加載規則

sudo nft list ruleset 查看當前規則