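#!/usr/sbin/nft -f
# Flush the existing ruleset so this file alone defines the active rules.
flush ruleset

# Table in the "inet" family: its chains see both IPv4 and IPv6 traffic
# (the "ip saddr" rule below only ever matches IPv4 packets).
table inet my_filter {
  chain input_chain {
    # Base chain on the input hook. Policy is accept, so any packet not
    # matched by a rule below is allowed in.
    # NOTE(review): confirm an accept policy is intended; with it, only the
    # single private range below is ever dropped.
    type filter hook input priority 0; policy accept;

    # Allow established and related connections.
    ct state {established, related} accept

    # Allow loopback traffic. This must come BEFORE the private-range drop:
    # a host connecting to its own LAN address also traverses "lo" with a
    # 192.168.x.y source, and the original ordering would have dropped it.
    iifname "lo" accept

    # Drop connections from the private 192.168.0.0/16 range.
    # The original spelling 192.168.31.0/16 had host bits set, which is
    # ambiguous: if a single subnet was meant, use 192.168.31.0/24 instead.
    # NOTE(review): 10.0.0.0/8 and 172.16.0.0/12 are also private ranges
    # and are not covered by this rule.
    ip saddr 192.168.0.0/16 drop
  }
}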
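# Clear every rule currently loaded in the kernel.
# Caveat: between this command and the load step below the host has no
# firewall rules at all, so run it from a console (or with a scheduled
# fallback) rather than over a remote session. The ruleset file itself
# already begins with "flush ruleset", so this step is redundant when that
# file is what the service loads next.
sudo nft flush ruleset

# Load the rules: the nftables unit loads its configured ruleset file.
# NOTE(review): the file path the unit reads is distribution-specific —
# confirm it points at the ruleset file intended here.
# To catch syntax errors before touching the kernel, check the file first:
#   sudo nft -c -f <path-to-ruleset-file>
sudo systemctl start nftables

# Show the ruleset now active in the kernel.
sudo nft list ruleset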