Copyright © 2026 LinuxLab. All rights reserved.

← from the previous lesson

You can turn names into addresses now. Next: how to keep those addresses out. We move to nftables: tables, chains, drop by port, and a pcap that shows the packet killed before it ever reached the socket.


Intermediate

Firewalling with nftables: allow, deny, inspect

15 min · this lesson is part of the "Intermediate" course

`nft` is the replacement for iptables (the older interface to the same netfilter subsystems in the kernel). On Ubuntu 22+ and Debian 12+ it is the default. Many enterprise distros still ship iptables: different syntax, same idea.

This lesson builds the basic skeleton: you create a table, the input/output chains, and allow/drop rules by port. Keep the packets visualizer open alongside so you can watch what gets blocked live.
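The skeleton described above, written as a loadable ruleset. This is an added example, not the lesson's own material; the table name `lab_filter` and the port numbers (22, 80, 443 allowed, 23 dropped) are assumptions chosen for illustration.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the lesson). Table name and ports are assumptions.

# Declare-then-delete makes reloading this file idempotent and touches
# only this table, not other rules on the host.
table inet lab_filter
delete table inet lab_filter

table inet lab_filter {
    chain input {
        # Base chain on the input hook; anything not accepted below is dropped.
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, and loopback traffic.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP/ICMPv6: needed for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Allow by port.
        tcp dport { 22, 80, 443 } accept

        # Explicit drop by port. The counter records every hit, so the drop
        # can be confirmed even though no socket ever sees the packet.
        tcp dport 23 counter drop
    }

    chain output {
        # Egress is open by default; block one port to show the same match.
        type filter hook output priority 0; policy accept;
        tcp dport 23 counter drop
    }
}
```

Load it as root with `nft -f <file>` and read the counters with `nft list table inet lab_filter`. Keep an existing SSH session open while testing, since `policy drop` on the input chain cuts off any port that is not explicitly accepted.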


next →

You can write drop rules now. Next is a related job: NAT and masquerade. It is the same netfilter machinery, but instead of "killing" the packet you "rewrite" it. This is what every home router does.
