{"id":592,"date":"2023-01-25T16:10:46","date_gmt":"2023-01-25T15:10:46","guid":{"rendered":"https:\/\/blog.exterra-services.cz\/?p=592"},"modified":"2023-01-25T17:14:24","modified_gmt":"2023-01-25T16:14:24","slug":"centos-8-iptables-umiraji-at-ziji-nftables","status":"publish","type":"post","link":"https:\/\/blog.exterra-services.cz\/index.php\/2023\/01\/25\/centos-8-iptables-umiraji-at-ziji-nftables\/","title":{"rendered":"CentOS 8: iptables are dying, long live nftables!"},"content":{"rendered":"\n<p>Many Linux administrators still like to use the proven firewall built on the iptables project. RHEL\/CentOS 7\/8 systems include <a href=\"https:\/\/linuxize.com\/post\/how-to-configure-and-manage-firewall-on-centos-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">firewalld<\/a> by default as a simple and quickly configurable solution. The catch is in the word simple. 
Another problem is that most administrators know iptables thoroughly and keep ready-made configurations for common setups, which they deploy simply by copying them into \/etc\/sysconfig\/iptables.<\/p>\n\n\n\n<p>Replacing firewalld with iptables is described in <a href=\"https:\/\/www.thegeekdiary.com\/how-to-use-iptables-instead-of-firewalld-on-centos-rhel-7-and-8\/\" target=\"_blank\" rel=\"noreferrer noopener\">this article<\/a>.<\/p>\n\n\n\n<p>For some time now, the authors of &#8220;RHEL based&#8221; distributions have been preparing us for a future that belongs to the new firewall called <a href=\"https:\/\/access.redhat.com\/documentation\/en-us\/red_hat_enterprise_linux\/8\/html\/configuring_and_managing_networking\/getting-started-with-nftables_configuring-and-managing-networking\">nftables<\/a>. They even state that it is the successor to iptables. The nftables project page: <a href=\"https:\/\/www.nftables.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/www.nftables.org\/<\/a><\/p>\n\n\n\n<p>We will quickly walk through replacing the default firewalld with the new nftables. The procedure is carried out on a CentOS 8 Stream system. 
This system also runs the fail2ban IPS sensor, so its configuration has to be switched from the original firewalld to the new nftables as well.<\/p>\n\n\n\n<p>First, we take the original firewall out of service.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[root@kerberos ~]# systemctl disable firewalld<br>Removed \/etc\/systemd\/system\/multi-user.target.wants\/firewalld.service.<br>Removed \/etc\/systemd\/system\/dbus-org.fedoraproject.FirewallD1.service.<br>[root@kerberos ~]# systemctl stop firewalld<br>[root@kerberos ~]# systemctl status firewalld<br>\u25cf firewalld.service - firewalld - dynamic firewall daemon<br>Loaded: loaded (\/usr\/lib\/systemd\/system\/firewalld.service; disabled; vendor preset: enabled)<br>Active: inactive (dead) since Wed 2023-01-25 12:37:46 CET; 5s ago<br>Docs: man:firewalld(1)<br>Process: 886 ExecStart=\/usr\/sbin\/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0\/SUCCESS)<br>Main PID: 886 (code=exited, status=0\/SUCCESS)<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">Jan 20 16:36:51 kerberos.exterra.local systemd[1]: Starting firewalld - dynamic firewall daemon\u2026<br>Jan 20 16:36:52 kerberos.exterra.local systemd[1]: Started firewalld - dynamic firewall daemon.<br>Jan 20 16:36:52 kerberos.exterra.local firewalld[886]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. 
It will be removed in a &gt;<br>Jan 25 12:37:43 kerberos.exterra.local systemd[1]: Stopping firewalld - dynamic firewall daemon\u2026<br>Jan 25 12:37:46 kerberos.exterra.local systemd[1]: firewalld.service: Succeeded.<br>Jan 25 12:37:46 kerberos.exterra.local systemd[1]: Stopped firewalld - dynamic firewall daemon.<\/pre>\n\n\n\n<p>Next we install nftables (it was already present on our system, so the output is only illustrative).<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[root@kerberos ~]# dnf install nftables<br>Last metadata expiration check: 1:06:31 ago on Wed 25 Jan 2023 11:32:12 AM CET.<br>Package nftables-1:0.9.3-26.el8.x86_64 is already installed.<br>Dependencies resolved.<br>Nothing to do.<br>Complete!<\/pre>\n\n\n\n<p>Now we enable the firewall to start at system boot.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[root@kerberos ~]# systemctl enable nftables\nCreated symlink \/etc\/systemd\/system\/multi-user.target.wants\/nftables.service \u2192 \/usr\/lib\/systemd\/system\/nftables.service.\n[root@kerberos ~]# systemctl start nftables\n[root@kerberos ~]# systemctl status nftables\n\u25cf nftables.service - Netfilter Tables\nLoaded: loaded (\/usr\/lib\/systemd\/system\/nftables.service; enabled; vendor preset: disabled)\nActive: active (exited) since Wed 2023-01-25 12:41:11 CET; 5s ago\nDocs: man:nft(8)\nProcess: 212802 ExecStart=\/sbin\/nft -f \/etc\/sysconfig\/nftables.conf (code=exited, status=0\/SUCCESS)\nMain PID: 212802 (code=exited, status=0\/SUCCESS)\nJan 25 12:41:11 kerberos.exterra.local systemd[1]: Starting Netfilter Tables\u2026\nJan 25 12:41:11 kerberos.exterra.local systemd[1]: Started Netfilter Tables.<\/pre>\n\n\n\n<p>nftables is now running but filters nothing, which is a very unsatisfactory state. 
Here are the configuration files:<\/p>\n\n\n\n<p>\/etc\/sysconfig\/nftables.conf: uncomment the line <strong>include &quot;\/etc\/nftables\/main.nft&quot;<\/strong> in this file<\/p>\n\n\n\n<p>As the above shows, the other configuration files are in the \/etc\/nftables directory. The file that matters for our example is \/etc\/nftables\/main.nft.<\/p>\n\n\n\n<p>In our example we allow the SSH (TCP\/22), Cockpit (TCP\/9090) and Webmin (TCP\/10000) services from any IP address. For monitoring via SNMP (TCP\/161 and UDP\/161) and the Centreon system (a Nagios-based system; the NRPE agent listens on TCP\/5666) we allow access only from the single IP address of our monitoring system.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Sample configuration for nftables service.\n# Load this by calling 'nft -f \/etc\/nftables\/main.nft'.\n\n# Note about base chain priorities:\n# The priority values used in these sample configs are\n# offset by 20 in order to avoid ambiguity when firewalld\n# is also running which uses an offset of 10. 
This means\n# that packets will traverse firewalld first and if not\n# dropped\/rejected there will hit the chains defined here.\n# Chains created by iptables, ebtables and arptables tools\n# do not use an offset, so those chains are traversed first\n# in any case.\n\n# drop any existing nftables ruleset\nflush ruleset\n\n# a common table for both IPv4 and IPv6\ntable inet nftables_svc {\n\n        # protocols to allow\n        set allowed_protocols {\n                type inet_proto\n                elements = { icmp, icmpv6 }\n        }\n\n        # interfaces to accept any traffic on\n        set allowed_interfaces {\n                type ifname\n                elements = { \"lo\" }\n        }\n\n        # services to allow\n        set allowed_tcp_dports {\n                type inet_service\n                elements = { ssh, 9090, 10000 }\n        }\n\n        # mgmt udp services to allow\n        set allowed_mgmt_udp_dports {\n                type inet_service\n                elements = { snmp }\n        }\n\n        # mgmt tcp services to allow\n        set allowed_mgmt_tcp_dports {\n                type inet_service\n                elements = { nrpe }\n        }\n\n        # this chain gathers all accept conditions\n        chain allow {\n                ct state established,related accept\n\n                meta l4proto @allowed_protocols accept\n                iifname @allowed_interfaces accept\n                tcp dport @allowed_tcp_dports accept\n                udp dport @allowed_mgmt_udp_dports ip saddr 192.168.xx.yy accept\n                tcp dport @allowed_mgmt_tcp_dports ip saddr 192.168.xx.yy accept\n        }\n\n        # base-chain for traffic to this host\n        chain INPUT {\n                type filter hook input priority filter + 20\n                policy accept\n\n                jump allow\n                reject with icmpx type port-unreachable\n        }\n}\n\n# By default, any forwarding traffic is allowed.\n# Uncomment the 
following line to filter it based\n# on the same criteria as input traffic.\n#include \"\/etc\/nftables\/router.nft\"\n\n# Uncomment the following line to enable masquerading of\n# forwarded traffic. May be used with or without router.nft.\n#include \"\/etc\/nftables\/nat.nft\"\n<\/code><\/pre>\n\n\n\n<p>Now load the configuration with the command &#8220;systemctl restart nftables&#8221;. Then list the running configuration with the command &#8220;nft list ruleset&#8221;.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@nyx jail.d]# nft list ruleset\ntable inet nftables_svc {\n        set allowed_protocols {\n                type inet_proto\n                elements = { icmp, ipv6-icmp }\n        }\n\n        set allowed_interfaces {\n                type ifname\n                elements = { \"lo\" }\n        }\n\n        set allowed_tcp_dports {\n                type inet_service\n                elements = { 22, 9090, 10000 }\n        }\n\n        set allowed_mgmt_udp_dports {\n                type inet_service\n                elements = { 161 }\n        }\n\n        set allowed_mgmt_tcp_dports {\n                type inet_service\n                elements = { 5666 }\n        }\n\n        chain allow {\n                ct state established,related accept\n                meta l4proto @allowed_protocols accept\n                iifname @allowed_interfaces accept\n                tcp dport @allowed_tcp_dports accept\n                udp dport @allowed_mgmt_udp_dports ip saddr 192.168.xx.yy accept\n                tcp dport @allowed_mgmt_tcp_dports ip saddr 192.168.xx.yy accept\n        }\n\n        chain INPUT {\n                type filter hook input priority 20; policy accept;\n                jump allow\n                reject\n        }\n}\n<\/code><\/pre>\n\n\n\n<p>Finally, we have to adjust the existing configuration of the fail2ban IPS sensor. 
Edit the file \/etc\/fail2ban\/jail.d\/00-firewalld.conf so that it reads as follows:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># This file is part of the fail2ban-firewalld package to configure the use of\n# the firewalld actions as the default actions.  You can remove this package\n# (along with the empty fail2ban meta-package) if you do not use firewalld\n&#91;DEFAULT]\n# banaction = firewallcmd-rich-rules&#91;actiontype=&lt;multiport&gt;]\n# banaction_allports = firewallcmd-rich-rules&#91;actiontype=&lt;allports&gt;]\nbanaction = nftables-multiport\nbanaction_allports = nftables-allports\n<\/code><\/pre>\n\n\n\n<p>Now restart fail2ban and the related nftables with &#8220;systemctl restart nftables fail2ban&#8221;.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&#91;root@nyx jail.d]# systemctl restart fail2ban nftables\n&#91;root@nyx jail.d]# systemctl status fail2ban nftables\n\u25cf fail2ban.service - Fail2Ban Service\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/fail2ban.service; enabled; vendor preset: disabled)\n   Active: active (running) since Wed 2023-01-25 15:24:12 CET; 5s ago\n     Docs: man:fail2ban(1)\n  Process: 46171 ExecStop=\/usr\/bin\/fail2ban-client stop (code=exited, status=0\/SUCCESS)\n  Process: 46179 ExecStartPre=\/bin\/mkdir -p \/run\/fail2ban (code=exited, status=0\/SUCCESS)\n Main PID: 46181 (fail2ban-server)\n    Tasks: 5 (limit: 11137)\n   Memory: 18.2M\n   CGroup: \/system.slice\/fail2ban.service\n           \u2514\u250046181 \/usr\/bin\/python3.6 -s \/usr\/bin\/fail2ban-server -xf start\n\nJan 25 15:24:12 nyx.exterra.local systemd&#91;1]: Starting Fail2Ban Service...\nJan 25 15:24:12 nyx.exterra.local systemd&#91;1]: Started Fail2Ban Service.\nJan 25 15:24:12 nyx.exterra.local fail2ban-server&#91;46181]: Server ready\n\n\u25cf nftables.service - Netfilter Tables\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/nftables.service; enabled; vendor preset: disabled)\n   Active: active (exited) 
since Wed 2023-01-25 15:24:12 CET; 5s ago\n     Docs: man:nft(8)\n  Process: 46173 ExecStop=\/sbin\/nft flush ruleset (code=exited, status=0\/SUCCESS)\n  Process: 46177 ExecStart=\/sbin\/nft -f \/etc\/sysconfig\/nftables.conf (code=exited, status=0\/SUCCESS)\n Main PID: 46177 (code=exited, status=0\/SUCCESS)\n    Tasks: 0 (limit: 11137)\n   Memory: 0B\n   CGroup: \/system.slice\/nftables.service\n\nJan 25 15:24:12 nyx.exterra.local systemd&#91;1]: nftables.service: Succeeded.\nJan 25 15:24:12 nyx.exterra.local systemd&#91;1]: Stopped Netfilter Tables.\nJan 25 15:24:12 nyx.exterra.local systemd&#91;1]: Starting Netfilter Tables...\nJan 25 15:24:12 nyx.exterra.local systemd&#91;1]: Started Netfilter Tables.\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Many Linux administrators still like to use the proven firewall built on the iptables project. RHEL\/CentOS 7\/8 systems include firewalld by default as a simple and quickly configurable solution. The catch is in the word simple. Another problem is that most administrators know iptables thoroughly and keep ready-made configurations for common setups, which they deploy simply by copying them into \/etc\/sysconfig\/iptables. 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","categories":[5],"tags":[],"yoast_head_json":{"og_site_name":"Coffeespot","article_published_time":"2023-01-25T15:10:46+00:00","article_modified_time":"2023-01-25T16:14:24+00:00","author":"Petr \u0160antr\u016f\u010dek"}}