Nftables Nameserver
Stand 16.07.2023
#!/usr/sbin/nft -f
# Loaded with "nft -f": the whole file is applied atomically.
# "flush ruleset" deletes every table of every family first, including
# tables that were not created by this file, so nothing else may keep
# rules on this host.
flush ruleset
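table inet filter {
    # Public addresses of the other servers that may reach sshd on this host.
    set server_addresses_ip4 {
        type ipv4_addr
        flags constant
        elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 }
    }

    # Internal/VPN networks that get ssh, mysql and unrestricted forwarding.
    # "interval" + "auto-merge" allows prefixes and the 10.8.4.0-10.8.8.255 range to mix.
    set internal_networks_ip4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.2.0.0/24, 10.3.0.0/24, 10.0.0.0/24, 10.8.4.0-10.8.8.255 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # established/related connections
        ct state established,related accept;
        # packets conntrack cannot associate with any connection (malformed or
        # out-of-window) must not fall through to the port-based accepts below
        ct state invalid drop;
        # loopback interface
        iifname lo accept;

        # icmp (ping) -- IPv4 only. This is an inet table but no icmpv6 rule
        # exists, so IPv6 neighbour discovery and ping are dropped by policy.
        # NOTE(review): harmless if the host carries no IPv6 -- confirm.
        iifname "wlan0" icmp type echo-request accept;
        iifname "tun0" icmp type echo-request accept;
        iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;

        # open sshd (22) for internal networks only
        # (established traffic was accepted above, so the log fires once per new connection)
        tcp dport { ssh } ip saddr @internal_networks_ip4 log prefix "New SSH internal connection: " accept comment "accept SSH from internal networks"
        # open sshd (22) for all my other servers
        tcp dport { ssh } ip saddr @server_addresses_ip4 log prefix "New SSH server connection: " accept comment "accept SSH from my other servers"

        # open tcp ports: http (80), https (443)
        tcp dport { http, https } accept;
        # open udp ports: domain (53), openvpn (1194)
        # NOTE(review): only UDP 53 is open; DNS over TCP (RFC 7766, needed for
        # large answers and zone transfers) is unreachable from outside -- confirm
        # that is intended for a nameserver.
        udp dport { domain, openvpn } accept;
        # mysql (3306) -- @th,16,16 reads the destination port straight from the
        # transport header so one rule covers both tcp and udp
        meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
        # iperf (5201) -- reachable from any source; an exposed iperf server can be
        # used to burn bandwidth. Restrict to @internal_networks_ip4 unless external
        # measurements are needed.
        tcp dport { 5201 } accept;

        # oscam (40000): the nat prerouting chain rewrites this port to 10.0.0.171
        # before input is evaluated, so new OSCam connections traverse the forward
        # chain instead. This rule (and its log) only matters for traffic that was
        # not DNATed; the forward chain logs the forwarded connections.
        tcp dport { 40000 } log prefix "New OSCam connection: " accept;

        #counter log prefix "nft.dropinput: " comment "count dropped packets";
        # everything else is counted and then dropped by the chain policy
        counter comment "count dropped packets";
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop;
        # anything originating in the internal networks may be routed anywhere
        ip saddr @internal_networks_ip4 accept;
        # VPN clients may be routed anywhere, including into the internal networks
        iifname "tun0" accept;
        # replies for connections initiated towards wlan0/eth0
        iifname "wlan0" oifname "tun0" ct state related,established accept;
        iifname "eth0" ct state related,established accept;
        # oscam port forward: only connections the nat prerouting chain actually
        # DNATed to 10.0.0.171 are let through; they are logged here because the
        # input chain never sees them
        ip daddr 10.0.0.171 tcp dport { 40000 } ct status dnat log prefix "New OSCam connection: " accept;
    }

    chain output {
        # locally generated traffic is not filtered
        type filter hook output priority 0; policy accept;
    }
}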
# NAT
table ip nat {
    # Destination NAT: the first packet of every new connection passes here.
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # OSCam port forward to the internal host.
        # NOTE(review): no iifname or ip daddr constraint -- every new TCP
        # connection to port 40000 that enters this host, on any interface and
        # for any destination (including forwarded LAN/VPN traffic bound for the
        # internet), is redirected to 10.0.0.171. The 19.06.2022 revision limited
        # this to eth0; confirm whether the wider match is intended.
        tcp dport 40000 dnat 10.0.0.171:40000;
    }

    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # VPN clients leaving via the WLAN uplink
        oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
        # VPN clients and the wired LAN leaving via eth0
        oifname "eth0" ip saddr { 10.8.5.0/24, 10.0.0.0/24 } masquerade;
    }
}
Stand 25.06.2022
#!/usr/sbin/nft -f
# Revision of 25.06.2022. "flush ruleset" deletes every table of every
# family, including tables not defined in this file.
flush ruleset
table inet filter {
    # other servers allowed to reach sshd
    set server_addresses_ip4 {
        type ipv4_addr
        flags constant
        elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 }
    }
    # internal/VPN networks: ssh, mysql and unrestricted forwarding
    set internal_networks_ip4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        # established/related connections
        ct state established,related accept;
        # NOTE(review): no "ct state invalid drop" -- invalid packets fall
        # through to the port-based accepts below
        # loopback interface
        iifname lo accept;
        # icmp (ping) -- IPv4 only, no icmpv6 rule in this inet table
        iifname "wlan0" icmp type echo-request accept;
        iifname "tun0" icmp type echo-request accept;
        iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
        # open sshd (22) for internal networks only
        tcp dport { ssh } ip saddr @internal_networks_ip4 log prefix "New SSH internal connection: " accept comment "accept SSH from internal networks"
        # open sshd (22) for all my other servers
        tcp dport { ssh } ip saddr @server_addresses_ip4 log prefix "New SSH server connection: " accept comment "accept SSH from my other servers"
        # open tcp ports: http (80), https (443)
        tcp dport { http, https } accept;
        # open udp ports: domain (53), openvpn (1194) -- DNS over TCP is not opened
        udp dport { domain, openvpn } accept;
        # mysql (3306) -- @th,16,16 is the transport-header destination port, covers tcp and udp
        meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
        # iperf (5201) -- open to any source
        tcp dport { 5201 } accept;
        # oscam -- the nat prerouting DNAT below redirects port 40000 before input
        # runs, so forwarded OSCam connections never reach this rule or its log
        tcp dport { 40000 } log prefix "New OSCam connection: " accept;
        #counter log prefix "nft.dropinput: " comment "count dropped packets";
        counter comment "count dropped packets";
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ip saddr @internal_networks_ip4 accept;
        iifname "wlan0" oifname "tun0" ct state related,established accept;
        iifname "eth0" ct state related,established accept;
        # DNATed OSCam traffic is accepted here, without logging
        tcp dport { 40000 } accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# NAT
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
        # OSCam port forward; matches on any interface and any destination address
        tcp dport 40000 dnat 10.0.0.171:40000;
    }
    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
    }
}
Stand 19.06.2022
#!/usr/sbin/nft -f
# Revision of 19.06.2022. "flush ruleset" deletes every table of every
# family, including tables not defined in this file.
flush ruleset
table inet filter {
    # other servers allowed to reach sshd
    set server_addresses_ip4 {
        type ipv4_addr
        flags constant
        elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 }
    }
    # internal/VPN networks: ssh, mysql and unrestricted forwarding
    set internal_networks_ip4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        # established/related connections
        ct state established,related accept;
        # loopback interface
        iifname lo accept;
        # icmp (ping) -- IPv4 only, no icmpv6 rule in this inet table
        iifname "wlan0" icmp type echo-request accept;
        iifname "tun0" icmp type echo-request accept;
        iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
        # open sshd (22) for internal networks only (no logging in this revision)
        tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
        # open sshd (22) for all my other servers
        tcp dport { ssh } ip saddr @server_addresses_ip4 accept comment "accept SSH from my other servers"
        # open tcp ports: http (80), https (443)
        tcp dport { http, https } accept;
        # open udp ports: domain (53), openvpn (1194)
        udp dport { domain, openvpn } accept;
        # mysql (3306)
        meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
        # iperf (5201)
        tcp dport { 5201 } accept;
        counter comment "count dropped packets"
        #log
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ip saddr @internal_networks_ip4 accept;
        iifname "wlan0" oifname "tun0" ct state related,established accept;
        iifname "eth0" oifname "tun0" ct state related,established accept;
        iifname "eth0" oifname "wlan0" ct state related,established accept;
        # NOTE(review): dnat is a NAT statement and is only valid in a chain of
        # type nat (prerouting/output); in this filter-type forward chain nft
        # rejects the rule. The 25.06.2022 revision moved it to nat prerouting.
        iifname "eth0" tcp dport 40000 dnat 10.0.0.171:40000;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# NAT
table ip nat {
    # empty in this revision; the (misplaced) DNAT lives in the filter forward chain
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
    }
}
Stand 22.09.2021
#!/usr/sbin/nft -f
# Revision of 22.09.2021. "flush ruleset" deletes every table of every
# family, including tables not defined in this file.
flush ruleset
table inet filter {
    # other servers allowed to reach sshd
    set server_addresses_ip4 {
        type ipv4_addr
        flags constant
        elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 }
    }
    # internal/VPN networks: ssh, mysql and unrestricted forwarding
    set internal_networks_ip4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        # established/related connections
        ct state established,related accept;
        # loopback interface
        iifname lo accept;
        # icmp (ping) -- IPv4 only, no icmpv6 rule in this inet table
        iifname "wlan0" icmp type echo-request accept;
        iifname "tun0" icmp type echo-request accept;
        iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
        # open sshd (22) for internal networks only
        tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
        # open sshd (22) for all my other servers
        tcp dport { ssh } ip saddr @server_addresses_ip4 accept comment "accept SSH from my other servers"
        # open tcp ports: http (80), https (443)
        tcp dport { http, https } accept;
        # open udp ports: domain (53), openvpn (1194)
        udp dport { domain, openvpn } accept;
        # mysql (3306) -- @th,16,16 is the transport-header destination port, covers tcp and udp
        meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
        # iperf (5201) -- open to any source
        tcp dport { 5201 } accept;
        # everything else is counted, then dropped by the chain policy
        counter comment "count dropped packets"
        #log
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ip saddr @internal_networks_ip4 accept;
        # replies only, per interface pair
        iifname "wlan0" oifname "tun0" ct state related,established accept;
        iifname "eth0" oifname "tun0" ct state related,established accept;
        iifname "eth0" oifname "wlan0" ct state related,established accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# NAT
table ip nat {
    # no destination NAT in this revision
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
    }
}
Stand 17.08.2020
#!/usr/sbin/nft -f
# Revision of 17.08.2020. "flush ruleset" deletes every table of every
# family, including tables not defined in this file.
flush ruleset
table inet filter {
    # internal/VPN networks: ssh, mysql and unrestricted forwarding
    # (no server_addresses_ip4 set yet in this revision)
    set internal_networks_ip4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        # established/related connections
        ct state established,related accept;
        # loopback interface
        iifname lo accept;
        # icmp (ping) -- IPv4 only, no icmpv6 rule in this inet table
        iifname "wlan0" icmp type echo-request accept;
        iifname "tun0" icmp type echo-request accept;
        iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
        # open sshd (22) for internal networks only
        tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
        # open tcp ports: http (80), https (443)
        tcp dport { http, https } accept;
        # open udp ports: domain (53), openvpn (1194)
        udp dport { domain, openvpn } accept;
        # mysql (3306) -- @th,16,16 is the transport-header destination port, covers tcp and udp
        meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
        # everything else is counted, then dropped by the chain policy
        counter comment "count dropped packets"
        #log
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ip saddr @internal_networks_ip4 accept;
        # replies only, per interface pair
        iifname "wlan0" oifname "tun0" ct state related,established accept;
        iifname "eth0" oifname "tun0" ct state related,established accept;
        iifname "eth0" oifname "wlan0" ct state related,established accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# NAT
table ip nat {
    # no destination NAT in this revision
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
    }
}
Stand 17.04.2020
#!/usr/sbin/nft -f
# Revision of 17.04.2020. "flush ruleset" deletes every table of every
# family, including tables not defined in this file.
flush ruleset
table inet filter {
    # internal/VPN networks: ssh, mysql and unrestricted forwarding
    set internal_networks_ip4 {
        type ipv4_addr
        flags interval
        auto-merge
        elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        # established/related connections
        ct state established,related accept;
        # loopback interface
        iifname lo accept;
        # icmp (ping) -- IPv4 only, no icmpv6 rule in this inet table
        iifname "wlan0" icmp type echo-request accept;
        iifname "tun0" icmp type echo-request accept;
        iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
        # open sshd (22) for internal networks only
        tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
        # open tcp ports: http (80), https (443)
        tcp dport { http, https } accept;
        # open udp ports: domain (53), openvpn (1194)
        udp dport { domain, openvpn } accept;
        # mysql (3306) -- @th,16,16 is the transport-header destination port, covers tcp and udp
        meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
        # everything else is counted, then dropped by the chain policy
        counter comment "count dropped packets"
        #log
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ip saddr @internal_networks_ip4 accept;
        # replies only, towards the VPN interface
        iifname "wlan0" oifname "tun0" ct state related,established accept;
        iifname "eth0" oifname "tun0" ct state related,established accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
# NAT
table ip nat {
    # no destination NAT in this revision
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # only the VPN client network is masqueraded in this revision
        oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
        oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
    }
}