Nftables Router Hofstetten: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (Eine dazwischenliegende Version desselben Benutzers wird nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
== Stand 03.11.2023 == | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
# firewall | |||
table ip filter { | |||
# allow all packets sent by the firewall machine itself | |||
chain output { | |||
type filter hook output priority 100; policy accept; | |||
} | |||
# allow LAN to firewall, disallow WAN to firewall | |||
chain input { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept; | |||
# loopback interface | |||
iifname lo accept; | |||
iifname "eth0" accept; | |||
# icmp (ping) | |||
icmp type echo-request accept; | |||
# open tcp ports: http (80), https (443) | |||
tcp dport { http, https, 8080, 8090 } accept; | |||
# open udp ports: domain (53), openvpn (1194), openvpn (1195) | |||
udp dport { domain, openvpn, 1195 } accept; | |||
# open sshd (22) | |||
tcp dport { ssh } accept; | |||
} | |||
# allow packets from LAN to WAN and WAN to LAN | |||
chain forward { | |||
type filter hook forward priority 0; policy accept; | |||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" masquerade | |||
} | |||
} | |||
</pre> | |||
== Stand 09.04.2023 == | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
# firewall | |||
table ip filter { | |||
# allow all packets sent by the firewall machine itself | |||
chain output { | |||
type filter hook output priority 100; policy accept; | |||
} | |||
# allow LAN to firewall, disallow WAN to firewall | |||
chain input { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept; | |||
# loopback interface | |||
iifname lo accept; | |||
iifname "eth0" accept; | |||
# icmp (ping) | |||
icmp type echo-request accept; | |||
# open tcp ports: http (80), https (443) | |||
tcp dport { http, https, 8080, 8090 } accept; | |||
# open udp ports: domain (53), openvpn (1194), openvpn (1195) | |||
udp dport { domain, openvpn, 1195 } accept; | |||
# open sshd (22) | |||
tcp dport { ssh } accept; | |||
} | |||
# allow packets from LAN to WAN and WAN to LAN | |||
chain forward { | |||
type filter hook forward priority 0; policy accept; | |||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
# redirect port 81 to port 80 at 10.1.0.150 | |||
iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80; | |||
iifname "tun0" tcp dport 81 dnat 10.1.0.150:80; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" masquerade | |||
} | |||
} | |||
</pre> | |||
== Stand 21.05.2022 == | == Stand 21.05.2022 == | ||
Aktuelle Version vom 3. November 2023, 10:48 Uhr
Stand 03.11.2023
#!/usr/sbin/nft -f
flush ruleset
# firewall
table ip filter {
# allow all packets sent by the firewall machine itself
chain output {
type filter hook output priority 100; policy accept;
}
# allow LAN to firewall, disallow WAN to firewall
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
iifname "eth0" accept;
# icmp (ping)
icmp type echo-request accept;
# open tcp ports: http (80), https (443)
tcp dport { http, https, 8080, 8090 } accept;
# open udp ports: domain (53), openvpn (1194), openvpn (1195)
udp dport { domain, openvpn, 1195 } accept;
# open sshd (22)
tcp dport { ssh } accept;
}
# allow packets from LAN to WAN and WAN to LAN
chain forward {
type filter hook forward priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" masquerade
}
}
Stand 09.04.2023
#!/usr/sbin/nft -f
flush ruleset
# firewall
table ip filter {
# allow all packets sent by the firewall machine itself
chain output {
type filter hook output priority 100; policy accept;
}
# allow LAN to firewall, disallow WAN to firewall
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
iifname "eth0" accept;
# icmp (ping)
icmp type echo-request accept;
# open tcp ports: http (80), https (443)
tcp dport { http, https, 8080, 8090 } accept;
# open udp ports: domain (53), openvpn (1194), openvpn (1195)
udp dport { domain, openvpn, 1195 } accept;
# open sshd (22)
tcp dport { ssh } accept;
}
# allow packets from LAN to WAN and WAN to LAN
chain forward {
type filter hook forward priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
# redirect port 81 to port 80 at 10.1.0.150
iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80;
iifname "tun0" tcp dport 81 dnat 10.1.0.150:80;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" masquerade
}
}
Stand 21.05.2022
#!/usr/sbin/nft -f
flush ruleset
# firewall
table ip filter {
# allow all packets sent by the firewall machine itself
chain output {
type filter hook output priority 100; policy accept;
}
# allow LAN to firewall, disallow WAN to firewall
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
iifname "eth0" accept;
# open tcp ports: http (80), https (443)
tcp dport { http, https } accept;
# open udp ports: domain (53), openvpn (1194), openvpn (1195)
udp dport { domain, openvpn, 1195 } accept;
# open sshd (22)
tcp dport { ssh } accept;
}
# allow packets from LAN to WAN and WAN to LAN
chain forward {
type filter hook forward priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
# redirect port 81 to port 80 at 10.1.0.150
iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80;
iifname "tun0" tcp dport 81 dnat 10.1.0.150:80;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" masquerade
}
}
Stand 07.06.2020
#!/usr/sbin/nft -f
flush ruleset
# firewall
table ip filter {
# allow all packets sent by the firewall machine itself
chain output {
type filter hook output priority 100; policy accept;
}
# allow LAN to firewall, disallow WAN to firewall
chain input {
type filter hook input priority 0; policy accept;
iifname "eth0" accept
# iifname "wlan0" drop
iifname "wlan0" accept
iifname "tun0" accept
}
# allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
chain forward {
# type filter hook forward priority 0; policy drop;
type filter hook forward priority 0; policy accept;
# iifname "eth0" oifname "wlan0" accept
# iifname "wlan0" oifname "eth0" ct state related,established accept
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
# redirect port 81 to port 80 at 10.1.0.150
iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80;
iifname "tun0" tcp dport 81 dnat 10.1.0.150:80;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" masquerade
}
}
Zurück zu nftables