Nftables Testserver: Unterschied zwischen den Versionen

Schnittstellen

LAN: "wlan0" / "10.2.0.99"

OpenVPN: "tun0" / "10.9.2.1"

Stand 10.04.2020

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 10.2.0.0/24, 10.0.0.0/24, 10.9.2.0/24 }
  }

  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept;

    # loopback interface
    iifname lo accept;

    # icmp (ping)
    iifname "wlan0" icmp type echo-request accept;
    iifname "tun0" icmp type echo-request accept;
    iifname "eth0" ip daddr { 10.3.0.1 } icmp type echo-request accept;

    # open sshd (22) for internal networks only
    tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"

    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;

    # open udp ports: domain (53), openvpn (1194)
    udp dport { domain, openvpn } accept;

    # dhcp ports: bootps (67)
    udp dport { bootps } accept;

    # mysql (3306)
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";

    #log
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    
    ip saddr @internal_networks_ip4 accept;
    iifname "wlan0" oifname "tun0" ct state related,established accept;

    #log
  }

  chain output {
    type filter hook output priority 100; policy accept;
  }
}

# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" ip saddr 10.9.2.0/24 masquerade;
  }
}

Zurück zu nftables