Nftables Router Hofstetten: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 1: | Zeile 1: | ||
== Stand | == Stand 07.06.2020 == | ||
<pre> | <pre> | ||
| Zeile 19: | Zeile 19: | ||
# iifname "wlan0" drop | # iifname "wlan0" drop | ||
iifname "wlan0" accept | iifname "wlan0" accept | ||
iifname "tun0" accept | |||
} | } | ||
| Zeile 36: | Zeile 37: | ||
# redirect port 81 to port 80 at 10.1.0.150 | # redirect port 81 to port 80 at 10.1.0.150 | ||
iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80; | |||
iifname "tun0" tcp dport 81 dnat 10.1.0.150:80; | |||
} | } | ||
Version vom 7. Juni 2020, 16:27 Uhr
Stand 07.06.2020
#!/usr/sbin/nft -f
flush ruleset
# firewall
table ip filter {
# allow all packets sent by the firewall machine itself
chain output {
type filter hook output priority 100; policy accept;
}
# allow LAN to firewall, disallow WAN to firewall
chain input {
type filter hook input priority 0; policy accept;
iifname "eth0" accept
# iifname "wlan0" drop
iifname "wlan0" accept
iifname "tun0" accept
}
# allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
chain forward {
# type filter hook forward priority 0; policy drop;
type filter hook forward priority 0; policy accept;
# iifname "eth0" oifname "wlan0" accept
# iifname "wlan0" oifname "eth0" ct state related,established accept
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
# redirect port 81 to port 80 at 10.1.0.150
iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80;
iifname "tun0" tcp dport 81 dnat 10.1.0.150:80;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" masquerade
}
}
Zurück zu nftables