Nftables Router Hofstetten: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| Zeile 1: | Zeile 1: | ||
== Stand 10.04.2020 == | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
# firewall | |||
table ip filter { | |||
# allow all packets sent by the firewall machine itself | |||
chain output { | |||
type filter hook output priority 100; policy accept; | |||
} | |||
# allow LAN to firewall, disallow WAN to firewall | |||
chain input { | |||
type filter hook input priority 0; policy accept; | |||
iifname "eth0" accept | |||
# iifname "wlan0" drop | |||
iifname "wlan0" accept | |||
} | |||
# allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection | |||
chain forward { | |||
# type filter hook forward priority 0; policy drop; | |||
type filter hook forward priority 0; policy accept; | |||
# iifname "eth0" oifname "wlan0" accept | |||
# iifname "wlan0" oifname "eth0" ct state related,established accept | |||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
# redirect port 81 to port 80 at 10.1.0.150 | |||
iif wlan0 tcp dport 81 dnat 10.1.0.150:80; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" masquerade | |||
} | |||
} | |||
</pre> | |||
Zurück zu [[Nftables_(Linux)#Beispielkonfigurationen|nftables]] | Zurück zu [[Nftables_(Linux)#Beispielkonfigurationen|nftables]] | ||
Version vom 10. April 2020, 12:17 Uhr
Stand 10.04.2020
#!/usr/sbin/nft -f
flush ruleset
# firewall
table ip filter {
# allow all packets sent by the firewall machine itself
chain output {
type filter hook output priority 100; policy accept;
}
# allow LAN to firewall, disallow WAN to firewall
chain input {
type filter hook input priority 0; policy accept;
iifname "eth0" accept
# iifname "wlan0" drop
iifname "wlan0" accept
}
# allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
chain forward {
# type filter hook forward priority 0; policy drop;
type filter hook forward priority 0; policy accept;
# iifname "eth0" oifname "wlan0" accept
# iifname "wlan0" oifname "eth0" ct state related,established accept
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
# redirect port 81 to port 80 at 10.1.0.150
iif wlan0 tcp dport 81 dnat 10.1.0.150:80;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" masquerade
}
}
Zurück zu nftables