Nftables Mailserver: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
Zeile 2: | Zeile 2: | ||
== Stand | == Stand 17.04.2020 == | ||
<pre> | <pre> | ||
Zeile 8: | Zeile 8: | ||
flush ruleset | flush ruleset | ||
include "/etc/nftables/fail2ban.conf" | |||
table inet filter { | table inet filter { | ||
Zeile 27: | Zeile 29: | ||
# icmp (ping) | # icmp (ping) | ||
icmp type echo-request accept; | iifname "wlan0" icmp type echo-request accept; | ||
iifname "tun0" icmp type echo-request accept; | |||
iifname "eth0" ip daddr { 212.186.198.11 } icmp type echo-request accept; | |||
# open sshd (22) for internal networks only | # open sshd (22) for internal networks only | ||
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks" | tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks" | ||
# open tcp ports: http (80), https (443) | # open tcp ports: http (80), https (443) | ||
Zeile 47: | Zeile 50: | ||
counter comment "count dropped packets" | counter comment "count dropped packets" | ||
#log | |||
} | } | ||
Zeile 52: | Zeile 56: | ||
chain forward { | chain forward { | ||
type filter hook forward priority 0; policy drop; | type filter hook forward priority 0; policy drop; | ||
ip saddr @internal_networks_ip4 accept; | |||
iifname "wlan0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" oifname "tun0" ct state related,established accept; | |||
} | } | ||
chain output { | chain output { | ||
type filter hook output priority 0; policy accept; | type filter hook output priority 0; policy accept; | ||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" ip saddr 10.8.4.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.8.4.0/24 masquerade; | |||
} | } | ||
} | } |
Version vom 17. April 2020, 18:10 Uhr
Noch in Bearbeitung
Stand 17.04.2020
#!/usr/sbin/nft -f flush ruleset include "/etc/nftables/fail2ban.conf" table inet filter { set internal_networks_ip4 { type ipv4_addr flags interval auto-merge elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.4.0/24 } } chain input { type filter hook input priority 0; policy drop; # established/related connections ct state established,related accept; # loopback interface iifname lo accept; # icmp (ping) iifname "wlan0" icmp type echo-request accept; iifname "tun0" icmp type echo-request accept; iifname "eth0" ip daddr { 212.186.198.11 } icmp type echo-request accept; # open sshd (22) for internal networks only tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks" # open tcp ports: http (80), https (443) tcp dport { http, https } accept; # open udp ports: domain (53), openvpn (1194) udp dport { domain, openvpn } accept; # mail ports: pop3 (143), imap (110), submission (SMTP/587), smtp (25), doveadm (47111) tcp dport { pop3, imap2, submission, smtp, 47111 } accept; udp dport { imap2 } accept; # mysql (3306) meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"; counter comment "count dropped packets" #log } chain forward { type filter hook forward priority 0; policy drop; ip saddr @internal_networks_ip4 accept; iifname "wlan0" oifname "tun0" ct state related,established accept; iifname "eth0" oifname "tun0" ct state related,established accept; } chain output { type filter hook output priority 0; policy accept; } } # NAT table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; } # for all packets to WAN, after routing, replace source address with primary IP of WAN interface chain postrouting { type nat hook postrouting priority 100; policy accept; oifname "wlan0" ip saddr 10.8.4.0/24 masquerade; oifname "eth0" ip saddr 10.8.4.0/24 masquerade; } }
Zurück zu nftables