Nftables Router Hofstetten
Version vom 3. November 2023, 10:48 Uhr von Martin Kirner (Diskussion | Beiträge)
Stand 03.11.2023
#!/usr/sbin/nft -f flush ruleset # firewall table ip filter { # allow all packets sent by the firewall machine itself chain output { type filter hook output priority 100; policy accept; } # allow LAN to firewall, disallow WAN to firewall chain input { type filter hook input priority 0; policy drop; # established/related connections ct state established,related accept; # loopback interface iifname lo accept; iifname "eth0" accept; # icmp (ping) icmp type echo-request accept; # open tcp ports: http (80), https (443) tcp dport { http, https, 8080, 8090 } accept; # open udp ports: domain (53), openvpn (1194), openvpn (1195) udp dport { domain, openvpn, 1195 } accept; # open sshd (22) tcp dport { ssh } accept; } # allow packets from LAN to WAN and WAN to LAN chain forward { type filter hook forward priority 0; policy accept; } } # NAT table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; } # for all packets to WAN, after routing, replace source address with primary IP of WAN interface chain postrouting { type nat hook postrouting priority 100; policy accept; oifname "wlan0" masquerade } }
Stand 09.04.2023
#!/usr/sbin/nft -f flush ruleset # firewall table ip filter { # allow all packets sent by the firewall machine itself chain output { type filter hook output priority 100; policy accept; } # allow LAN to firewall, disallow WAN to firewall chain input { type filter hook input priority 0; policy drop; # established/related connections ct state established,related accept; # loopback interface iifname lo accept; iifname "eth0" accept; # icmp (ping) icmp type echo-request accept; # open tcp ports: http (80), https (443) tcp dport { http, https, 8080, 8090 } accept; # open udp ports: domain (53), openvpn (1194), openvpn (1195) udp dport { domain, openvpn, 1195 } accept; # open sshd (22) tcp dport { ssh } accept; } # allow packets from LAN to WAN and WAN to LAN chain forward { type filter hook forward priority 0; policy accept; } } # NAT table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; # redirect port 81 to port 80 at 10.1.0.150 iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80; iifname "tun0" tcp dport 81 dnat 10.1.0.150:80; } # for all packets to WAN, after routing, replace source address with primary IP of WAN interface chain postrouting { type nat hook postrouting priority 100; policy accept; oifname "wlan0" masquerade } }
Stand 21.05.2022
#!/usr/sbin/nft -f flush ruleset # firewall table ip filter { # allow all packets sent by the firewall machine itself chain output { type filter hook output priority 100; policy accept; } # allow LAN to firewall, disallow WAN to firewall chain input { type filter hook input priority 0; policy drop; # established/related connections ct state established,related accept; # loopback interface iifname lo accept; iifname "eth0" accept; # open tcp ports: http (80), https (443) tcp dport { http, https } accept; # open udp ports: domain (53), openvpn (1194), openvpn (1195) udp dport { domain, openvpn, 1195 } accept; # open sshd (22) tcp dport { ssh } accept; } # allow packets from LAN to WAN and WAN to LAN chain forward { type filter hook forward priority 0; policy accept; } } # NAT table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; # redirect port 81 to port 80 at 10.1.0.150 iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80; iifname "tun0" tcp dport 81 dnat 10.1.0.150:80; } # for all packets to WAN, after routing, replace source address with primary IP of WAN interface chain postrouting { type nat hook postrouting priority 100; policy accept; oifname "wlan0" masquerade } }
Stand 07.06.2020
#!/usr/sbin/nft -f flush ruleset # firewall table ip filter { # allow all packets sent by the firewall machine itself chain output { type filter hook output priority 100; policy accept; } # allow LAN to firewall, disallow WAN to firewall chain input { type filter hook input priority 0; policy accept; iifname "eth0" accept # iifname "wlan0" drop iifname "wlan0" accept iifname "tun0" accept } # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection chain forward { # type filter hook forward priority 0; policy drop; type filter hook forward priority 0; policy accept; # iifname "eth0" oifname "wlan0" accept # iifname "wlan0" oifname "eth0" ct state related,established accept } } # NAT table ip nat { chain prerouting { type nat hook prerouting priority 0; policy accept; # redirect port 81 to port 80 at 10.1.0.150 iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80; iifname "tun0" tcp dport 81 dnat 10.1.0.150:80; } # for all packets to WAN, after routing, replace source address with primary IP of WAN interface chain postrouting { type nat hook postrouting priority 100; policy accept; oifname "wlan0" masquerade } }
Zurück zu nftables