Nftables Nameserver: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
(Die Seite wurde neu angelegt: „{{note|Noch in Bearbeitung}} == Stand 10.04.2020 == <pre> #!/usr/sbin/nft -f flush ruleset table inet filter { set internal_networks_ip4 { type ipv4…“) |
|||
| (9 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) | |||
| Zeile 1: | Zeile 1: | ||
== Stand 16.07.2023 == | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
table inet filter { | |||
set server_addresses_ip4 { | |||
type ipv4_addr | |||
flags constant | |||
elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 } | |||
} | |||
set internal_networks_ip4 { | |||
type ipv4_addr | |||
flags interval | |||
auto-merge | |||
elements = { 10.2.0.0/24, 10.3.0.0/24, 10.0.0.0/24, 10.8.4.0-10.8.8.255 } | |||
} | |||
chain input { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept; | |||
# loopback interface | |||
iifname lo accept; | |||
# icmp (ping) | |||
iifname "wlan0" icmp type echo-request accept; | |||
iifname "tun0" icmp type echo-request accept; | |||
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept; | |||
# open sshd (22) for internal networks only | |||
tcp dport { ssh } ip saddr @internal_networks_ip4 log prefix "New SSH internal connection: " accept comment "accept SSH from internal networks" | |||
# open sshd (22) for all my other servers | |||
tcp dport { ssh } ip saddr @server_addresses_ip4 log prefix "New SSH server connection: " accept comment "accept SSH from my other servers" | |||
# open tcp ports: http (80), https (443) | |||
tcp dport { http, https } accept; | |||
# open udp ports: domain (53), openvpn (1194) | |||
udp dport { domain, openvpn } accept; | |||
# mysql (3306) | |||
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"; | |||
# iperf (5201) | |||
tcp dport { 5201 } accept; | |||
# oscam | |||
tcp dport { 40000 } log prefix "New OSCam connection: " accept; | |||
#counter log prefix "nft.dropinput: " comment "count dropped packets"; | |||
counter comment "count dropped packets"; | |||
} | |||
chain forward { | |||
type filter hook forward priority 0; policy drop; | |||
== Stand | ip saddr @internal_networks_ip4 accept; | ||
iifname "tun0" accept; | |||
iifname "wlan0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" ct state related,established accept; | |||
tcp dport { 40000 } accept; | |||
} | |||
chain output { | |||
type filter hook output priority 0; policy accept; | |||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
tcp dport 40000 dnat 10.0.0.171:40000; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.0.0.0/24 masquerade; | |||
} | |||
} | |||
</pre> | |||
== Stand 25.06.2022 == | |||
<pre> | <pre> | ||
| Zeile 10: | Zeile 99: | ||
table inet filter { | table inet filter { | ||
set server_addresses_ip4 { | |||
type ipv4_addr | |||
flags constant | |||
elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 } | |||
} | |||
set internal_networks_ip4 { | set internal_networks_ip4 { | ||
type ipv4_addr | type ipv4_addr | ||
| Zeile 27: | Zeile 122: | ||
# icmp (ping) | # icmp (ping) | ||
icmp type echo-request accept; | iifname "wlan0" icmp type echo-request accept; | ||
iifname "tun0" icmp type echo-request accept; | |||
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept; | |||
# open sshd (22) for internal networks only | |||
tcp dport { ssh } ip saddr @internal_networks_ip4 log prefix "New SSH internal connection: " accept comment "accept SSH from internal networks" | |||
# open sshd (22) for all my other servers | |||
tcp dport { ssh } ip saddr @server_addresses_ip4 log prefix "New SSH server connection: " accept comment "accept SSH from my other servers" | |||
# open tcp ports: http (80), https (443) | |||
tcp dport { http, https } accept; | |||
# open udp ports: domain (53), openvpn (1194) | |||
udp dport { domain, openvpn } accept; | |||
# mysql (3306) | |||
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"; | |||
# iperf (5201) | |||
tcp dport { 5201 } accept; | |||
# oscam | |||
tcp dport { 40000 } log prefix "New OSCam connection: " accept; | |||
#counter log prefix "nft.dropinput: " comment "count dropped packets"; | |||
counter comment "count dropped packets"; | |||
} | |||
chain forward { | |||
type filter hook forward priority 0; policy drop; | |||
ip saddr @internal_networks_ip4 accept; | |||
iifname "wlan0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" ct state related,established accept; | |||
tcp dport { 40000 } accept; | |||
} | |||
chain output { | |||
type filter hook output priority 0; policy accept; | |||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
tcp dport 40000 dnat 10.0.0.171:40000; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.0.0.0/24 masquerade; | |||
} | |||
} | |||
</pre> | |||
== Stand 19.06.2022 == | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
table inet filter { | |||
set server_addresses_ip4 { | |||
type ipv4_addr | |||
flags constant | |||
elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 } | |||
} | |||
set internal_networks_ip4 { | |||
type ipv4_addr | |||
flags interval | |||
auto-merge | |||
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 } | |||
} | |||
chain input { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept; | |||
# loopback interface | |||
iifname lo accept; | |||
# icmp (ping) | |||
iifname "wlan0" icmp type echo-request accept; | |||
iifname "tun0" icmp type echo-request accept; | |||
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept; | |||
# open sshd (22) for internal networks only | # open sshd (22) for internal networks only | ||
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks" | tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks" | ||
# open sshd (22) for all my other servers | |||
tcp dport { ssh } ip saddr @server_addresses_ip4 accept comment "accept SSH from my other servers" | |||
# open tcp ports: http (80), https (443) | # open tcp ports: http (80), https (443) | ||
| Zeile 41: | Zeile 231: | ||
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"; | meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"; | ||
# | # iperf (5201) | ||
tcp dport { 5201 } accept; | |||
counter comment "count dropped packets" | |||
#log | #log | ||
} | } | ||
| Zeile 48: | Zeile 240: | ||
chain forward { | chain forward { | ||
type filter hook forward priority 0; policy drop; | type filter hook forward priority 0; policy drop; | ||
ip saddr @internal_networks_ip4 accept; | |||
iifname " | iifname "wlan0" oifname "tun0" ct state related,established accept; | ||
iifname "eth0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" oifname "wlan0" ct state related,established accept; | iifname "eth0" oifname "wlan0" ct state related,established accept; | ||
iifname "eth0" tcp dport 40000 dnat 10.0.0.171:40000; | |||
} | |||
chain output { | |||
type filter hook output priority 0; policy accept; | |||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.0.0.0/24 masquerade; | |||
} | |||
} | |||
</pre> | |||
== Stand 22.09.2021 == | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
table inet filter { | |||
set server_addresses_ip4 { | |||
type ipv4_addr | |||
flags constant | |||
elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 } | |||
} | |||
set internal_networks_ip4 { | |||
type ipv4_addr | |||
flags interval | |||
auto-merge | |||
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 } | |||
} | |||
chain input { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept; | |||
# loopback interface | |||
iifname lo accept; | |||
# icmp (ping) | |||
iifname "wlan0" icmp type echo-request accept; | |||
iifname "tun0" icmp type echo-request accept; | |||
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept; | |||
# open sshd (22) for internal networks only | |||
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks" | |||
# open sshd (22) for all my other servers | |||
tcp dport { ssh } ip saddr @server_addresses_ip4 accept comment "accept SSH from my other servers" | |||
# open tcp ports: http (80), https (443) | |||
tcp dport { http, https } accept; | |||
# open udp ports: domain (53), openvpn (1194) | |||
udp dport { domain, openvpn } accept; | |||
# mysql (3306) | |||
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"; | |||
# iperf (5201) | |||
tcp dport { 5201 } accept; | |||
counter comment "count dropped packets" | |||
#log | |||
} | |||
chain forward { | |||
type filter hook forward priority 0; policy drop; | |||
ip saddr @internal_networks_ip4 accept; | |||
iifname "wlan0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" oifname "wlan0" ct state related,established accept; | |||
} | |||
chain output { | |||
type filter hook output priority 0; policy accept; | |||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.0.0.0/24 masquerade; | |||
} | |||
} | |||
</pre> | |||
== Stand 17.08.2020 == | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
table inet filter { | |||
set internal_networks_ip4 { | |||
type ipv4_addr | |||
flags interval | |||
auto-merge | |||
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 } | |||
} | |||
chain input { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept; | |||
# loopback interface | |||
iifname lo accept; | |||
# icmp (ping) | |||
iifname "wlan0" icmp type echo-request accept; | |||
iifname "tun0" icmp type echo-request accept; | |||
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept; | |||
# open sshd (22) for internal networks only | |||
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks" | |||
# open tcp ports: http (80), https (443) | |||
tcp dport { http, https } accept; | |||
# open udp ports: domain (53), openvpn (1194) | |||
udp dport { domain, openvpn } accept; | |||
# mysql (3306) | |||
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"; | |||
counter comment "count dropped packets" | |||
#log | |||
} | |||
chain forward { | |||
type filter hook forward priority 0; policy drop; | |||
ip saddr @internal_networks_ip4 accept; | |||
iifname "wlan0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" oifname "wlan0" ct state related,established accept; | |||
} | |||
chain output { | |||
type filter hook output priority 0; policy accept; | |||
} | |||
} | |||
# NAT | |||
table ip nat { | |||
chain prerouting { | |||
type nat hook prerouting priority 0; policy accept; | |||
} | |||
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface | |||
chain postrouting { | |||
type nat hook postrouting priority 100; policy accept; | |||
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" ip saddr 10.0.0.0/24 masquerade; | |||
} | |||
} | |||
</pre> | |||
== Stand 17.04.2020 == | |||
<pre> | |||
#!/usr/sbin/nft -f | |||
flush ruleset | |||
table inet filter { | |||
set internal_networks_ip4 { | |||
type ipv4_addr | |||
flags interval | |||
auto-merge | |||
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 } | |||
} | |||
chain input { | |||
type filter hook input priority 0; policy drop; | |||
# established/related connections | |||
ct state established,related accept; | |||
# loopback interface | |||
iifname lo accept; | |||
# icmp (ping) | |||
iifname "wlan0" icmp type echo-request accept; | |||
iifname "tun0" icmp type echo-request accept; | |||
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept; | |||
# open sshd (22) for internal networks only | |||
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks" | |||
# open tcp ports: http (80), https (443) | |||
tcp dport { http, https } accept; | |||
# open udp ports: domain (53), openvpn (1194) | |||
udp dport { domain, openvpn } accept; | |||
# mysql (3306) | |||
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"; | |||
counter comment "count dropped packets" | |||
#log | |||
} | |||
chain forward { | |||
type filter hook forward priority 0; policy drop; | |||
ip saddr @internal_networks_ip4 accept; | |||
iifname "wlan0" oifname "tun0" ct state related,established accept; | |||
iifname "eth0" oifname "tun0" ct state related,established accept; | |||
} | } | ||
| Zeile 68: | Zeile 497: | ||
chain postrouting { | chain postrouting { | ||
type nat hook postrouting priority 100; policy accept; | type nat hook postrouting priority 100; policy accept; | ||
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade; | |||
oifname "eth0" masquerade; | oifname "eth0" ip saddr 10.8.5.0/24 masquerade; | ||
} | } | ||
} | } | ||
Aktuelle Version vom 16. Juli 2023, 13:15 Uhr
Stand 16.07.2023
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
set server_addresses_ip4 {
type ipv4_addr
flags constant
elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 }
}
set internal_networks_ip4 {
type ipv4_addr
flags interval
auto-merge
elements = { 10.2.0.0/24, 10.3.0.0/24, 10.0.0.0/24, 10.8.4.0-10.8.8.255 }
}
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
# icmp (ping)
iifname "wlan0" icmp type echo-request accept;
iifname "tun0" icmp type echo-request accept;
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
# open sshd (22) for internal networks only
tcp dport { ssh } ip saddr @internal_networks_ip4 log prefix "New SSH internal connection: " accept comment "accept SSH from internal networks"
# open sshd (22) for all my other servers
tcp dport { ssh } ip saddr @server_addresses_ip4 log prefix "New SSH server connection: " accept comment "accept SSH from my other servers"
# open tcp ports: http (80), https (443)
tcp dport { http, https } accept;
# open udp ports: domain (53), openvpn (1194)
udp dport { domain, openvpn } accept;
# mysql (3306)
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
# iperf (5201)
tcp dport { 5201 } accept;
# oscam
tcp dport { 40000 } log prefix "New OSCam connection: " accept;
#counter log prefix "nft.dropinput: " comment "count dropped packets";
counter comment "count dropped packets";
}
chain forward {
type filter hook forward priority 0; policy drop;
ip saddr @internal_networks_ip4 accept;
iifname "tun0" accept;
iifname "wlan0" oifname "tun0" ct state related,established accept;
iifname "eth0" ct state related,established accept;
tcp dport { 40000 } accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
tcp dport 40000 dnat 10.0.0.171:40000;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
}
}
Stand 25.06.2022
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
set server_addresses_ip4 {
type ipv4_addr
flags constant
elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 }
}
set internal_networks_ip4 {
type ipv4_addr
flags interval
auto-merge
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
}
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
# icmp (ping)
iifname "wlan0" icmp type echo-request accept;
iifname "tun0" icmp type echo-request accept;
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
# open sshd (22) for internal networks only
tcp dport { ssh } ip saddr @internal_networks_ip4 log prefix "New SSH internal connection: " accept comment "accept SSH from internal networks"
# open sshd (22) for all my other servers
tcp dport { ssh } ip saddr @server_addresses_ip4 log prefix "New SSH server connection: " accept comment "accept SSH from my other servers"
# open tcp ports: http (80), https (443)
tcp dport { http, https } accept;
# open udp ports: domain (53), openvpn (1194)
udp dport { domain, openvpn } accept;
# mysql (3306)
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
# iperf (5201)
tcp dport { 5201 } accept;
# oscam
tcp dport { 40000 } log prefix "New OSCam connection: " accept;
#counter log prefix "nft.dropinput: " comment "count dropped packets";
counter comment "count dropped packets";
}
chain forward {
type filter hook forward priority 0; policy drop;
ip saddr @internal_networks_ip4 accept;
iifname "wlan0" oifname "tun0" ct state related,established accept;
iifname "eth0" ct state related,established accept;
tcp dport { 40000 } accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
tcp dport 40000 dnat 10.0.0.171:40000;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
}
}
Stand 19.06.2022
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
set server_addresses_ip4 {
type ipv4_addr
flags constant
elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 }
}
set internal_networks_ip4 {
type ipv4_addr
flags interval
auto-merge
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
}
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
# icmp (ping)
iifname "wlan0" icmp type echo-request accept;
iifname "tun0" icmp type echo-request accept;
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
# open sshd (22) for internal networks only
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
# open sshd (22) for all my other servers
tcp dport { ssh } ip saddr @server_addresses_ip4 accept comment "accept SSH from my other servers"
# open tcp ports: http (80), https (443)
tcp dport { http, https } accept;
# open udp ports: domain (53), openvpn (1194)
udp dport { domain, openvpn } accept;
# mysql (3306)
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
# iperf (5201)
tcp dport { 5201 } accept;
counter comment "count dropped packets"
#log
}
chain forward {
type filter hook forward priority 0; policy drop;
ip saddr @internal_networks_ip4 accept;
iifname "wlan0" oifname "tun0" ct state related,established accept;
iifname "eth0" oifname "tun0" ct state related,established accept;
iifname "eth0" oifname "wlan0" ct state related,established accept;
iifname "eth0" tcp dport 40000 dnat 10.0.0.171:40000;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
}
}
Stand 22.09.2021
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
set server_addresses_ip4 {
type ipv4_addr
flags constant
elements = { 212.186.198.10, 212.186.198.11, 212.186.198.12, 212.186.198.14 }
}
set internal_networks_ip4 {
type ipv4_addr
flags interval
auto-merge
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
}
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
# icmp (ping)
iifname "wlan0" icmp type echo-request accept;
iifname "tun0" icmp type echo-request accept;
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
# open sshd (22) for internal networks only
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
# open sshd (22) for all my other servers
tcp dport { ssh } ip saddr @server_addresses_ip4 accept comment "accept SSH from my other servers"
# open tcp ports: http (80), https (443)
tcp dport { http, https } accept;
# open udp ports: domain (53), openvpn (1194)
udp dport { domain, openvpn } accept;
# mysql (3306)
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
# iperf (5201)
tcp dport { 5201 } accept;
counter comment "count dropped packets"
#log
}
chain forward {
type filter hook forward priority 0; policy drop;
ip saddr @internal_networks_ip4 accept;
iifname "wlan0" oifname "tun0" ct state related,established accept;
iifname "eth0" oifname "tun0" ct state related,established accept;
iifname "eth0" oifname "wlan0" ct state related,established accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
}
}
Stand 17.08.2020
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
set internal_networks_ip4 {
type ipv4_addr
flags interval
auto-merge
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
}
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
# icmp (ping)
iifname "wlan0" icmp type echo-request accept;
iifname "tun0" icmp type echo-request accept;
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
# open sshd (22) for internal networks only
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
# open tcp ports: http (80), https (443)
tcp dport { http, https } accept;
# open udp ports: domain (53), openvpn (1194)
udp dport { domain, openvpn } accept;
# mysql (3306)
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
counter comment "count dropped packets"
#log
}
chain forward {
type filter hook forward priority 0; policy drop;
ip saddr @internal_networks_ip4 accept;
iifname "wlan0" oifname "tun0" ct state related,established accept;
iifname "eth0" oifname "tun0" ct state related,established accept;
iifname "eth0" oifname "wlan0" ct state related,established accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.0.0.0/24 masquerade;
}
}
Stand 17.04.2020
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
set internal_networks_ip4 {
type ipv4_addr
flags interval
auto-merge
elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
}
chain input {
type filter hook input priority 0; policy drop;
# established/related connections
ct state established,related accept;
# loopback interface
iifname lo accept;
# icmp (ping)
iifname "wlan0" icmp type echo-request accept;
iifname "tun0" icmp type echo-request accept;
iifname "eth0" ip daddr { 212.186.198.13 } icmp type echo-request accept;
# open sshd (22) for internal networks only
tcp dport { ssh } ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"
# open tcp ports: http (80), https (443)
tcp dport { http, https } accept;
# open udp ports: domain (53), openvpn (1194)
udp dport { domain, openvpn } accept;
# mysql (3306)
meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks";
counter comment "count dropped packets"
#log
}
chain forward {
type filter hook forward priority 0; policy drop;
ip saddr @internal_networks_ip4 accept;
iifname "wlan0" oifname "tun0" ct state related,established accept;
iifname "eth0" oifname "tun0" ct state related,established accept;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
# NAT
table ip nat {
chain prerouting {
type nat hook prerouting priority 0; policy accept;
}
# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname "wlan0" ip saddr 10.8.5.0/24 masquerade;
oifname "eth0" ip saddr 10.8.5.0/24 masquerade;
}
}
Zurück zu nftables