Nftables Nameserver


Noch in Bearbeitung


Stand 10.04.2020

#!/usr/sbin/nft -f

# Start from a clean slate. NOTE: this removes *every* table currently loaded
# in the kernel -- including ones created by other tools (iptables-nft,
# container runtimes, fail2ban) -- not only the tables defined in this file.
flush ruleset

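table inet filter {
  # IPv4 networks trusted for administrative access (SSH, MySQL).
  # 'flags interval' + 'auto-merge' allows overlapping/adjacent ranges to be listed.
  # NOTE: this set is IPv4-only; rules matching it never accept an IPv6 source.
  set internal_networks_ip4 {
    type ipv4_addr
    flags interval
    auto-merge
    elements = { 10.2.0.0/24, 10.0.0.0/24, 10.8.5.0/24 }
  }

  chain input {
    # Default-deny: anything not explicitly accepted below is dropped.
    type filter hook input priority 0; policy drop;

    # Drop packets conntrack cannot classify (bogus TCP flag combinations,
    # out-of-window segments) *before* the port-based accepts. Without this,
    # such packets addressed to 80/443/53 would be accepted by the rules below.
    ct state invalid drop

    # Replies to, and side-channels of, connections that are already tracked.
    ct state established,related accept

    # Loopback traffic is always allowed.
    iifname "lo" accept

    # IPv4 ping.
    icmp type echo-request accept

    # IPv6 neighbour discovery and ping. 'inet' tables see IPv6 too, and with
    # policy drop and no icmpv6 rule the host cannot even resolve link-layer
    # addresses. Remove this rule if the host is deliberately IPv4-only.
    icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept

    # SSH (22) only from the trusted internal networks.
    tcp dport ssh ip saddr @internal_networks_ip4 accept comment "accept SSH from internal networks"

    # Web: http (80), https (443) from anywhere.
    tcp dport { http, https } accept

    # DNS (53). A nameserver must answer over TCP as well as UDP (RFC 7766):
    # truncated UDP responses are retried over TCP, and zone transfers (AXFR)
    # and large DNSSEC answers need it.
    # If this host is a *recursive* resolver rather than an authoritative
    # server, add 'ip saddr @internal_networks_ip4' to both rules so it cannot
    # be abused as an open resolver for reflection/amplification attacks.
    tcp dport domain accept
    udp dport domain accept

    # OpenVPN (udp 1194) from anywhere.
    udp dport openvpn accept

    # MySQL (3306) only from the trusted internal networks. '@th,16,16' reads
    # the 16-bit destination port at byte offset 2 of the transport header,
    # so one rule covers both TCP and UDP.
    meta l4proto { tcp, udp } @th,16,16 { 3306 } ip saddr @internal_networks_ip4 accept comment "accept mysql from internal networks"

    # A blanket 'iifname "wlan0" accept' was left commented out in the original
    # ruleset; it would expose every listening service to WLAN clients and is
    # deliberately not enabled here.

    # Optional: uncomment to see what the default-deny policy is dropping.
    # counter log prefix "nft input drop: "
  }

  chain forward {
    # Default-deny; only the wlan0 -> eth0 path (and its replies) is routed.
    type filter hook forward priority 0; policy drop;

    # Same reasoning as in the input chain: never forward unclassifiable packets.
    ct state invalid drop

    # Clients on wlan0 may reach the network behind eth0; only replies come back.
    # NOTE: this chain is 'inet', so IPv6 from wlan0 is forwarded as well, but
    # the nat table below is IPv4-only -- IPv6 would leave eth0 untranslated.
    iifname "wlan0" oifname "eth0" accept
    iifname "eth0" oifname "wlan0" ct state established,related accept
  }

  chain output {
    # Locally generated traffic is unrestricted.
    type filter hook output priority 0; policy accept;
  }
}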

# NAT
# IPv4 only ('table ip'): IPv6 forwarded by the filter table above is not
# translated by anything in this file.
table ip nat {
  # Intentionally empty. Registering a nat hook in prerouting is still
  # required on older kernels so that replies to masqueraded flows are
  # translated back (review note: confirm whether the target kernel still
  # needs this before removing the chain).
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    # Narrower variant: masquerade only the OpenVPN client subnet.
    #ip saddr 10.8.5.0/24 oifname "eth0" masquerade
    # Masquerades every source leaving eth0 -- forwarded traffic from any
    # interface as well as locally generated packets.
    oifname "eth0" masquerade;
  }
}

