Nftables Router Hofstetten

Aus Tutorials
Zur Navigation springen Zur Suche springen

Stand 09.04.2023

#!/usr/sbin/nft -f

flush ruleset

# firewall
table ip filter {
  # allow all packets sent by the firewall machine itself
  chain output {
    type filter hook output priority 100; policy accept;
  }

  # allow LAN to firewall, disallow WAN to firewall
  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept;

    # loopback interface
    iifname lo accept;

    iifname "eth0" accept;

    # icmp (ping)
    icmp type echo-request accept;

    # open tcp ports: http (80), https (443)
    tcp dport { http, https, 8080, 8090 } accept;

    # open udp ports: domain (53), openvpn (1194), openvpn (1195)
    udp dport { domain, openvpn, 1195 } accept;

    # open sshd (22)
    tcp dport { ssh } accept;
  }

  # allow packets from LAN to WAN and WAN to LAN
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
}

# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;

    # redirect port 81 to port 80 at 10.1.0.150
    iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80;
    iifname "tun0" tcp dport 81 dnat 10.1.0.150:80;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" masquerade
  }
}

Stand 21.05.2022

#!/usr/sbin/nft -f

flush ruleset

# firewall
table ip filter {
  # allow all packets sent by the firewall machine itself
  chain output {
    type filter hook output priority 100; policy accept;
  }

  # allow LAN to firewall, disallow WAN to firewall
  chain input {
    type filter hook input priority 0; policy drop;

    # established/related connections
    ct state established,related accept;

    # loopback interface
    iifname lo accept;

    iifname "eth0" accept;

    # open tcp ports: http (80), https (443)
    tcp dport { http, https } accept;

    # open udp ports: domain (53), openvpn (1194), openvpn (1195)
    udp dport { domain, openvpn, 1195 } accept;

    # open sshd (22)
    tcp dport { ssh } accept;
  }

  # allow packets from LAN to WAN and WAN to LAN
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
}

# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;

    # redirect port 81 to port 80 at 10.1.0.150
    iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80;
    iifname "tun0" tcp dport 81 dnat 10.1.0.150:80;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" masquerade
  }
}

Stand 07.06.2020

#!/usr/sbin/nft -f

flush ruleset

# firewall
table ip filter {
  # allow all packets sent by the firewall machine itself
  chain output {
    type filter hook output priority 100; policy accept;
  }

  # allow LAN to firewall, disallow WAN to firewall
  chain input {
    type filter hook input priority 0; policy accept;
    iifname "eth0" accept
#    iifname "wlan0" drop
    iifname "wlan0" accept
    iifname "tun0" accept
  }

  # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection
  chain forward {
#    type filter hook forward priority 0; policy drop;
    type filter hook forward priority 0; policy accept;
#    iifname "eth0" oifname "wlan0" accept
#    iifname "wlan0" oifname "eth0" ct state related,established accept
  }
}

# NAT
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0; policy accept;

    # redirect port 81 to port 80 at 10.1.0.150
    iifname "wlan0" tcp dport 81 dnat 10.1.0.150:80;
    iifname "tun0" tcp dport 81 dnat 10.1.0.150:80;
  }

  # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "wlan0" masquerade
  }
}


Zurück zu nftables