#!/usr/sbin/nft -f
# Generated by ezg
# Do not edit this file directly
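# `flush ruleset` removes every table in every family, not only the two
# declared in this file: rules installed by other tools on the same host
# (container runtimes, fail2ban, libvirt, ...) are wiped as well.
flush ruleset

# IPv4 bogons: reserved / never-globally-routable ranges (RFC 1918, RFC 6598
# shared space, link-local, TEST-NETs, benchmarking, multicast, class E).
# NOTE(review): this set is defined but no rule in this file references it.
# The usual use is `iifname "eth0" ip saddr $BOGONS4 drop` at the top of
# input_wan -- but only if eth0 carries a public address, because RFC 1918
# space is part of the set and an upstream NAT router would be blocked.
# Changes from the original list:
#   * 10.64.0.0/10 -> 100.64.0.0/10. 10.64.0.0/10 lies inside 10.0.0.0/8 and
#     was a no-op; 100.64.0.0/10 is the RFC 6598 (CGNAT) range the canonical
#     bogon list carries, so the original looks like a typo.
#   * 127.0.53.53 and 255.255.255.255/32 dropped: they are already covered by
#     127.0.0.0/8 and 240.0.0.0/4, so the matched address space is unchanged,
#     and nft rejects or has to merge overlapping elements in an interval set.
define BOGONS4 = {
	0.0.0.0/8,
	10.0.0.0/8,
	100.64.0.0/10,
	127.0.0.0/8,
	169.254.0.0/16,
	172.16.0.0/12,
	192.0.0.0/24,
	192.0.2.0/24,
	192.168.0.0/16,
	198.18.0.0/15,
	198.51.100.0/24,
	203.0.113.0/24,
	224.0.0.0/4,
	240.0.0.0/4
}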
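# Packet filter for both IPv4 and IPv6 (inet family).
# Interfaces: eth0 = WAN (Internet), eth1 = LAN.
# Only the input and forward hooks are filtered; there is no output hook
# chain, so traffic originated by the router itself is never restricted.
table inet filter {
	# ---- Zone wan (eth0) -------------------------------------------------
	# Per-zone chains are only reached via `jump` from the hook chains below,
	# after the conntrack rules ran, so they see only NEW/untracked packets.
	chain input_wan {
		# Rate-limited ping from the Internet. The `rate` keyword is mandatory
		# in nft's limit statement; the original `limit 5/second` does not
		# parse, which makes `nft -f` reject the whole file before loading it.
		icmp type echo-request limit rate 5/second accept
	}
	chain output_wan {
		# Unused: nothing jumps here and there is no output hook chain.
	}

	# ---- Zone lan (eth1) -------------------------------------------------
	chain input_lan {
		# Services the router offers to the LAN: HTTP(S), SSH, DNS, DHCP,
		# and whatever listens on tcp/3000.
		# NOTE(review): no ICMP/ICMPv6 is accepted from the LAN, so the router
		# does not answer ping from inside -- confirm that is intended.
		tcp dport { 22, 80, 443, 3000 } accept
		udp dport { 53, 67 } accept
	}
	chain output_lan {
		# Unused: nothing jumps here and there is no output hook chain.
	}
	chain forward_lan_wan {
		# New flows LAN -> Internet.
		tcp dport { 80, 443, 3000 } accept
		# NOTE(review): udp/67 is the DHCP *server* port; forwarding it toward
		# the WAN is unusual. Kept because the original allowed it -- confirm.
		udp dport { 53, 67 } accept
	}

	# ---- Hook chains -----------------------------------------------------
	chain input {
		# Default deny for everything not explicitly accepted below.
		type filter hook input priority 0; policy drop;
		# Replies to connections the router (or a NATed LAN host) opened.
		# The counters sit on the verdict rules so they count what is actually
		# accepted/dropped; in the original the `counter` was placed *after*
		# the verdict map, and vmap verdicts are terminal, so it only counted
		# packets that matched none of the keys (state new/untracked).
		ct state { established, related } counter accept
		ct state invalid counter drop
		# Loopback is trusted.
		iifname "lo" accept
		# Anti-spoof: 127/8 is only legitimate on lo. The original rule was
		# written the other way round (`iifname "lo" ip daddr != 127/8 drop`)
		# and thereby also dropped the router's own traffic to its eth0/eth1
		# addresses, which the kernel delivers over lo.
		iifname != "lo" ip saddr 127.0.0.0/8 drop
		iifname != "lo" ip daddr 127.0.0.0/8 drop
		# NOTE(review): this is an inet table with policy drop and no ICMPv6
		# rule, so IPv6 neighbour/router discovery on eth0/eth1 is dropped.
		# If IPv6 is used at all, an `icmpv6 type { nd-neighbor-solicit,
		# nd-neighbor-advert, nd-router-advert } accept` rule belongs here.
		# Dispatch new flows to the per-zone chains.
		iifname "eth0" jump input_wan
		iifname "eth1" jump input_lan
	}

	chain forward {
		# Default deny for routed traffic as well.
		type filter hook forward priority 0; policy drop;
		ct state vmap { established : accept, related : accept, invalid : drop }
		iifname "lo" accept
		# LAN -> WAN. The WAN interface is named eth0 everywhere else in this
		# ruleset (input dispatch above, DNAT/masquerade in table nat); the
		# original `oifname wan` only matches an interface literally called
		# "wan", which would leave every new LAN -> Internet flow to the drop
		# policy. Confirm eth0 is the WAN NIC.
		iifname "eth1" oifname "eth0" jump forward_lan_wan
		# Inbound port-forwards from the Internet would be accepted here, paired
		# with the DNAT rule in table nat (both still commented out).
		# iifname "eth0" tcp dport { $PORTFORWARDS } counter accept
	}
}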
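# Source NAT for the LAN behind eth0. The family is spelled out: `table nat`
# defaults to `ip`, so this table only ever NATs IPv4 -- IPv6 is not NATed.
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# Inbound port-forwards (DNAT) would go here; they also need a matching
		# accept in `table inet filter` chain forward.
		# iifname "eth0" tcp dport { $PORTFORWARDS } dnat to 10.199.200.1
	}
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# Masquerade everything leaving via the WAN interface.
		# Matched by name rather than with `oif`: `oif eth0` is resolved to an
		# interface index when the ruleset is loaded, so the load fails if eth0
		# does not exist yet and the rule silently stops matching if eth0 is
		# later re-created with a new index (hot-plug, PPP/USB WAN).
		oifname "eth0" masquerade
	}
}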