-
Notifications
You must be signed in to change notification settings - Fork 1
/
example-router2.nft
103 lines (78 loc) · 3.23 KB
/
example-router2.nft
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
#!/usr/sbin/nft -f
## Note: This example is default reject for forwarded traffic.
## You will need to whitelist required ports/IPs to allow traffic.
flush ruleset
define LAN_IPV4 = {
172.16.0.0/24
}
define LAN_IPV6 = {
2001:abcd:2222:100a::/64
}
define PRIVATE_IPV4 = {
10.0.0.0/8,
192.168.0.0/16,
172.16.0.0/12
}
define PRIVATE_IPV6 = {
fe80::/10,
fd00::/8
}
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
ct state invalid counter drop comment "early drop of invalid packets"
ct state {established, related} counter accept comment "accept all connections related to connections made by us"
meta l4proto icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"
iif lo accept comment "accept loopback"
iif != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback"
iif != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback"
ip protocol icmp counter accept comment "accept all ICMP types"
ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"
# SSH
tcp dport 22 accept
# DNS for LAN
tcp dport 53 ip saddr {$LAN_IPV4} accept
udp dport 53 ip saddr {$LAN_IPV4} accept
# DNS for LAN (IPv6)
tcp dport 53 ip6 saddr {$LAN_IPV6} accept
udp dport 53 ip6 saddr {$LAN_IPV6} accept
# DHCP for LAN
udp dport 67 ip saddr {$LAN_IPV4} accept
}
chain forward {
type filter hook forward priority 0; policy reject;
# HTTP / HTTPS ports
tcp dport {80,443} accept
# DNS
tcp dport 53 accept
udp dport 53 accept
# SSH
tcp dport 22 accept
# RDP
tcp dport 3389 accept
udp dport 3389 accept
# POP3 (TLS)
tcp dport {995} accept
# IMAP (TLS)
tcp dport {993} accept
# SMTP (TLS)
tcp dport {465,587} accept
}
chain prerouting {
type nat hook prerouting priority -101; policy accept;
# RDP port forwarding example
ip saddr 0.0.0.0/0 ip daddr 1.2.3.4 tcp dport 3389 dnat to 172.16.0.51:3389
ip saddr 0.0.0.0/0 ip daddr 1.2.3.4 udp dport 3389 dnat to 172.16.0.51:3389
}
chain postrouting {
type nat hook postrouting priority 101; policy accept;
# NAT (Example 1)
#ip saddr {$LAN_IPV4} oifname eth2 snat to 1.2.3.4 random
# NAT (Example 2)
#oifname eth2 masquerade
}
chain output {
type filter hook output priority 0; policy accept;
}
}