ArcherN9 primary NFRule file to be loaded permanently on the system
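# Primary ruleset, meant to be loaded with `nft -f`.
# `flush ruleset` wipes EVERY table in every family before the rest of this
# file is applied (including tables owned by other software on the host), so
# this file has to carry the complete intended policy on its own.
flush ruleset
# NOTE: a table of family `ip` hooks IPv4 only. IPv6 packets are never
# evaluated by these chains, so they are not subject to the drop policy below.
# To apply the same policy to both families, declare the table as `inet`
# and add an ICMPv6 accept (e.g. `meta l4proto ipv6-icmp accept`) so
# neighbour discovery keeps working.
table ip pinhole_filter {
    # allow all packets sent by Pi itself
    chain output {
        type filter hook output priority 100; policy accept;
    }
    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        # Blanket policy to drop all incoming packets unless specified below
        type filter hook input priority 100; policy drop;
        # Loopback must be accepted explicitly: a local process connecting to
        # 127.0.0.1 sends a first packet in ct state "new", which none of the
        # rules below match, so it would fall through to the drop policy.
        iifname "lo" counter accept comment "Accept loopback traffic"
        # If a connection was requested by Pi itself, let it pass
        ct state { established, related } counter accept comment "Accept connections related to connections made by Pi"
        # Accept ICMP requests (all interfaces, IPv4 only in an `ip` table)
        ip protocol icmp counter accept comment "Blanket accept ICMP requests across all interfaces"
        # Accept SSH requests from wlan0 (the LAN side)
        iifname "wlan0" tcp dport 22 counter accept comment "Accept Packets from Service: SSH"
        # Accept Wireguard connection requests
        iifname "wlan0" udp dport 51820 counter accept comment "Accept connection requests: Wireguard"
    }
}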
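# Extra pinhole: SSH arriving over the WireGuard tunnel interface (wg0).
#
# Written as a rule ADDED to the existing `pinhole_filter` input chain rather
# than as a second table with its own input base chain. nftables runs every
# base chain registered on a hook: an accept in one chain only hands the packet
# on to the next chain, while a drop in any chain is final. A second table with
# `policy drop` would therefore (a) drop everything the primary table accepts
# except wg0 SSH -- including the WireGuard handshake itself on wlan0 -- and
# (b) still never admit wg0 SSH, because the primary input chain at
# priority 100 drops that packet before a chain at priority 101 sees it.
#
# Load order: the primary file (which creates `pinhole_filter`) must be loaded
# first; `add rule` fails if the table or chain does not exist yet.
add rule ip pinhole_filter input iifname "wg0" tcp dport 22 counter accept comment "Accept Packets from Service: SSH"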