@ArcherN9
Created September 19, 2021 09:18
ArcherN9 primary NFRule file to be loaded permanently on the system
flush ruleset
table ip pinhole_filter {
    # allow all packets sent by Pi itself
    chain output {
        type filter hook output priority 100; policy accept;
    }
    # allow LAN to firewall, disallow WAN to firewall
    chain input {
        # Blanket policy to drop all incoming packets unless specified below
        type filter hook input priority 100; policy drop;
        # Loopback rule added: traffic between local services on the Pi also
        # enters through the input hook and would otherwise hit the drop policy
        iif "lo" counter accept comment "Accept loopback traffic"
        # If a connection was requested by Pi itself, let it pass
        ct state { established, related } counter accept comment "Accept connections related to connections made by Pi"
        # Accept ICMP requests
        ip protocol icmp counter accept comment "Blanket accept ICMP requests across all interfaces"
        # Accept SSH requests from wlan0
        iifname "wlan0" tcp dport 22 counter accept comment "Accept Packets from Service: SSH"
        # Accept Wireguard connection requests
        iifname "wlan0" udp dport 51820 counter accept comment "Accept connection requests: Wireguard"
        # Accept SSH requests from wg0. This rule lives in the same chain on purpose:
        # a second base chain on the input hook with "policy drop" (the former
        # wg0_pinhole_filter table) still sees every packet this chain accepts and
        # drops whatever it does not match itself, which cut off SSH and ICMP on
        # wlan0, replies to the Pi's own connections and the Wireguard handshake.
        iifname "wg0" tcp dport 22 counter accept comment "Accept Packets from Service: SSH over Wireguard"
    }
}
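Why the wg0 SSH rule must share the chain with the wlan0 rules can be checked without a Pi. The following simulation is an added example, not code from the gist: it models nftables' traversal of several base chains on one hook (priority order, accept passes the packet on to the next chain, drop is final, the chain policy applies when no rule matched) and runs the gist's input rules, as written and merged into one chain, against constructed sample packets.

```python
"""Simulate an nftables hook with several base chains. Added example, not
code from the gist; chain semantics follow the nftables documentation."""
from dataclasses import dataclass, field

@dataclass
class BaseChain:
    name: str
    priority: int
    policy: str                                 # verdict when no rule matches
    rules: list = field(default_factory=list)   # (predicate, verdict) pairs

def chain_verdict(chain, pkt):
    """Verdict of one chain: first matching rule, else the chain policy."""
    for predicate, verdict in chain.rules:
        if predicate(pkt):
            return verdict
    return chain.policy

def hook_verdict(chains, pkt):
    """(final verdict, name of the chain that dropped the packet or None)."""
    for chain in sorted(chains, key=lambda c: c.priority):
        if chain_verdict(chain, pkt) == "drop":   # drop is final
            return "drop", chain.name
    return "accept", None                         # accepted by every chain

def ssh_from(iface):
    return lambda p: p["iif"] == iface and p["proto"] == "tcp" and p["dport"] == 22

# The gist's input rules (wlan0 = LAN, wg0 = WireGuard tunnel).
PINHOLE_RULES = [
    (lambda p: p["ct"] in ("established", "related"), "accept"),
    (lambda p: p["proto"] == "icmp", "accept"),
    (ssh_from("wlan0"), "accept"),
    (lambda p: p["iif"] == "wlan0" and p["proto"] == "udp" and p["dport"] == 51820, "accept"),
]
# As written in the gist: two base chains on the input hook, both with policy drop.
AS_WRITTEN = [BaseChain("pinhole_filter/input", 100, "drop", PINHOLE_RULES),
              BaseChain("wg0_pinhole_filter/input", 101, "drop", [(ssh_from("wg0"), "accept")])]
# Merged: the wg0 SSH rule joins the single chain instead.
MERGED = [BaseChain("pinhole_filter/input", 100, "drop", PINHOLE_RULES + [(ssh_from("wg0"), "accept")])]
# Constructed sample packets, not captured traffic.
PACKETS = {
    "WireGuard handshake on wlan0": {"iif": "wlan0", "proto": "udp", "dport": 51820, "ct": "new"},
    "SSH over wg0": {"iif": "wg0", "proto": "tcp", "dport": 22, "ct": "new"},
    "SSH from eth0 (WAN)": {"iif": "eth0", "proto": "tcp", "dport": 22, "ct": "new"},
}
if __name__ == "__main__":
    for label, pkt in PACKETS.items():
        print(f"{label}: as written -> {hook_verdict(AS_WRITTEN, pkt)}, merged -> {hook_verdict(MERGED, pkt)}")
```

With the two-chain layout the WireGuard handshake is accepted by pinhole_filter and then dropped by wg0_pinhole_filter's policy, while SSH over wg0 never gets past pinhole_filter; the merged chain accepts both and still drops SSH arriving on eth0.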