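--- nft-pre 2022-05-29 20:10:06.712756621 +0200
+++ nft-post 2022-05-29 20:10:06.708756589 +0200
@@ -5,8 +5,10 @@
  ct state established,related accept comment "!fw4: Allow inbound established and related flows"
  ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
  tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
- udp dport 8192 counter packets 0 bytes 0 accept comment "!fw4: Allow-Wireguard-Inbound"
+ udp dport 8192 counter packets 91 bytes 15464 accept comment "!fw4: Allow-Wireguard-Inbound"
  iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
+ iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "wg0" jump input_wg comment "!fw4: Handle wg IPv4/IPv6 input traffic"
  }
  chain forward {
@@ -14,6 +16,8 @@
  ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
  ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
  iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
+ iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "wg0" jump forward_wg comment "!fw4: Handle wg IPv4/IPv6 forward traffic"
  jump handle_reject
  }
@@ -23,6 +27,8 @@
  ct state established,related accept comment "!fw4: Allow outbound established and related flows"
  ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
  oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
+ oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ oifname "wg0" jump output_wg comment "!fw4: Handle wg IPv4/IPv6 output traffic"
  }
  chain handle_reject {
@@ -52,11 +58,11 @@
  }
  chain accept_from_lan {
- iifname "br-lan" counter packets 948 bytes 696395 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
+ iifname "br-lan" counter packets 698 bytes 473189 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
  }
  chain accept_to_lan {
- oifname "br-lan" counter packets 138 bytes 14004 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
+ oifname "br-lan" counter packets 103 bytes 16576 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
  }
  chain input_wan {
@@ -85,12 +91,15 @@
  }
  chain accept_to_wan {
+ oifname "pppoe-wan" counter packets 103 bytes 10698 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
  }
  chain reject_from_wan {
+ iifname "pppoe-wan" counter packets 72 bytes 4479 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
  }
  chain reject_to_wan {
+ oifname "pppoe-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
  }
  chain input_wg {
@@ -107,30 +116,39 @@
  }
  chain accept_from_wg {
+ iifname "wg0" counter packets 2 bytes 120 accept comment "!fw4: accept wg IPv4/IPv6 traffic"
  }
  chain accept_to_wg {
+ oifname "wg0" counter packets 0 bytes 0 accept comment "!fw4: accept wg IPv4/IPv6 traffic"
  }
  chain dstnat {
  type nat hook prerouting priority dstnat; policy accept;
  iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
+ iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
  }
  chain srcnat {
  type nat hook postrouting priority srcnat; policy accept;
  oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
+ oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
+ oifname "wg0" jump srcnat_wg comment "!fw4: Handle wg IPv4/IPv6 srcnat traffic"
  }
  chain dstnat_lan {
+ ip saddr 10.0.0.0/24 ip daddr 213.219.163.106 tcp dport 4505 dnat ip to 10.0.0.5:4505 comment "!fw4: Salt 1 (reflection)"
+ ip saddr 10.0.0.0/24 ip daddr 213.219.163.106 tcp dport 4506 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2 (reflection)"
  }
  chain srcnat_lan {
+ ip saddr 10.0.0.0/24 ip daddr 10.0.0.5 tcp dport 4505 snat ip to 10.0.0.1 comment "!fw4: Salt 1 (reflection)"
+ ip saddr 10.0.0.0/24 ip daddr 10.0.0.5 tcp dport 4506 snat ip to 10.0.0.1 comment "!fw4: Salt 2 (reflection)"
  }
  chain dstnat_wan {
  meta nfproto ipv4 tcp dport 4505 counter packets 0 bytes 0 dnat ip to 10.0.0.5:4505 comment "!fw4: Salt 1"
- meta nfproto ipv4 tcp dport 4506 counter packets 0 bytes 0 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2"
+ meta nfproto ipv4 tcp dport 4506 counter packets 120 bytes 7200 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2"
  }
  chain srcnat_wan {
@@ -171,5 +189,7 @@
  chain mangle_forward {
  type filter hook forward priority mangle; policy accept;
+ iifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
+ oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
  }
  }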
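Review bot: The two `dstnat_wan` rules (`tcp dport 4505` and `tcp dport 4506`, in the `@@ -107,30 +116,39 @@` hunk) forward the Salt master ports from any WAN source to 10.0.0.5 with no `ip saddr` match, and the counter on the 4506 rule now reads `packets 120 bytes 7200`, so Internet-originated traffic is already being rewritten towards that host; nothing in the shown ruleset narrows which sources may reach it on those ports. If the minion addresses are known, restricting the source on the redirect is the cheap mitigation — in the fw4 configuration that is the redirect section's `src_ip` option, which would render here as `meta nfproto ipv4 ip saddr <MINION_ADDR_OR_NET> tcp dport 4506 counter dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2"` — and the wg0 zone added in the same change could carry minion traffic without any WAN-side DNAT at all. A smaller point: the reflection rules in `dstnat_lan` match the hard-coded public address `213.219.163.106`, and on a PPPoE uplink that address is often dynamic, so these rules presumably go stale whenever the WAN address changes until fw4 regenerates the ruleset, which is worth remembering when hairpin access to Salt stops working. The `input_wan`/`forward_wan` chains that ultimately decide whether the DNATed flow is accepted are only partly visible in these hunks, so their policy is not assessed here.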