Skip to content

Instantly share code, notes, and snippets.

@Borromini
Last active May 29, 2022
Embed
What would you like to do?
--- nft-pre 2022-05-29 20:10:06.712756621 +0200
+++ nft-post 2022-05-29 20:10:06.708756589 +0200
@@ -5,8 +5,10 @@
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
tcp flags syn / fin,syn,rst,ack jump syn_flood comment "!fw4: Rate limit TCP syn packets"
- udp dport 8192 counter packets 0 bytes 0 accept comment "!fw4: Allow-Wireguard-Inbound"
+ udp dport 8192 counter packets 91 bytes 15464 accept comment "!fw4: Allow-Wireguard-Inbound"
iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
+ iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
+ iifname "wg0" jump input_wg comment "!fw4: Handle wg IPv4/IPv6 input traffic"
}
chain forward {
@@ -14,6 +16,8 @@
ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
+ iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
+ iifname "wg0" jump forward_wg comment "!fw4: Handle wg IPv4/IPv6 forward traffic"
jump handle_reject
}
@@ -23,6 +27,8 @@
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
+ oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
+ oifname "wg0" jump output_wg comment "!fw4: Handle wg IPv4/IPv6 output traffic"
}
chain handle_reject {
@@ -52,11 +58,11 @@
}
chain accept_from_lan {
- iifname "br-lan" counter packets 948 bytes 696395 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
+ iifname "br-lan" counter packets 698 bytes 473189 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
- oifname "br-lan" counter packets 138 bytes 14004 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
+ oifname "br-lan" counter packets 103 bytes 16576 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain input_wan {
@@ -85,12 +91,15 @@
}
chain accept_to_wan {
+ oifname "pppoe-wan" counter packets 103 bytes 10698 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
+ iifname "pppoe-wan" counter packets 72 bytes 4479 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
+ oifname "pppoe-wan" counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain input_wg {
@@ -107,30 +116,39 @@
}
chain accept_from_wg {
+ iifname "wg0" counter packets 2 bytes 120 accept comment "!fw4: accept wg IPv4/IPv6 traffic"
}
chain accept_to_wg {
+ oifname "wg0" counter packets 0 bytes 0 accept comment "!fw4: accept wg IPv4/IPv6 traffic"
}
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
+ iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
+ oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
+ oifname "wg0" jump srcnat_wg comment "!fw4: Handle wg IPv4/IPv6 srcnat traffic"
}
chain dstnat_lan {
+ ip saddr 10.0.0.0/24 ip daddr 213.219.163.106 tcp dport 4505 dnat ip to 10.0.0.5:4505 comment "!fw4: Salt 1 (reflection)"
+ ip saddr 10.0.0.0/24 ip daddr 213.219.163.106 tcp dport 4506 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2 (reflection)"
}
chain srcnat_lan {
+ ip saddr 10.0.0.0/24 ip daddr 10.0.0.5 tcp dport 4505 snat ip to 10.0.0.1 comment "!fw4: Salt 1 (reflection)"
+ ip saddr 10.0.0.0/24 ip daddr 10.0.0.5 tcp dport 4506 snat ip to 10.0.0.1 comment "!fw4: Salt 2 (reflection)"
}
chain dstnat_wan {
meta nfproto ipv4 tcp dport 4505 counter packets 0 bytes 0 dnat ip to 10.0.0.5:4505 comment "!fw4: Salt 1"
- meta nfproto ipv4 tcp dport 4506 counter packets 0 bytes 0 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2"
+ meta nfproto ipv4 tcp dport 4506 counter packets 120 bytes 7200 dnat ip to 10.0.0.5:4506 comment "!fw4: Salt 2"
}
chain srcnat_wan {
@@ -171,5 +189,7 @@
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
+ iifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
+ oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment