Last active
March 30, 2024 02:12
-
-
Save mortn/0624297e966a0a2be9a992ee8f77d68b to your computer and use it in GitHub Desktop.
nftables router
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| flush ruleset | |
| # filter | |
| table ip filter { | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| ct state invalid counter drop comment "drop invalid packets" | |
| ct state {established, related} counter accept comment "accept all connections related to connections made by us" | |
| iifname lo accept comment "accept loopback" | |
| iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback not coming from loopback" | |
| iifname enp3s0 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16} log drop comment "drop rfc1918 input on inet if" | |
| iif enp1s0f0 ip saddr 10.0.0.0/26 ct state new accept | |
| iif enp1s0f1 ip saddr 10.0.1.0/24 ct state new accept | |
| ip protocol icmp counter accept comment "accept all icmp types" | |
| tcp dport ssh counter accept comment "accept ssh" | |
| tcp dport { http, https} ct state new accept comment "accept https" | |
| counter comment "count dropped packets" | |
| counter log prefix "nft#in: " | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; policy drop; | |
| ct state established,related accept | |
| counter comment "count dropped packets" | |
| ip saddr 10.0.0.0/22 ct state new accept | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| } | |
| # nat | |
| table ip nat { | |
| chain prerouting { | |
| type nat hook prerouting priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| chain input { | |
| type nat hook input priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| chain output { | |
| type nat hook output priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| chain postrouting { | |
| type nat hook postrouting priority 0; policy accept; | |
| oifname enp3s0 masquerade | |
| counter comment "count accepted packets" | |
| counter log prefix "nft#nat: " | |
| } | |
| } | |
| #filter | |
| table ip6 filter6 { | |
| chain input { | |
| type filter hook input priority 0; policy drop; | |
| ct state invalid counter drop comment "drop invalid packets" | |
| ct state {established, related} counter accept comment "accept all connections related to connections made by us" | |
| iifname lo accept comment "accept loopback" | |
| iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not coming from loopback" | |
| ip6 nexthdr icmpv6 counter accept comment "accept all icmp types" | |
| #tcp dport 22 counter accept comment "accept ssh" | |
| counter comment "count dropped packets" | |
| } | |
| chain forward { | |
| type filter hook forward priority 0; policy drop; | |
| counter comment "count dropped packets" | |
| } | |
| chain output { | |
| type filter hook output priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| } | |
| # nat | |
| table ip6 nat6 { | |
| chain prerouting { | |
| type nat hook prerouting priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| chain input { | |
| type nat hook input priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| chain output { | |
| type nat hook output priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| chain postrouting { | |
| type nat hook postrouting priority 0; policy accept; | |
| counter comment "count accepted packets" | |
| } | |
| } | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment