router/nftables.conf


define WAN = wan0
define LAN = lan0
define VPN = wg-vpn
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept
ct state invalid drop
ct state { established, related } accept
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
ip protocol icmpv6 accept
ip protocol icmp accept
meta l4proto ipv6-icmp accept
# do these need ipv6-specific entries, too? (this table is family inet, so the tcp/udp dport rules below already match both IPv4 and IPv6)
tcp dport { 51821, 22, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
udp dport { 60000-60009 } accept comment "allow mosh common ports"
drop
}
chain forward {
type filter hook forward priority filter; policy accept;
accept
}
chain output {
type filter hook output priority filter; policy accept;
accept
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname $LAN masquerade
}
chain prerouting {
type nat hook prerouting priority -100; policy accept;
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.210
iifname $LAN accept
# faceless
# allow HTTP, HTTPS, Gitea's SSH, and host SSH to faceless
iifname $WAN tcp dport { 443, 80, 2222, 2200 } dnat to 10.0.0.210
# allow mosh
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
# allow host ssh
iifname $WAN tcp dport { 2221, 5588, 5555 } dnat to 10.0.0.10
# allow mosh
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
# ourcraft
iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
}
}
# IPv4 NAT for the LAN
table ip io.systemd.nat {
set masq_saddr {
type ipv4_addr
flags interval
elements = { 10.0.0.0/24 }
}
map map_port_ipport {
type inet_proto . inet_service : ipv4_addr . inet_service
}
chain prerouting {
type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
}
chain output {
type nat hook output priority -99; policy accept;
ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
}
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
ip saddr @masq_saddr masquerade
}
}
table ip6 io.systemd.nat {
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept
ct state invalid drop
ct state { established, related } accept
# icmpv6 accept
# icmp accept
meta l4proto ipv6-icmp accept
tcp dport { 51821, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
udp dport { 60000-60009 } accept comment "allow mosh common ports"
drop
}
chain forward {
type filter hook forward priority filter; policy accept;
accept
}
chain output {
type filter hook output priority filter; policy accept;
accept
}
}