# Interface roles, referenced as $WAN / $LAN by the rules below.
define WAN = eth0
define LAN = lan0

# TCP ports belonging to the "faceless" host (the commented-out DNAT examples
# in table ip nat map these four ports to 10.0.0.10).
# NOTE(review): the active DNAT rule uses a literal { 443, 80 } rather than
# this set, so 2222 and 2200 are listed here but not forwarded by any
# active rule — the define and the rule can silently drift apart.
define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
# define FACELESS_UDP_PORTS = 60000-60009

# TCP ports belonging to the "dragon" host (commented-out examples map 2221
# to 10.0.0.5:22). Not referenced by any active rule in this file.
define DRAGON_TCP_PORTS = { 2221 }
# define DRAGON_UDP_PORTS = 60020-60029
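# Host firewall for the router itself plus the forwarding policy.
# "inet" covers both IPv4 and IPv6 in one table.
table inet filter {
	chain input {
		# Default-deny. The original reached the same result with
		# "policy accept" followed by an unconditional "drop" as the last
		# rule; an explicit drop policy keeps that guarantee even if the
		# trailing rule is later edited away or a rule is appended after it.
		type filter hook input priority filter; policy drop;

		iifname "lo" accept
		ct state { established, related } accept
		ct state invalid drop

		# ICMP and ICMPv6 are accepted unconditionally (ICMPv6 carries
		# neighbour discovery, so blocking it breaks IPv6 on the link).
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept

		# SSH to the router itself. This matches on every interface,
		# including $WAN. NOTE(review): if WAN-side SSH is not required,
		# restrict with `iifname $LAN tcp dport { 22 } accept`, or add a
		# rate limit; as written, the WAN side is open to password/key
		# guessing against sshd.
		tcp dport { 22 } accept

		# 546: DHCPv6 client replies (needed on $WAN); 53/67: DNS and DHCP
		# service. NOTE(review): 53 and 67 are also reachable from $WAN with
		# this rule — if they only serve the LAN, split them out as
		# `iifname $LAN udp dport { 53, 67 } accept`.
		udp dport { 546, 53, 67 } accept
	}

	chain forward {
		# Forwards everything that the kernel would route. NOTE(review): for
		# a router with a $WAN side the usual shape is a drop policy with
		# explicit accepts for iifname $LAN, ct status dnat, and
		# established/related traffic; kept as accept-all here because the
		# full set of interfaces is not known from this file. Invalid
		# conntrack states are dropped so the forward path matches input.
		type filter hook forward priority filter; policy accept;
		ct state invalid drop
		accept
	}

	chain output {
		# Locally generated traffic is unrestricted.
		type filter hook output priority filter; policy accept;
		accept
	}
}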
# Hand-written IPv4 NAT (port forwards and masquerade). systemd-networkd
# installs its own NAT tables alongside this one (see io.systemd.nat below).
table ip nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		# Rewrites the source address of packets leaving towards $LAN (lan0).
		# NOTE(review): SNAT for LAN clients reaching the outside is already
		# done by io.systemd.nat (ip saddr @masq_saddr, 10.0.0.0/24), so this
		# rule would instead hide the original client address from LAN hosts
		# receiving DNAT'd connections (10.0.0.10 would log the router as the
		# peer). If this is deliberate hairpin NAT, say so here; otherwise
		# `oifname $WAN` is the usual target — confirm which was intended.
		oifname $LAN masquerade
	}

	chain prerouting {
		# priority -100 runs ahead of the systemd map at dstnat + 1.
		type nat hook prerouting priority -100; policy accept;

		# Per-port examples for the "dragon" host (disabled).
		# ip daddr 10.0.0.1 tcp dport ( 2221 ) dnat to 10.0.0.5:22
		# ip daddr 10.0.0.1 udp dport ( 60020 ) dnat to 10.0.0.5:60020
		# ip daddr 10.0.0.1 udp dport ( 60021 ) dnat to 10.0.0.5:60021

		# Per-port examples for the "faceless" host (disabled).
		# ip daddr 10.0.0.1 tcp dport ( 80 ) dnat to 10.0.0.10:80
		# ip daddr 10.0.0.1 tcp dport ( 443 ) dnat to 10.0.0.10:443
		# ip daddr 10.0.0.1 tcp dport ( 2222 ) dnat to 10.0.0.10:2222
		# ip daddr 10.0.0.1 tcp dport ( 2200 ) dnat to 10.0.0.10:22

		# Forward HTTP/HTTPS arriving on $WAN to the web host; the port is
		# preserved because no destination port is given.
		# NOTE(review): the literal set is a subset of $FACELESS_TCP_PORTS
		# (which also lists 2222 and 2200); using a literal here means the
		# define is not the single source of truth for what is exposed.
		iifname $WAN tcp dport { 443, 80 } dnat to 10.0.0.10

		# Hairpin variant for clients on the LAN (disabled).
		# iifname "lan0" tcp dport { 443, 80 } dnat to 10.0.0.10
	}
}
# the following two blocks were generated by restarting systemd-networkd and
# dumping nftables
# nat ipv4 for lan
# Copy of the IPv4 NAT table that systemd-networkd generates (see comment
# above). NOTE(review): keeping a copy of a tool-managed table in a
# hand-loaded ruleset means the two can diverge; whether this file is loaded
# with `flush ruleset` (which would replace networkd's live table) or
# appended to it cannot be told from here — confirm the load procedure.
table ip io.systemd.nat {
	# Source networks to masquerade; 10.0.0.0/24 is the LAN.
	set masq_saddr {
		type ipv4_addr
		flags interval
		elements = { 10.0.0.0/24 }
	}

	# proto . port -> addr . port lookup used by the dnat rules. No elements
	# are listed here, so as written the two dnat rules below match nothing
	# until something populates the map.
	map map_port_ipport {
		type inet_proto . inet_service : ipv4_addr . inet_service
	}

	chain prerouting {
		# dstnat + 1: runs after the hand-written table ip nat prerouting.
		type nat hook prerouting priority dstnat + 1; policy accept;
		# Only traffic addressed to a local address of this host is mapped.
		fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain output {
		type nat hook output priority -99; policy accept;
		# Same mapping for locally generated traffic, excluding loopback
		# destinations.
		ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip saddr @masq_saddr masquerade
	}
}
# nat ipv6 for lan (probably unnecessary?)
# Copy of the IPv6 NAT table that systemd-networkd generates. Both the set
# and the map are empty here, so none of these rules match anything as
# written; the table is effectively inert unless networkd fills them in.
table ip6 io.systemd.nat {
	# No elements: the masquerade rule below never matches as written.
	set masq_saddr {
		type ipv6_addr
		flags interval
	}

	# No elements: the dnat rules below never match as written.
	map map_port_ipport {
		type inet_proto . inet_service : ipv6_addr . inet_service
	}

	chain prerouting {
		type nat hook prerouting priority dstnat + 1; policy accept;
		fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain output {
		type nat hook output priority -99; policy accept;
		ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
	}

	chain postrouting {
		type nat hook postrouting priority srcnat + 1; policy accept;
		ip6 saddr @masq_saddr masquerade
	}
}