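# nftables ruleset for a small router: IPv4 NAT for a 10.0.0.0/24 LAN,
# a few port-forwards to inside hosts, and a stateful input filter.
# The "table inet filter" applies to IPv4 and IPv6 alike.

# Interfaces
define WAN = eth0
define LAN = lan0

# Services the router itself answers on (IANA: 22 ssh, 546 dhcpv6-client,
# 53 domain, 67 bootps).
define ROUTER_TCP_PORTS = { 22 }
define ROUTER_UDP_PORTS = { 546, 53, 67 }

# Ports forwarded (DNAT) from the WAN to inside hosts, see "table ip nat".
define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }   # -> 10.0.0.10
# define FACELESS_UDP_PORTS = { }
define DRAGON_TCP_PORTS = { 2221 }                    # -> 10.0.0.5
# define DRAGON_UDP_PORTS = { }

table inet filter {
    chain input {
        # Default-drop.  Same outcome as "policy accept" followed by a trailing
        # "drop", but the chain stays closed if that last rule is ever edited
        # out by mistake.
        type filter hook input priority filter; policy drop;

        iifname "lo" accept

        # Neighbour discovery, router advertisements, MLD and echo are accepted
        # before the "ct state invalid" drop so they get through even when
        # conntrack cannot classify them.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query } accept

        ct state { established, related } accept
        ct state invalid drop

        # All remaining ICMPv4 and ICMPv6 is accepted on every interface,
        # $WAN included.  This is what lets packet-too-big (PMTUD) in, but it
        # also admits echo and redirect messages from the outside.
        # NOTE(review): consider restricting the v4 side to the types the
        # router actually needs.
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Router-hosted services.  NOTE(review): these two rules have no
        # iifname match, so ssh (22), dns (53) and dhcpv4 (67) are reachable
        # from $WAN as well as $LAN.  If dns/dhcp are only meant for the LAN,
        # add "iifname $LAN" to the udp rule and keep a separate
        # "iifname $WAN udp dport 546 accept" for the DHCPv6 client replies,
        # so the router does not act as an open resolver.
        tcp dport $ROUTER_TCP_PORTS accept
        udp dport $ROUTER_UDP_PORTS accept
    }

    chain forward {
        # Was "policy accept; accept": every routed packet, including
        # unsolicited WAN->LAN traffic and all of IPv6 (which is not NATed
        # here), was forwarded unfiltered.  Now only reply traffic,
        # traffic entering on a non-WAN interface, and connections a DNAT
        # rule has redirected to an inside host cross the router.
        type filter hook forward priority filter; policy drop;

        ct state { established, related } accept
        ct state invalid drop

        # Anything entering on an interface other than the WAN (the LAN, and
        # any tunnel or container interfaces not visible in this file) keeps
        # unrestricted forwarding, so LAN->WAN traffic is unaffected.
        iifname != $WAN accept

        # From the WAN, only connections that a prerouting DNAT rule (in
        # "table ip nat" or "table ip io.systemd.nat") has already mapped to
        # an inside host.
        iifname $WAN ct status dnat accept

        # ICMPv6 error reporting and PMTUD towards LAN hosts must still work.
        iifname $WAN icmpv6 type { packet-too-big, time-exceeded, parameter-problem, destination-unreachable } accept
    }

    chain output {
        # Locally generated traffic is not filtered.
        type filter hook output priority filter; policy accept;
        accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Source-NAT everything leaving towards the LAN.  Presumably this is
        # here so hairpin connections (LAN client -> public address -> DNAT ->
        # LAN server) return through the router, but it also applies to
        # WAN-originated DNAT connections, so 10.0.0.10 / 10.0.0.5 log the
        # router's LAN address instead of the real client.
        # NOTE(review): "ip saddr 10.0.0.0/24 oifname $LAN masquerade" would
        # keep the hairpin case and preserve client addresses on the inside
        # hosts -- confirm nothing else depends on the broad rule first.
        oifname $LAN masquerade
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.10

        # Port-forwards; the forward chain above admits these via "ct status dnat".
        iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.10
        # iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.10
        iifname $WAN udp dport 60000-60009 dnat to 10.0.0.10

        iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.5
        # iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.5
        iifname $WAN udp dport 60020-60029 dnat to 10.0.0.5
    }
}

# the following two blocks were generated by restarting systemd-networkd and
# dumping nftables

# nat ipv4 for lan
table ip io.systemd.nat {
    # Source prefixes to masquerade on the way out.
    set masq_saddr {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/24 }
    }

    # (proto . port) -> (inside addr . port).  No elements are listed here;
    # presumably systemd-networkd populates it at runtime.
    map map_port_ipport {
        type inet_proto . inet_service : ipv4_addr . inet_service
    }

    # Runs just after the "table ip nat" prerouting chain (dstnat + 1), so
    # packets already rewritten there no longer have a local daddr and are
    # not mapped a second time.
    chain prerouting {
        type nat hook prerouting priority dstnat + 1; policy accept;
        fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
    }

    # Same mapping for locally generated traffic, excluding loopback.
    chain output {
        type nat hook output priority -99; policy accept;
        ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        ip saddr @masq_saddr masquerade
    }
}

# nat ipv6 for lan (probably unnecessary?)
# table ip6 io.systemd.nat {
#     set masq_saddr {
#         type ipv6_addr
#         flags interval
#     }
#
#     map map_port_ipport {
#         type inet_proto . inet_service : ipv6_addr . inet_service
#     }
#
#     chain prerouting {
#         type nat hook prerouting priority dstnat + 1; policy accept;
#         fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
#     }
#
#     chain output {
#         type nat hook output priority -99; policy accept;
#         ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
#     }
#
#     chain postrouting {
#         type nat hook postrouting priority srcnat + 1; policy accept;
#         ip6 saddr @masq_saddr masquerade
#     }
# }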