
# Interface names referenced by the rules below.
define WAN = wan0      # uplink: port forwards in table ip nat match on this
define LAN = lan0      # inside network: masqueraded on egress in postrouting
define VPN = wg-vpn    # presumably the WireGuard interface -- confirm against the wg config
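table inet filter {
    # Traffic addressed to the router itself. Default-deny via the chain
    # policy rather than a trailing "drop" rule, so the host can never be
    # left open if the rule list is edited down to nothing.
    chain input {
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state invalid drop
        ct state { established, related } accept

        # ICMPv6: only the types needed for neighbour/router discovery,
        # MLD, PMTU and basic diagnostics. No blanket
        # "meta l4proto ipv6-icmp accept" follows, as that would make this
        # allow-list meaningless. ("ip protocol icmpv6" matched the IPv4
        # protocol field and was effectively dead; it is gone.)
        icmpv6 type {
            echo-request,
            nd-neighbor-solicit, nd-neighbor-advert,
            nd-router-solicit, nd-router-advert,
            mld-listener-query,
            destination-unreachable, packet-too-big,
            time-exceeded, parameter-problem
        } accept
        # ICMPv4: every type is accepted, as before.
        ip protocol icmp accept

        # In the inet family "tcp dport" / "udp dport" match both IPv4 and
        # IPv6 packets, so no separate IPv6 entries are needed.

        # Services reachable on every interface, WAN included. Of these,
        # 22, 2221, 25565 and 34197 arriving on $WAN are DNATed away in
        # table ip nat before they reach this chain.
        tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept
        udp dport { 51821, 51820, 34197 } accept
        udp dport 60000-60009 accept

        # DNS and DHCP are LAN/VPN services: keeping them off the uplink
        # stops the router acting as an open resolver or answering DHCP
        # requests on $WAN.
        iifname != $WAN tcp dport { 53, 67 } accept
        iifname != $WAN udp dport { 53, 67 } accept
        udp dport dhcpv6-client accept
    }

    # Routed traffic. An accept-everything forward chain left every LAN
    # host with a global IPv6 address reachable from the Internet on all
    # ports; the IPv4 side was only shielded by its private addressing.
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        ct state { established, related } accept

        # Connections originating on the LAN or the VPN may go anywhere.
        iifname $LAN accept
        iifname $VPN accept

        # Inbound connections only where table ip nat has already DNATed
        # them (the per-host port forwards).
        ct status dnat accept
    }

    # Locally generated traffic is unrestricted.
    chain output {
        type filter hook output priority filter; policy accept;
        accept
    }
}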
table ip nat {
    # IPv4 sources that are masqueraded on egress, whatever the interface.
    set masq_saddr {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8 }
    }

    # proto . port -> host . port. Empty in this file; the prerouting and
    # output rules consult it, so presumably something populates it at
    # run time -- not visible here.
    map map_port_ipport {
        type inet_proto . inet_service : ipv4_addr . inet_service
    }

    chain prerouting {
        type nat hook prerouting priority dstnat + 1; policy accept;

        # LAN-originated traffic is never DNATed, so there is no hairpin
        # NAT for the forwards below.
        iifname $LAN accept
        fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport

        # faceless
        iifname $WAN tcp dport { 22, 80, 443 } dnat to 10.0.0.210
        iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
        # dragon
        iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
        iifname $WAN udp dport { 9876-9877, 60020-60029 } dnat to 10.0.0.10
        # ourcraft
        iifname $WAN meta l4proto { tcp, udp } th dport { 25565, 34197 } dnat to 10.0.0.244
    }

    chain output {
        type nat hook output priority -99; policy accept;
        # Locally generated traffic leaving via "lo" to a non-loopback
        # address gets the same proto/port map as prerouting.
        ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        # NOTE(review): masquerading everything that leaves on the LAN side
        # rewrites the source of the DNATed WAN connections to the router's
        # address, so faceless/dragon/ourcraft log the router rather than
        # the real client. Confirm this is intended; if it only exists for
        # VPN -> LAN reachability it could be narrowed with "iifname $VPN".
        oifname $LAN masquerade
        ip saddr @masq_saddr masquerade
    }
}
# table ip filter {
# chain output {
# type filter hook output priority 100; policy accept;
# }
#
# chain input {
# type filter hook input priority 0; policy accept;
# }
#
# chain forward {
# type filter hook forward priority 0; policy accept;
# }
# }
#