router/nftables.conf
2023-07-17 18:09:47 +00:00

109 lines
3.1 KiB
Text
Executable file

define WAN = wan0
define LAN = lan0
define VPN = wg-vpn
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
iifname "lo" accept
ct state invalid drop
ct state { established, related } accept
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
ip protocol icmpv6 accept
ip protocol icmp accept
meta l4proto ipv6-icmp accept
# do these need ipv6-specific entries, too?
tcp dport { 64022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
udp dport { 64020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
udp dport { 60000-60009 } accept
udp dport dhcpv6-client accept
drop
}
chain forward {
type filter hook forward priority filter; policy accept;
accept
}
chain output {
type filter hook output priority filter; policy accept;
accept
}
}
table ip nat {
set masq_saddr {
type ipv4_addr
flags interval
elements = { 10.0.0.0/8 }
}
map map_port_ipport {
type inet_proto . inet_service : ipv4_addr . inet_service
}
chain prerouting {
iifname $LAN accept
type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
# chromebox
iifname $WAN tcp dport { 443, 80, 22, 8008, 8448, 7777 } dnat to 10.0.0.5
iifname $WAN udp dport { 7777 } dnat to 10.0.0.5
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.5
# old dragon?
# iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
# iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
iifname $WAN tcp dport { 10578, 5588, 5589 } dnat to 10.0.0.11
iifname $WAN udp dport { 10578 } dnat to 10.0.0.11
# dragon reinstall?
iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
iifname $WAN udp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
# iifname $WAN udp dport 9876-9877 dnat to 10.0.0.10 # valheim
# beefcake (ben access)
iifname $WAN tcp dport { 64022 } dnat to 10.0.0.9
iifname $WAN udp dport { 64020 } dnat to 10.0.0.9
# mnemonic
iifname $WAN tcp dport { 8022 } dnat to 10.0.0.248
# ourcraft
iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
# router
iifname $WAN tcp dport { 2201 } dnat to 10.0.0.1
iifname $WAN udp dport { 2201 } dnat to 10.0.0.1
}
chain output {
type nat hook output priority -99; policy accept;
ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
}
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
oifname $LAN masquerade
ip saddr @masq_saddr masquerade
}
}
# table ip filter {
# chain output {
# type filter hook output priority 100; policy accept;
# }
#
# chain input {
# type filter hook input priority 0; policy accept;
# }
#
# chain forward {
# type filter hook forward priority 0; policy accept;
# }
# }
#