首頁 探索 說明
註冊 登入
jerrita
/
nix-router
1
0
複刻 0
Files 問題管理 0 合併請求 0 Wiki
目錄樹: 9b5b2baf36
分支列表 標籤列表
nix-router
/
networking
/
firewall.nft

firewall.nft 2.3 KB
文件歷史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263 
  1. #!/usr/sbin/nft -f
    2. 

  2. 

  3. table inet global {
    4. 

  4.     flowtable f {
    5. 

  5.         hook ingress priority 0;
    6. 

  6.         devices = { ppp0, lan };
    7. 

  7.     }
    8. 

  8. 

  9.     chain input {
    10. 

  10.         type filter hook input priority filter; policy drop;
    11. 

  11. 

  12.         iifname lo accept
    13. 

  13.         iifname lan counter accept
    14. 

  14. 

  15.         # iifname ppp0 udp dport { 546, 547 } accept  # IPv6 PD
    16. 

  16.         ip6 nexthdr icmpv6 icmpv6 type nd-router-solicit counter accept
    17. 

  17.         ip6 nexthdr icmpv6 icmpv6 type nd-router-advert counter accept
    18. 

  18.         udp dport dhcpv6-client udp sport dhcpv6-server counter accept comment "IPv6 DHCP"
    19. 

  19.         ct state { established, related } counter accept
    20. 

  20.         iifname ppp0 counter drop
    21. 

  21.     }
    22. 

  22. 

  23.     chain forward {
    24. 

  24.         type filter hook forward priority filter; policy drop;
    25. 

  25.         # clamp MSS to PMTU
    26. 

  26.         tcp flags syn tcp option maxseg size set rt mtu
    27. 

  27.         # ip6 nexthdr tcp tcp flags syn tcp option maxseg size set rt mtu
    28. 

  28. 

  29.         ip protocol { tcp, udp } flow offload @f
    30. 

  30.         ip6 nexthdr { tcp, udp } flow offload @f
    31. 

  31. 

  32.         iifname lan counter accept comment "Allow lan -> *"
    33. 

  33.         iifname ppp0 oifname lan ct state { established, related } counter accept comment "Allow established back to lan"
    34. 

  34.         iifname ppp0 oifname lan counter drop
    35. 

  35.     }
    36. 

  36. 

  37.     chain postrouting {
    38. 

  38.         type nat hook postrouting priority filter; policy accept;
    39. 

  39.         ip saddr 192.168.5.0/24 oifname ppp0 counter masquerade
    40. 

  40.     }
    41. 

  41. }
    42. 

  42. 

  43. 

  44. table ip clash {
    45. 

  45.     chain prerouting {
    46. 

  46.         type nat hook prerouting priority filter; policy accept;
    47. 

  47.         meta skuid clash counter return
    48. 

  48.         ip daddr 198.18.0.0/16 tcp dport 1-65535 counter redirect to :7893 comment "!chnroute -> clash (tcp)"
    49. 

  49.         ip daddr 198.18.0.0/16 udp dport 1-65535 meta mark set 0x233 tproxy to :7894 counter accept comment "!chnroute -> clash (udp)"
    50. 

  50.     }
    51. 

  51. 

  52.     chain output {
    53. 

  53.         type nat hook output priority mangle; policy accept;
    54. 

  54.         meta skuid clash counter return
    55. 

  55.         ip daddr 198.18.0.0/16 tcp dport 1-65535 counter redirect to :7893 comment "!chnroute -> clash (tcp) [local]"
    56. 

  56.         ip daddr 198.18.0.0/16 udp dport 1-65535 meta mark set 0x233 counter comment "!chnroute -> clash (udp) [local]"
    57. 

  57.     }
    58. 

  58. 

  59.     chain divert {
    60. 

  60.         type filter hook prerouting priority mangle; policy accept;
    61. 

  61.         ip protocol tcp socket transparent 1 meta mark set 0x233 counter accept
    62. 

  62.     }
    63. 

  63. }
    64.