46 lines
1.2 KiB
Plaintext
46 lines
1.2 KiB
Plaintext
|
#!/usr/sbin/nft -f
|
||
|
|
|
||
|
|
flush ruleset
|
||
|
|
|
||
|
|
table inet filter {
|
||
|
|
chain input {
|
||
|
|
type filter hook input priority 0; policy drop;
|
||
|
|
log prefix "Dropped Input: " level debug
|
||
|
|
iif lo accept
|
||
|
|
ct state established,related accept
|
||
|
|
tcp dport { 22,514,53,80,443,2024,445,139,88 } accept
|
||
|
|
udp dport { 53,123,500,4500,88,137 } accept
|
||
|
|
ip protocol icmp accept
|
||
|
|
ip protocol esp accept
|
||
|
|
ip protocol gre accept
|
||
|
|
ip protocol ospf accept
|
||
|
|
}
|
||
|
|
chain forward {
|
||
|
|
type filter hook forward priority 0; policy drop;
|
||
|
|
log prefix "Dropped forward: " level debug
|
||
|
|
iif lo accept
|
||
|
|
ct state established,related accept
|
||
|
|
tcp dport { 22,514,53,80,443,2024,445,139,88 } accept
|
||
|
|
udp dport { 53,123,500,4500,88,137 } accept
|
||
|
|
ip protocol icmp accept
|
||
|
|
ip protocol esp accept
|
||
|
|
ip protocol gre accept
|
||
|
|
ip protocol ospf accept
|
||
|
|
}
|
||
|
|
chain output {
|
||
|
|
type filter hook output priority 0; policy accept;
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
table inet nat {
|
||
|
|
chain prerouting {
|
||
|
|
type nat hook prerouting priority filter; policy accept
|
||
|
|
ip daddr 172.16.4.2 tcp dport 2024 dnat ip to 192.168.100.2:2024
|
||
|
|
}
|
||
|
|
chain postrouting {
|
||
|
|
type nat hook postrouting priority srcnat
|
||
|
|
|
||
|
|
oif "ens18" ip saddr { 192.168.100.0/26, 192.168.10.0/28 } masquerade
|
||
|
|
}
|
||
|
|
}
|