dae linux nftables

旁路设备专用
mail@pastecode.io avatar
unknown
sh
a month ago
4.6 kB
36
Indexable
Never
#!/usr/sbin/nft -f

# This configuration file is customized by gk,
# Optimize nftables rules for local Magic server.

table inet router
flush table inet router

table inet router {
    #
    # Flowtable
    #

    flowtable ft {
        hook ingress priority filter;
        devices = { eth0 };
        counter;
    }


    #
    # Filter rules
    #

    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept comment "defconf: accept traffic from loopback"
        ct state vmap { established : accept, related : accept } comment "defconf: handle inbound flows"
        tcp flags syn / fin,syn,rst,ack counter jump syn_flood comment "defconf: rate limit TCP-SYN packets"
        iifname "eth0" jump input_lan comment "defconf: handle LAN IPv4 / IPv6 input traffic"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related flow add @ft comment "defconf: track forwarded flows"
        ct state vmap { established : accept, related : accept } comment "defconf: handle forwarded flows"
        iifname "eth0" jump forward_lan comment "defconf: handle LAN IPv4 / IPv6 forward traffic"
    }

    chain output {
        type filter hook output priority filter; policy accept;
        oif "lo" accept comment "defconf: accept traffic towards loopback"
        ct state vmap { established : accept, related : accept } comment "defconf: handle outbound flows"
        oifname "eth0" jump output_lan comment "defconf: handle LAN IPv4 / IPv6 output traffic"
    }

    chain prerouting {
        type filter hook prerouting priority filter; policy accept;
        iifname "eth0" jump helper_lan comment "defconf: handle LAN IPv4 / IPv6 helper assignment"
    }

    chain syn_flood {
        limit rate 200/second burst 100 packets return comment "defconf: accept SYN packets below rate-limit"
        counter drop comment "defconf: drop excess packets"
    }

    chain input_lan {
        ct status dnat counter accept comment "lanconf: accept port redirect"
        jump accept_from_lan
    }

    chain forward_lan {
        ct status dnat counter accept comment "lanconf: accept port forward"
        jump accept_to_lan
    }

    chain output_lan {
        jump accept_to_lan
    }

    chain helper_lan {
    }

    chain accept_from_lan {
        iifname "eth0" counter accept comment "defconf: accept LAN IPv4 / IPv6 traffic"
    }

    chain accept_to_lan {
        meta nfproto ipv4 oifname "eth0" ct state invalid counter drop comment "defconf: prevent NATv4 leakage"
        meta nfproto ipv6 oifname "eth0" ct state invalid counter drop comment "defconf: prevent NATv6 leakage"
        oifname "eth0" counter accept comment "defconf: accept LAN IPv4 / IPv6 traffic"
    }


    #
    # NAT rules
    #

    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" meta l4proto { tcp, udp } th dport domain jump dstnat_lan comment "defconf: handle LAN IPv4 / IPv6 dstnat traffic"
    }

    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" jump srcnat_lan comment "defconf: handle LAN IPv4 / IPv6 srcnat traffic"
    }

    chain dstnat_lan {
        meta nfproto ipv4 meta l4proto { tcp, udp } th dport domain counter comment "lanconf: LAN IPv4 DNS counter"
        meta nfproto ipv6 meta l4proto { tcp, udp } th dport domain counter comment "lanconf: LAN IPv6 DNS counter"
    }

    chain srcnat_lan {
        meta nfproto ipv4 counter masquerade comment "defconf: masquerade IPv4 LAN traffic"
        meta nfproto ipv6 counter masquerade comment "defconf: masquerade IPv6 LAN traffic"
    }


    #
    # Raw rules (notrack)
    #

    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
    }

    chain raw_output {
        type filter hook output priority raw; policy accept;
    }


    #
    # Mangle rules
    #

    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
    }

    chain mangle_postrouting {
        type filter hook postrouting priority mangle; policy accept;
    }

    chain mangle_input {
        type filter hook input priority mangle; policy accept;
    }

    chain mangle_output {
        type route hook output priority mangle; policy accept;
    }

    chain mangle_forward {
        type filter hook forward priority mangle; policy accept;
    }

}
Leave a Comment