dae linux nftables
旁路设备专用unknown
sh
a year ago
4.6 kB
51
Indexable
#!/usr/sbin/nft -f # This configuration file is customized by gk, # Optimize nftables rules for local Magic server. table inet router flush table inet router table inet router { # # Flowtable # flowtable ft { hook ingress priority filter; devices = { eth0 }; counter; } # # Filter rules # chain input { type filter hook input priority filter; policy drop; iif "lo" accept comment "defconf: accept traffic from loopback" ct state vmap { established : accept, related : accept } comment "defconf: handle inbound flows" tcp flags syn / fin,syn,rst,ack counter jump syn_flood comment "defconf: rate limit TCP-SYN packets" iifname "eth0" jump input_lan comment "defconf: handle LAN IPv4 / IPv6 input traffic" } chain forward { type filter hook forward priority filter; policy drop; ct state established,related flow add @ft comment "defconf: track forwarded flows" ct state vmap { established : accept, related : accept } comment "defconf: handle forwarded flows" iifname "eth0" jump forward_lan comment "defconf: handle LAN IPv4 / IPv6 forward traffic" } chain output { type filter hook output priority filter; policy accept; oif "lo" accept comment "defconf: accept traffic towards loopback" ct state vmap { established : accept, related : accept } comment "defconf: handle outbound flows" oifname "eth0" jump output_lan comment "defconf: handle LAN IPv4 / IPv6 output traffic" } chain prerouting { type filter hook prerouting priority filter; policy accept; iifname "eth0" jump helper_lan comment "defconf: handle LAN IPv4 / IPv6 helper assignment" } chain syn_flood { limit rate 200/second burst 100 packets return comment "defconf: accept SYN packets below rate-limit" counter drop comment "defconf: drop excess packets" } chain input_lan { ct status dnat counter accept comment "lanconf: accept port redirect" jump accept_from_lan } chain forward_lan { ct status dnat counter accept comment "lanconf: accept port forward" jump accept_to_lan } chain output_lan { jump accept_to_lan } chain helper_lan { } chain accept_from_lan { iifname "eth0" counter accept comment "defconf: accept LAN IPv4 / IPv6 traffic" } chain accept_to_lan { meta nfproto ipv4 oifname "eth0" ct state invalid counter drop comment "defconf: prevent NATv4 leakage" meta nfproto ipv6 oifname "eth0" ct state invalid counter drop comment "defconf: prevent NATv6 leakage" oifname "eth0" counter accept comment "defconf: accept LAN IPv4 / IPv6 traffic" } # # NAT rules # chain dstnat { type nat hook prerouting priority dstnat; policy accept; iifname "eth0" meta l4proto { tcp, udp } th dport domain jump dstnat_lan comment "defconf: handle LAN IPv4 / IPv6 dstnat traffic" } chain srcnat { type nat hook postrouting priority srcnat; policy accept; oifname "eth0" jump srcnat_lan comment "defconf: handle LAN IPv4 / IPv6 srcnat traffic" } chain dstnat_lan { meta nfproto ipv4 meta l4proto { tcp, udp } th dport domain counter comment "lanconf: LAN IPv4 DNS counter" meta nfproto ipv6 meta l4proto { tcp, udp } th dport domain counter comment "lanconf: LAN IPv6 DNS counter" } chain srcnat_lan { meta nfproto ipv4 counter masquerade comment "defconf: masquerade IPv4 LAN traffic" meta nfproto ipv6 counter masquerade comment "defconf: masquerade IPv6 LAN traffic" } # # Raw rules (notrack) # chain raw_prerouting { type filter hook prerouting priority raw; policy accept; } chain raw_output { type filter hook output priority raw; policy accept; } # # Mangle rules # chain mangle_prerouting { type filter hook prerouting priority mangle; policy accept; } chain mangle_postrouting { type filter hook postrouting priority mangle; policy accept; } chain mangle_input { type filter hook input priority mangle; policy accept; } chain mangle_output { type route hook output priority mangle; policy accept; } chain mangle_forward { type filter hook forward priority mangle; policy accept; } }
Editor is loading...
Leave a Comment