dae linux nftables
旁路设备专用
unknown
sh
a year ago
4.6 kB
51
Indexable
#!/usr/sbin/nft -f
# This configuration file is customized by gk,
# Optimize nftables rules for local Magic server.
table inet router
flush table inet router
table inet router {
#
# Flowtable
#
flowtable ft {
hook ingress priority filter;
devices = { eth0 };
counter;
}
#
# Filter rules
#
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept comment "defconf: accept traffic from loopback"
ct state vmap { established : accept, related : accept } comment "defconf: handle inbound flows"
tcp flags syn / fin,syn,rst,ack counter jump syn_flood comment "defconf: rate limit TCP-SYN packets"
iifname "eth0" jump input_lan comment "defconf: handle LAN IPv4 / IPv6 input traffic"
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related flow add @ft comment "defconf: track forwarded flows"
ct state vmap { established : accept, related : accept } comment "defconf: handle forwarded flows"
iifname "eth0" jump forward_lan comment "defconf: handle LAN IPv4 / IPv6 forward traffic"
}
chain output {
type filter hook output priority filter; policy accept;
oif "lo" accept comment "defconf: accept traffic towards loopback"
ct state vmap { established : accept, related : accept } comment "defconf: handle outbound flows"
oifname "eth0" jump output_lan comment "defconf: handle LAN IPv4 / IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "eth0" jump helper_lan comment "defconf: handle LAN IPv4 / IPv6 helper assignment"
}
chain syn_flood {
limit rate 200/second burst 100 packets return comment "defconf: accept SYN packets below rate-limit"
counter drop comment "defconf: drop excess packets"
}
chain input_lan {
ct status dnat counter accept comment "lanconf: accept port redirect"
jump accept_from_lan
}
chain forward_lan {
ct status dnat counter accept comment "lanconf: accept port forward"
jump accept_to_lan
}
chain output_lan {
jump accept_to_lan
}
chain helper_lan {
}
chain accept_from_lan {
iifname "eth0" counter accept comment "defconf: accept LAN IPv4 / IPv6 traffic"
}
chain accept_to_lan {
meta nfproto ipv4 oifname "eth0" ct state invalid counter drop comment "defconf: prevent NATv4 leakage"
meta nfproto ipv6 oifname "eth0" ct state invalid counter drop comment "defconf: prevent NATv6 leakage"
oifname "eth0" counter accept comment "defconf: accept LAN IPv4 / IPv6 traffic"
}
#
# NAT rules
#
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
iifname "eth0" meta l4proto { tcp, udp } th dport domain jump dstnat_lan comment "defconf: handle LAN IPv4 / IPv6 dstnat traffic"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "eth0" jump srcnat_lan comment "defconf: handle LAN IPv4 / IPv6 srcnat traffic"
}
chain dstnat_lan {
meta nfproto ipv4 meta l4proto { tcp, udp } th dport domain counter comment "lanconf: LAN IPv4 DNS counter"
meta nfproto ipv6 meta l4proto { tcp, udp } th dport domain counter comment "lanconf: LAN IPv6 DNS counter"
}
chain srcnat_lan {
meta nfproto ipv4 counter masquerade comment "defconf: masquerade IPv4 LAN traffic"
meta nfproto ipv6 counter masquerade comment "defconf: masquerade IPv6 LAN traffic"
}
#
# Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
#
# Mangle rules
#
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
}
}
Editor is loading...
Leave a Comment