{ "nftables": [ { "metainfo": { "version": "1.1.6", "release_name": "Commodore Bullmoose #7", "json_schema_version": 1 } }, { "table": { "family": "inet", "name": "firewall", "handle": 42 } }, { "chain": { "family": "inet", "table": "firewall", "name": "input", "handle": 1, "type": "filter", "hook": "input", "prio": 0, "policy": "drop" } }, { "chain": { "family": "inet", "table": "firewall", "name": "forward", "handle": 2, "type": "filter", "hook": "forward", "prio": 0, "policy": "drop" } }, { "chain": { "family": "inet", "table": "firewall", "name": "zone_wan_input", "handle": 3 } }, { "chain": { "family": "inet", "table": "firewall", "name": "zone_wan_forward", "handle": 4 } }, { "chain": { "family": "inet", "table": "firewall", "name": "zone_lan_input", "handle": 5 } }, { "chain": { "family": "inet", "table": "firewall", "name": "zone_lan_forward", "handle": 6 } }, { "chain": { "family": "inet", "table": "firewall", "name": "output", "handle": 7, "type": "filter", "hook": "output", "prio": 0, "policy": "accept" } }, { "set": { "family": "inet", "name": "port_forward_v6", "table": "firewall", "type": [ "inet_proto", "ipv6_addr", "inet_service" ], "handle": 8, "elem": [ { "concat": [ "tcp", "2600:1700:115f:300f::11:1", 22000 ] }, { "concat": [ "udp", "2600:1700:115f:300f::11:1", 22000 ] } ] } }, { "set": { "family": "inet", "name": "cloudflare_forward_v6", "table": "firewall", "type": "ipv6_addr", "handle": 9, "elem": [ "2600:1700:115f:300f::11:1" ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 10, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": "wan" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": "fe80::be24:11ff:fe83:d8de" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "icmpv6", "field": "type" } }, "right": "nd-router-advert" } }, { "log": { "prefix": "self radvt: " } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 11, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 13, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "nexthdr" } }, "right": "ipv6-icmp" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": { "set": [ { "prefix": { "addr": "2600:1700:115f:3000::", "len": 60 } }, { "prefix": { "addr": "fe80::", "len": 10 } } ] } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 14, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "nexthdr" } }, "right": "ipv6-icmp" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "daddr" } }, "right": { "prefix": { "addr": "fe80::", "len": 10 } } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 15, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iif" } }, "right": "lo" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 18, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "daddr" } }, "right": { "set": [ { "prefix": { "addr": "fe80::", "len": 10 } }, { "prefix": { "addr": "ff02::", "len": 16 } } ] } } }, { "match": { "op": "==", "left": { "payload": { "protocol": "th", "field": "dport" } }, "right": { "set": [ 546, 547 ] } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 19, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": 22 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 20, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": 51944 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 21, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": "wan" } }, { "jump": { "target": "zone_wan_input" } } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 23, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": { "set": [ "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" ] } } }, { "jump": { "target": "zone_lan_input" } } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "input", "handle": 25, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": { "set": [ { "prefix": { "addr": "2600:1700:115f:3000::", "len": 64 } }, { "prefix": { "addr": "2600:1700:115f:300d::", "len": 64 } } ] } } }, { "jump": { "target": "zone_lan_input" } } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "forward", "handle": 26, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "state" } }, "right": [ "established", "related" ] } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "forward", "handle": 27, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": "wan" } }, { "jump": { "target": "zone_wan_forward" } } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "forward", "handle": 29, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "iifname" } }, "right": { "set": [ "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" ] } } }, { "jump": { "target": "zone_lan_forward" } } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "forward", "handle": 31, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": { "set": [ { "prefix": { "addr": "2600:1700:115f:3000::", "len": 64 } }, { "prefix": { "addr": "2600:1700:115f:300d::", "len": 64 } } ] } } }, { "jump": { "target": "zone_lan_forward" } } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_wan_forward", "handle": 32, "expr": [ { "match": { "op": "in", "left": { "ct": { "key": "status" } }, "right": "dnat" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_wan_forward", "handle": 33, "expr": [ { "match": { "op": "==", "left": { "concat": [ { "meta": { "key": "l4proto" } }, { "payload": { "protocol": "ip6", "field": "daddr" } }, { "payload": { "protocol": "th", "field": "dport" } } ] }, "right": "@port_forward_v6" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_wan_forward", "handle": 35, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": { "set": [ { "prefix": { "addr": "2400:cb00::", "len": 32 } }, { "prefix": { "addr": "2405:8100::", "len": 32 } }, { "prefix": { "addr": "2405:b500::", "len": 32 } }, { "prefix": { "addr": "2606:4700::", "len": 32 } }, { "prefix": { "addr": "2803:f800::", "len": 32 } }, { "prefix": { "addr": "2a06:98c0::", "len": 29 } }, { "prefix": { "addr": "2c0f:f248::", "len": 32 } } ] } } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "daddr" } }, "right": "@cloudflare_forward_v6" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "th", "field": "dport" } }, "right": 443 } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_lan_input", "handle": 36, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "nexthdr" } }, "right": "ipv6-icmp" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_lan_input", "handle": 37, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "protocol" } }, "right": "icmp" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_lan_input", "handle": 39, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "tcp", "field": "dport" } }, "right": { "set": [ 22, 443 ] } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_lan_input", "handle": 41, "expr": [ { "match": { "op": "==", "left": { "payload": { "protocol": "udp", "field": "dport" } }, "right": { "set": [ 53, 67, 443, 547 ] } } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_lan_forward", "handle": 42, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifname" } }, "right": "wan" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip6", "field": "saddr" } }, "right": { "prefix": { "addr": "fd00::", "len": 8 } } } }, { "drop": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_lan_forward", "handle": 43, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifname" } }, "right": "wan" } }, { "accept": null } ] } }, { "rule": { "family": "inet", "table": "firewall", "chain": "zone_lan_forward", "handle": 45, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifname" } }, "right": { "set": [ "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" ] } } }, { "accept": null } ] } }, { "table": { "family": "ip", "name": "nat4", "handle": 43 } }, { "chain": { "family": "ip", "table": "nat4", "name": "prerouting", "handle": 1, "type": "nat", "hook": "prerouting", "prio": -100, "policy": "accept" } }, { "chain": { "family": "ip", "table": "nat4", "name": "postrouting", "handle": 2, "type": "nat", "hook": "postrouting", "prio": 100, "policy": "accept" } }, { "map": { "family": "ip", "name": "port_forward", "table": "nat4", "type": [ "inet_proto", "inet_service" ], "handle": 3, "map": [ "ipv4_addr", "inet_service" ], "elem": [ [ { "concat": [ "udp", 35848 ] }, { "concat": [ "10.17.1.250", 35848 ] } ], [ { "concat": [ "udp", 37138 ] }, { "concat": [ "10.17.10.31", 37138 ] } ], [ { "concat": [ "udp", 40993 ] }, { "concat": [ "10.17.1.250", 40993 ] } ], [ { "concat": [ "udp", 45608 ] }, { "concat": [ "10.17.1.250", 45608 ] } ], [ { "concat": [ "udp", 48425 ] }, { "concat": [ "10.17.1.250", 48425 ] } ], [ { "concat": [ "tcp", 8006 ] }, { "concat": [ "10.17.50.10", 8006 ] } ], [ { "concat": [ "tcp", 38247 ] }, { "concat": [ "10.17.10.31", 22 ] } ], [ { "concat": [ "udp", 48512 ] }, { "concat": [ "10.17.1.250", 48512 ] } ], [ { "concat": [ "udp", 24454 ] }, { "concat": [ "10.17.1.11", 24454 ] } ], [ { "concat": [ "udp", 18596 ] }, { "concat": [ "10.17.1.250", 18596 ] } ], [ { "concat": [ "tcp", 25565 ] }, { "concat": [ "10.17.1.11", 25565 ] } ], [ { "concat": [ "udp", 25565 ] }, { "concat": [ "10.17.1.11", 25565 ] } ] ] } }, { "rule": { "family": "ip", "table": "nat4", "chain": "prerouting", "handle": 4, "expr": [ { "match": { "op": "==", "left": { "fib": { "result": "type", "flags": [ "daddr" ] } }, "right": "local" } }, { "dnat": { "family": "ip", "addr": { "map": { "key": { "concat": [ { "meta": { "key": "l4proto" } }, { "payload": { "protocol": "th", "field": "dport" } } ] }, "data": "@port_forward" } } } } ] } }, { "rule": { "family": "ip", "table": "nat4", "chain": "postrouting", "handle": 6, "expr": [ { "match": { "op": "==", "left": { "meta": { "key": "oifname" } }, "right": "wan" } }, { "match": { "op": "==", "left": { "payload": { "protocol": "ip", "field": "saddr" } }, "right": { "set": [ { "prefix": { "addr": "10.0.0.0", "len": 8 } }, { "prefix": { "addr": "172.0.0.0", "len": 12 } }, { "prefix": { "addr": "192.168.0.0", "len": 16 } } ] } } }, { "masquerade": null } ] } } ] }