CaZzzer/fwl
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
2705f18e0f97a2c216b712bc22324640fe1443d0
fwl/doc/ref/ruleset.nft
Yuri Tatishchev 0549a54e34 add nft ruleset ref
2026-05-01 13:50:54 -07:00

89 lines
2.9 KiB
Plaintext
Raw Blame History

table inet firewall {
set port_forward_v6 {
type inet_proto . ipv6_addr . inet_service
elements = { tcp . 2600:1700:115f:300f::11:1 . 22000,
udp . 2600:1700:115f:300f::11:1 . 22000 }
}
set cloudflare_forward_v6 {
type ipv6_addr
elements = { 2600:1700:115f:300f::11:1 }
}
chain input {
type filter hook input priority filter; policy drop;
iifname "wan" ip6 saddr fe80::be24:11ff:fe83:d8de icmpv6 type nd-router-advert log prefix "self radvt: " drop
ct state established,related accept
ip6 nexthdr ipv6-icmp ip6 saddr { 2600:1700:115f:3000::/60, fe80::/10 } accept
ip6 nexthdr ipv6-icmp ip6 daddr fe80::/10 accept
iif "lo" accept
ip6 daddr { fe80::/10, ff02::/16 } th dport { 546, 547 } accept
tcp dport 22 accept
udp dport 51944 accept
iifname "wan" jump zone_wan_input
iifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } jump zone_lan_input
ip6 saddr { 2600:1700:115f:3000::/64, 2600:1700:115f:300d::/64 } jump zone_lan_input
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
iifname "wan" jump zone_wan_forward
iifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } jump zone_lan_forward
ip6 saddr { 2600:1700:115f:3000::/64, 2600:1700:115f:300d::/64 } jump zone_lan_forward
}
chain zone_wan_input {
}
chain zone_wan_forward {
ct status dnat accept
meta l4proto . ip6 daddr . th dport @port_forward_v6 accept
ip6 saddr { 2400:cb00::/32, 2405:8100::/32, 2405:b500::/32, 2606:4700::/32, 2803:f800::/32, 2a06:98c0::/29, 2c0f:f248::/32 } ip6 daddr @cloudflare_forward_v6 th dport 443 accept
}
chain zone_lan_input {
ip6 nexthdr ipv6-icmp accept
ip protocol icmp accept
tcp dport { 22, 443 } accept
udp dport { 53, 67, 443, 547 } accept
}
chain zone_lan_forward {
oifname "wan" ip6 saddr fd00::/8 drop
oifname "wan" accept
oifname { "wg0", "lan", "lan.10", "lan.20", "lan.30", "lan.40", "lan.50" } accept
}
chain output {
type filter hook output priority filter; policy accept;
}
}
table ip nat4 {
map port_forward {
type inet_proto . inet_service : ipv4_addr . inet_service
elements = { udp . 35848 : 10.17.1.250 . 35848,
udp . 37138 : 10.17.10.31 . 37138,
udp . 40993 : 10.17.1.250 . 40993,
udp . 45608 : 10.17.1.250 . 45608,
udp . 48425 : 10.17.1.250 . 48425,
tcp . 8006 : 10.17.50.10 . 8006,
tcp . 38247 : 10.17.10.31 . 22,
udp . 48512 : 10.17.1.250 . 48512,
udp . 24454 : 10.17.1.11 . 24454,
udp . 18596 : 10.17.1.250 . 18596,
tcp . 25565 : 10.17.1.11 . 25565,
udp . 25565 : 10.17.1.11 . 25565 }
}
chain prerouting {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local dnat ip to meta l4proto . th dport map @port_forward
}
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oifname "wan" ip saddr { 10.0.0.0/8, 172.0.0.0/12, 192.168.0.0/16 } masquerade
}
}
Reference in New Issue View Git Blame Copy Permalink