99 lines
4.3 KiB
Plaintext
99 lines
4.3 KiB
Plaintext
table inet fwl {
|
|
|
|
# ── let rfc1918 ──────────────────────────────────────────────────────────
|
|
set rfc1918 {
|
|
type ipv4_addr
|
|
flags interval
|
|
elements = {
|
|
10.0.0.0/8,
|
|
172.16.0.0/12,
|
|
192.168.0.0/16
|
|
}
|
|
}
|
|
|
|
# ── let open_ports : Set<Port> ───────────────────────────────────────────
|
|
set open_ports {
|
|
type inet_service
|
|
elements = { 22 }
|
|
}
|
|
|
|
# ── let forwards_v6 : Set<(Protocol, IP, Port)> ──────────────────────────
|
|
set forwards_v6 {
|
|
type inet_proto . ipv6_addr . inet_service
|
|
elements = {
|
|
tcp . 2001:db8::1 . 22000
|
|
}
|
|
}
|
|
|
|
# ── let forwards : Map<(Protocol, Port), (IP, Port)> ────────────────────
|
|
map forwards {
|
|
type inet_proto . inet_service : ipv4_addr . inet_service
|
|
elements = {
|
|
tcp . 8080 : 10.0.0.10 . 80
|
|
}
|
|
}
|
|
|
|
# ── zone lan_zone = { lan } ──────────────────────────────────────────────
|
|
# Zones compile to anonymous sets wherever referenced in iifname/oifname.
|
|
# With a single member the set degenerates to a plain string match,
|
|
# but we keep the set form so the compiler output is uniform regardless
|
|
# of zone size.
|
|
set lan_zone {
|
|
type ifname
|
|
elements = { "lan" }
|
|
}
|
|
|
|
# ── policy input ─────────────────────────────────────────────────────────
|
|
chain input {
|
|
type filter hook input priority filter; policy drop;
|
|
|
|
ct state { established, related } accept
|
|
iifname "lo" accept
|
|
meta nfproto ipv6 ip6 nexthdr ipv6-icmp ip6 saddr fe80::/10 accept
|
|
meta nfproto ipv4 meta l4proto tcp tcp dport @open_ports accept
|
|
meta nfproto ipv4 meta l4proto udp udp dport 51944 accept
|
|
}
|
|
|
|
# ── policy forward ───────────────────────────────────────────────────────
|
|
chain forward {
|
|
type filter hook forward priority filter; policy drop;
|
|
|
|
ct state { established, related } accept
|
|
ct status dnat accept
|
|
|
|
# | Frame(iif in lan_zone -> wan, _) -> Allow
|
|
meta iifname @lan_zone meta oifname "wan" accept
|
|
|
|
# | Frame(wan -> iif in lan_zone, IPv4 TCP|UDP) if (proto,dport) in forwards
|
|
meta iifname "wan" meta oifname @lan_zone \
|
|
meta nfproto ipv4 meta l4proto { tcp, udp } \
|
|
meta l4proto . th dport @forwards accept
|
|
|
|
# | Frame(wan -> iif in lan_zone, IPv6 TCP|UDP) if (proto,dst,dport) in forwards_v6
|
|
meta iifname "wan" meta oifname @lan_zone \
|
|
meta nfproto ipv6 meta l4proto { tcp, udp } \
|
|
meta l4proto . ip6 daddr . th dport @forwards_v6 accept
|
|
}
|
|
|
|
# ── policy output ────────────────────────────────────────────────────────
|
|
chain output {
|
|
type filter hook output priority filter; policy accept;
|
|
}
|
|
|
|
# ── policy nat_prerouting ────────────────────────────────────────────────
|
|
chain nat_prerouting {
|
|
type nat hook prerouting priority dstnat; policy accept;
|
|
|
|
meta nfproto ipv4 meta l4proto { tcp, udp } \
|
|
fib daddr type local \
|
|
dnat ip to meta l4proto . th dport map @forwards
|
|
}
|
|
|
|
# ── policy nat_postrouting ───────────────────────────────────────────────
|
|
chain nat_postrouting {
|
|
type nat hook postrouting priority srcnat; policy accept;
|
|
|
|
meta oifname "wan" meta nfproto ipv4 ip saddr @rfc1918 masquerade
|
|
}
|
|
}
|