IPv6 Firewall Router: Unterschied zwischen den Versionen
Zur Navigation springen
Zur Suche springen
| (Eine dazwischenliegende Version desselben Benutzers wird nicht angezeigt) | |||
| Zeile 42: | Zeile 42: | ||
type filter hook input priority filter; policy drop; | type filter hook input priority filter; policy drop; | ||
ct state established,related accept | ct state established,related accept | ||
| − | ct state new iif " | + | ct state new iif "ens3" tcp dport 22 accept |
| − | ct state new iif " | + | ct state new iif "ens4" accept |
ct state new iifname "lo" accept | ct state new iifname "lo" accept | ||
| − | |||
ip6 nexthdr ipv6-icmp accept | ip6 nexthdr ipv6-icmp accept | ||
log prefix "--nftables-drop-input--" | log prefix "--nftables-drop-input--" | ||
| Zeile 53: | Zeile 52: | ||
type filter hook forward priority filter; policy drop; | type filter hook forward priority filter; policy drop; | ||
ct state established,related accept | ct state established,related accept | ||
| − | + | ct state new iif "ens4" oif "ens3" accept | |
| − | ct state new iif "ens4" oif " | ||
log prefix "--nftables-drop-forward--" | log prefix "--nftables-drop-forward--" | ||
} | } | ||
| Zeile 69: | Zeile 67: | ||
chain postrouting { | chain postrouting { | ||
type nat hook postrouting priority srcnat; policy accept; | type nat hook postrouting priority srcnat; policy accept; | ||
| − | oif " | + | oif "ens3" masquerade |
} | } | ||
} | } | ||
Aktuelle Version vom 31. Januar 2024, 10:55 Uhr
Simple IPv4 Firwall
table ip filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state new iif "ens4" tcp dport 22 accept
ct state new iif "ens5" accept
ct state new iifname "lo" accept
log prefix "--nftables-drop-input--"
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
ct state new iif "ens5" oif "ens4" accept
log prefix "--nftables-drop-forward--"
}
chain output {
type filter hook output priority filter; policy drop;
ct state established,related accept
ct state new accept
log prefix "--nftables-drop-output--"
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oif "ens4" masquerade
}
}
Simple Dual Stack Firewall
table inet filter {
chain input {
type filter hook input priority filter; policy drop;
ct state established,related accept
ct state new iif "ens3" tcp dport 22 accept
ct state new iif "ens4" accept
ct state new iifname "lo" accept
ip6 nexthdr ipv6-icmp accept
log prefix "--nftables-drop-input--"
}
chain forward {
type filter hook forward priority filter; policy drop;
ct state established,related accept
ct state new iif "ens4" oif "ens3" accept
log prefix "--nftables-drop-forward--"
}
chain output {
type filter hook output priority filter; policy drop;
ct state established,related accept
ip6 nexthdr ipv6-icmp accept
ct state new accept
log prefix "--nftables-drop-output--"
}
}
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
oif "ens3" masquerade
}
}