IPv6 Firewall Router: Unterschied zwischen den Versionen
(Die Seite wurde neu angelegt: „<pre> #!/usr/sbin/nft -f define local_tcp_ports = { 22 } define webserver = "2a02:24d8:71:2445::102" define wandev = ens4 define landev = ens5 define transit_…“) |
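--- a/IPv6 Firewall Router
+++ b/IPv6 Firewall Router
@@ -1,2 +1,40 @@
+=Simple IPv4 Firwall
+</pre>
+table ip filter {
+chain input {
+type filter hook input priority filter; policy drop;
+ct state established,related accept
+ct state new iif "ens4" tcp dport 22 accept
+ct state new iif "ens5" accept
+ct state new iifname "lo" accept
+log prefix "--nftables-drop-input--"
+}
+
+chain forward {
+type filter hook forward priority filter; policy drop;
+ct state established,related accept
+ct state new iif "ens5" oif "ens4" accept
+log prefix "--nftables-drop-forward--"
+}
+
+chain output {
+type filter hook output priority filter; policy drop;
+ct state established,related accept
+ct state new accept
+log prefix "--nftables-drop-output--"
+}
+}
+table ip nat {
+chain postrouting {
+type nat hook postrouting priority srcnat; policy accept;
+oif "ens4" masquerade
+}
+}
+<pre>
+
+
+
+
+
 <pre>
 #!/usr/sbin/nft -f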
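Review bot: The `<pre>` markers around the added IPv4 listing are inverted: `</pre>` on the second added line closes before the table and `<pre>` on the line after the nat table opens after it, so the rules render as collapsed wikitext and the existing `<pre>` of the IPv6 listing becomes literal text inside the new block (both visible in the current revision below); swap them to `<pre>` before `table ip filter {` and `</pre>` after the nat table's closing brace. The heading `=Simple IPv4 Firwall` also lacks its closing `=` and the "e" in Firewall. On the rules themselves, the three `log prefix` statements are unrated, so every packet dropped on the upstream interface produces a kernel log line; `limit rate 5/minute burst 5 packets log prefix "--nftables-drop-input--"` (likewise in forward and output) bounds that, and the IPv6 listing below has the same gap. The input chain also mixes `iif "ens4"` with `iifname "lo"`; `iif` is resolved to an interface index when the file is loaded and fails if the interface does not exist yet, so `iifname` is the safer choice unless the interfaces are guaranteed present at boot.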
Version vom 14. Januar 2024, 06:48 Uhr
=Simple IPv4 Firewall=
# Simple IPv4 firewall for a two-interface router. From the rules, ens4 appears to be
# the upstream side and ens5 the LAN. Every chain has policy drop: whatever is not
# accepted by an explicit rule is logged (without a rate limit) and then dropped.
table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        # Replies to flows this host already has, plus related ICMP errors.
        ct state established,related accept
        # New connections: SSH from upstream, anything from the LAN and from loopback.
        ct state new iif "ens4" tcp dport 22 accept
        ct state new iif "ens5" accept
        ct state new iifname "lo" accept
        log prefix "--nftables-drop-input--"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only LAN -> upstream may open new flows; nothing is forwarded inbound.
        ct state new iif "ens5" oif "ens4" accept
        log prefix "--nftables-drop-forward--"
    }

    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        # Locally originated traffic is unrestricted, so only packets in neither
        # established/related nor new state (invalid/untracked) reach the log.
        ct state new accept
        log prefix "--nftables-drop-output--"
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source-NAT every IPv4 packet leaving via the upstream interface.
        oif "ens4" masquerade
    }
}
<pre>
#!/usr/sbin/nft -f
# TCP services offered by this router itself; chain input accepts them on every interface.
define local_tcp_ports = { 22 }
# LAN host that receives HTTP forwarded from the upstream side (chain forward).
define webserver = "2a02:24d8:71:2445::102"
# Upstream ("WAN") and LAN interfaces.
define wandev = ens4
define landev = ens5
# Transit and LAN prefixes. None of these four symbols is referenced by any rule in this file.
define transit_4 = "192.168.44.0/24"
define transit_6 = "2a02:24d8:71:2444::/64"
define lan_4 = 192.168.45.0/24
define lan_6 = "2a02:24d8:71:2445::/64"
# Discard whatever ruleset is currently loaded, so this file is the complete configuration.
flush ruleset
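# Dual-stack (inet) filter table: policy drop on input, forward and output; anything
# not accepted by an explicit rule is logged and then dropped by the chain policy.
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        # Local services (see $local_tcp_ports) are accepted from every interface,
        # including $wandev, because no iif restriction is given here.
        ct state new tcp dport $local_tcp_ports accept
        ct state new iifname "lo" accept
        # IPv4 ping; other ICMPv4 error messages arrive as "related" above.
        ct state new icmp type echo-request accept
        # Accept all ICMPv6 (neighbour discovery, router advertisements, PMTU signalling).
        # Matched on the transport protocol instead of "ip6 nexthdr icmpv6": nexthdr
        # inspects only the first next-header field, so ICMPv6 behind an IPv6 extension
        # header (e.g. hop-by-hop, as used by MLD) would not have matched and was dropped.
        meta l4proto ipv6-icmp accept
        # Unrated: every dropped packet on $wandev yields one kernel log line.
        log prefix "--nftables-drop-input--"
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # LAN -> upstream: any new flow.
        ct state new iif $landev oif $wandev accept
        # Upstream -> LAN: only HTTP to the designated web server.
        ct state new iif $wandev oif $landev ip6 daddr $webserver tcp dport 80 accept
        log prefix "--nftables-drop-forward--"
    }
    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        # Same ICMPv6 fix as in chain input (extension headers).
        meta l4proto ipv6-icmp accept
        # Locally originated traffic is unrestricted; only invalid/untracked packets reach the log.
        ct state new accept
        log prefix "--nftables-drop-output--"
    }
}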
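# IPv4-only NAT: IPv6 is routed with global addresses and is not translated.
table ip nat {
    chain postrouting {
        # priority 100 is the value of the symbolic "srcnat" priority; policy defaults to accept.
        type nat hook postrouting priority 100;
        # Masquerade IPv4 leaving via the upstream interface. Uses the $wandev symbol
        # defined at the top of the file, as the filter table does, instead of repeating
        # the literal interface name, so an interface rename is a single-line change.
        oif $wandev masquerade
    }
}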