Nft-5: Unterschied zwischen den Versionen

(Die Seite wurde neu angelegt: „<pre> table ip filter { chain INPUT { type filter hook input priority filter; policy drop; ct state established,related counter packets 244 bytes 16520 ac…“)
 
 
Zeile 3: Zeile 3:
 
chain INPUT {
 
chain INPUT {
 
type filter hook input priority filter; policy drop;
 
type filter hook input priority filter; policy drop;
ct state established,related counter packets 244 bytes 16520 accept
+
ct state established,related accept
iifname "lo" ct state new counter packets 0 bytes 0 accept
+
iifname "lo" ct state new accept
tcp dport 22 ct state new counter packets 0 bytes 0 accept
+
tcp dport 22 ct state new accept
icmp type echo-request ct state new counter packets 2 bytes 192 accept
+
icmp type echo-request ct state new accept
counter packets 20 bytes 1332 log prefix "--iptables-drop-in--"
+
log prefix "--iptables-drop-in--"
 +
}
 +
 
 +
chain FORWARD {
 +
type filter hook forward priority filter; policy drop;
 +
ct state established,related accept
 +
icmp type echo-request jump lan-to-wan
 +
tcp dport 53 jump lan-to-wan
 +
udp dport 53 jump lan-to-wan
 +
iifname "eth0" oifname "ens19" ip daddr 10.82.243.11 tcp dport 80 accept
 +
iifname "eth0" oifname "ens19" ip daddr 10.82.243.11 tcp dport 22 accept
 +
tcp dport { 25, 80, 143, 443, 465, 993 } jump lan-to-wan
 +
log prefix "--iptables-drop-for--"
 
}
 
}
  
 
chain OUTPUT {
 
chain OUTPUT {
 
type filter hook output priority filter; policy drop;
 
type filter hook output priority filter; policy drop;
ct state established,related counter packets 155 bytes 15764 accept
+
ct state established,related accept
ct state new counter packets 3 bytes 228 accept
+
ct state new accept
counter packets 0 bytes 0 log prefix "--iptables-drop-out--"
+
log prefix "--iptables-drop-out--"
}
 
 
 
chain FORWARD {
 
type filter hook forward priority filter; policy drop;
 
ct state established,related counter packets 0 bytes 0 accept
 
icmp type echo-request counter packets 0 bytes 0 jump lan-to-wan
 
tcp dport 53 counter packets 0 bytes 0 jump lan-to-wan
 
udp dport 53 counter packets 0 bytes 0 jump lan-to-wan
 
iifname "eth0" oifname "ens19" ip daddr 10.82.243.11 tcp dport 80 counter packets 0 bytes 0 accept
 
iifname "eth0" oifname "ens19" ip daddr 10.82.243.11 tcp dport 22 counter packets 0 bytes 0 accept
 
tcp dport { 25, 80, 143, 443, 465, 993 } counter packets 0 bytes 0 jump lan-to-wan
 
counter packets 0 bytes 0 log prefix "--iptables-drop-for--"
 
 
}
 
}
  
 
chain lan-to-wan {
 
chain lan-to-wan {
iifname "ens19" oifname "eth0" ip saddr 10.82.243.0/24 ct state new counter packets 0 bytes 0 accept
+
iifname "ens19" oifname "eth0" ip saddr 10.82.243.0/24 ct state new accept
 
}
 
}
 
}
 
}
 
table ip nat {
 
table ip nat {
chain POSTROUTING {
 
type nat hook postrouting priority srcnat; policy accept;
 
oifname "eth0" ip saddr 10.82.243.0/24 counter packets 0 bytes 0 snat to 10.82.227.12
 
}
 
 
 
chain PREROUTING {
 
chain PREROUTING {
 
type nat hook prerouting priority dstnat; policy accept;
 
type nat hook prerouting priority dstnat; policy accept;
ip daddr 10.82.227.12 tcp dport 80 counter packets 0 bytes 0 dnat to 10.82.243.11
+
ip daddr 10.82.227.12 tcp dport 80 dnat to 10.82.243.11
ip daddr 10.82.227.12 tcp dport 9922 counter packets 0 bytes 0 dnat to 10.82.243.11:22
+
ip daddr 10.82.227.12 tcp dport 9922 dnat to 10.82.243.11:22
 
}
 
}
  
Zeile 51: Zeile 46:
 
chain OUTPUT {
 
chain OUTPUT {
 
type nat hook output priority -100; policy accept;
 
type nat hook output priority -100; policy accept;
 +
}
 +
 +
chain POSTROUTING {
 +
type nat hook postrouting priority srcnat; policy accept;
 +
oifname "eth0" ip saddr 10.82.243.0/24 snat to 10.82.227.12
 
}
 
}
 
}
 
}
  
 
</pre>
 
</pre>
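Review bot: The three `log prefix` rules on the new side (the lines `log prefix "--iptables-drop-in--"`, `log prefix "--iptables-drop-for--"` and `log prefix "--iptables-drop-out--"`) carry no `limit rate`, so every packet that falls through to the chain policy is logged without bound and an unsolicited flood becomes a log/disk exhaustion problem on the firewall itself; writing them as `limit rate 5/minute burst 10 packets log prefix "--iptables-drop-in--"` (and likewise for the other two) keeps the visibility while bounding the volume. The prefixes still say `iptables` although the ruleset is nftables; renaming them to e.g. `--nft-drop-in--` avoids confusion when the logs are grepped later. Each log rule also relies on the chain header's `policy drop` rather than an explicit verdict; a trailing `drop` after the log statement would make the intent readable without going back to the header. Only `table ip` is defined, so IPv6 traffic, if it is enabled on this host, is not subject to any of these drop policies — I cannot tell from the diff whether IPv6 is in use, but either a note on the page or an `inet` family table would close that gap.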

Aktuelle Version vom 13. September 2022, 18:09 Uhr

# IPv4 packet filter. Address family "ip" only: IPv6 packets are not matched
# by this table at all — NOTE(review): if IPv6 is enabled on the host, a
# separate ip6 (or inet) table with the same drop policies is needed; confirm.
table ip filter {
	# Packets addressed to this host. Default verdict: drop.
	chain INPUT {
		type filter hook input priority filter; policy drop;
		# Return traffic for connections conntrack already knows about.
		ct state established,related accept
		# New connections only on the loopback interface (host talking to itself).
		iifname "lo" ct state new accept
		# SSH: new connections from any interface, no source restriction.
		tcp dport 22 ct state new accept
		# Ping from anywhere.
		icmp type echo-request ct state new accept
		# Everything else is logged and then dropped by the chain policy
		# ("log" carries no verdict, evaluation continues to the policy).
		# NOTE(review): no "limit rate" on this log, so a packet flood is logged
		# at line rate — consider "limit rate 5/minute burst 10 packets log ...".
		log prefix "--iptables-drop-in--"
	}

	# Routed packets. From the lan-to-wan chain: ens19 is the LAN side
	# (10.82.243.0/24), eth0 the WAN side. Default verdict: drop.
	chain FORWARD {
		type filter hook forward priority filter; policy drop;
		# Return traffic for tracked connections, in either direction.
		ct state established,related accept
		# Candidate LAN->WAN flows; lan-to-wan decides by interface pair and source net.
		icmp type echo-request jump lan-to-wan
		tcp dport 53 jump lan-to-wan
		udp dport 53 jump lan-to-wan
		# Inbound from eth0 to the DNAT target 10.82.243.11 (see table ip nat,
		# chain PREROUTING): web and SSH. The forward hook sees the post-DNAT
		# destination, which is why dport 22 (not 9922) is matched here.
		# These two rules carry no "ct state new" — established traffic was
		# already accepted above, so only new flows actually reach them.
		iifname "eth0" oifname "ens19" ip daddr 10.82.243.11 tcp dport 80 accept
		iifname "eth0" oifname "ens19" ip daddr 10.82.243.11 tcp dport 22 accept
		# Mail (SMTP/IMAP/IMAPS/submission) and web toward the WAN, subject to lan-to-wan.
		tcp dport { 25, 80, 143, 443, 465, 993 } jump lan-to-wan
		# Anything not accepted so far, including flows that jumped to
		# lan-to-wan and returned unmatched: log, then dropped by the policy.
		# NOTE(review): unrate-limited log, same caveat as INPUT.
		log prefix "--iptables-drop-for--"
	}

	# Packets originated by this host. Default verdict: drop, but the two
	# accept rules cover new and tracked traffic, so in practice only packets
	# that are neither (e.g. ct state invalid) reach the log rule.
	chain OUTPUT {
		type filter hook output priority filter; policy drop;
		ct state established,related accept
		ct state new accept
		# NOTE(review): unrate-limited log, same caveat as INPUT.
		log prefix "--iptables-drop-out--"
	}

	# Regular (non-base) chain reached only via "jump" from FORWARD.
	# Accepts new flows from the LAN interface and LAN net toward eth0; a
	# packet that does not match returns to FORWARD and continues after the
	# jump rule, i.e. ends up at the log rule and the drop policy.
	chain lan-to-wan {
		iifname "ens19" oifname "eth0" ip saddr 10.82.243.0/24 ct state new accept
	}
}
# IPv4 NAT: two port forwards on 10.82.227.12 (presumably the external address
# on eth0 — confirm) to the internal host 10.82.243.11, and source NAT for the
# LAN net leaving via eth0. Only "ip" family: IPv6 is not translated or filtered here.
table ip nat {
	# Destination NAT before routing. The matching accept rules for the
	# translated destination live in table ip filter, chain FORWARD.
	chain PREROUTING {
		type nat hook prerouting priority dstnat; policy accept;
		# External :80 -> 10.82.243.11:80 (port unchanged).
		ip daddr 10.82.227.12 tcp dport 80 dnat to 10.82.243.11
		# External :9922 -> 10.82.243.11:22 (SSH on a non-standard external port).
		ip daddr 10.82.227.12 tcp dport 9922 dnat to 10.82.243.11:22
	}

	# Base chain registered on the nat input hook; holds no rules.
	chain INPUT {
		type nat hook input priority 100; policy accept;
	}

	# Base chain registered on the nat output hook; holds no rules.
	chain OUTPUT {
		type nat hook output priority -100; policy accept;
	}

	# Source NAT after routing: LAN net traffic leaving via eth0 is rewritten
	# to the fixed address 10.82.227.12 (explicit snat rather than masquerade).
	chain POSTROUTING {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "eth0" ip saddr 10.82.243.0/24 snat to 10.82.227.12
	}
}