IPv6 Firewall Router


= Simple IPv4 Firewall =

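# Simple IPv4-only firewall/NAT router.
# Interface roles as used by the rules below: ens4 = WAN (masqueraded on
# the way out), ens5 = LAN.
#
# "flush ruleset" makes loading this file with `nft -f` idempotent. Without
# it a second load does not replace the ruleset but appends another copy of
# every rule to the chains that already exist.
flush ruleset

table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        # Replies to connections the router itself opened, plus related ICMP.
        ct state established,related accept
        # Management: SSH is deliberately reachable from the WAN side (ens4).
        # NOTE: "iif" resolves the interface name to an index when the ruleset
        # is loaded, so the interface has to exist at load time; "iifname"
        # (used for lo below) matches by name at packet time instead.
        ct state new iif "ens4" tcp dport 22 accept
        # LAN hosts may reach every service running on the router itself.
        ct state new iif "ens5" accept
        ct state new iifname "lo" accept
        # Everything else falls through to the drop policy; log it first.
        log prefix "--nftables-drop-input--"
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Only the LAN may open new flows towards the WAN; nothing is
        # forwarded inbound (no port forwards in this simple variant).
        ct state new iif "ens5" oif "ens4" accept
        log prefix "--nftables-drop-forward--"
    }

    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        # The router may open any outbound connection itself.
        ct state new accept
        log prefix "--nftables-drop-output--"
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Source-NAT everything that leaves through the WAN interface.
        oif "ens4" masquerade
    }
}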






<pre>
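#!/usr/sbin/nft -f
#
# Dual-stack (inet) firewall for a small IPv6/IPv4 router.
#   $wandev (ens4) = upstream/transit side, $landev (ens5) = LAN side.
# Forwarding policy: LAN -> WAN for anything, WAN -> LAN only HTTP to
# $webserver. IPv4 leaving via the WAN is masqueraded; IPv6 is routed
# without NAT.

define local_tcp_ports = { 22 }
define webserver = "2a02:24d8:71:2445::102"
define wandev = ens4
define landev = ens5
# The prefixes below are currently not referenced by any rule. They are the
# obvious inputs for ingress (anti-spoofing) filtering in the forward chain,
# e.g. dropping traffic from $landev whose source is not inside $lan_4/$lan_6.
define transit_4 = "192.168.44.0/24"
define transit_6 = "2a02:24d8:71:2444::/64"
define lan_4 = 192.168.45.0/24
define lan_6 = "2a02:24d8:71:2445::/64"


# Replace the whole ruleset on every load so `nft -f` stays idempotent.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        # NOTE: there is no interface restriction here, so these ports are
        # reachable from the WAN side as well, over IPv4 and IPv6. Add
        # "iifname $landev" if management should only work from the LAN.
        ct state new tcp dport $local_tcp_ports accept
        ct state new iifname "lo" accept
        ct state new icmp type echo-request accept
        # ICMPv6 carries NDP, RA and MLD, which the router needs for IPv6 to
        # work at all. Match on the transport protocol (meta l4proto) instead
        # of "ip6 nexthdr icmpv6": nexthdr only inspects the first header of
        # the packet, so MLD reports, which carry a Hop-by-Hop extension
        # header in front of the ICMPv6 header, would never match here and
        # would end up in the drop policy.
        meta l4proto ipv6-icmp accept
        log prefix "--nftables-drop-input--"
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
        # Also covers ICMPv6 errors (e.g. Packet Too Big) for tracked flows.
        ct state established,related accept
        # The LAN may open anything towards the WAN.
        ct state new iif $landev oif $wandev accept
        # From the WAN only HTTP to the web server is forwarded into the LAN.
        ct state new iif $wandev oif $landev ip6 daddr $webserver tcp dport 80 accept
        log prefix "--nftables-drop-forward--"
    }

    chain output {
        type filter hook output priority filter; policy drop;
        ct state established,related accept
        # Same reasoning as in the input chain: the router's own MLD reports
        # and NDP messages must not be caught by the drop policy.
        meta l4proto ipv6-icmp accept
        # The router may open any outbound connection itself.
        ct state new accept
        log prefix "--nftables-drop-output--"
    }
}

# IPv4 only: this table has family "ip", so IPv6 is routed without NAT.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Use the variable rather than a literal so the WAN interface is
        # defined in exactly one place (the filter table already uses $wandev).
        oif $wandev masquerade
    }
}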