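#!/usr/sbin/nft -f
# vim: set ts=4 sw=4:
# You can find examples in /usr/share/nftables/.
#
# Router ruleset: IPv4 port forwards (dnat + masquerade), an IPv6 nat table
# that is mostly disabled, a default-drop input/forward filter, then two
# include globs. Hostnames used in rules (sekhmet2.ra.nemunai.re, ...) are
# resolved when this file is loaded, so a DNS change only takes effect on the
# next reload of the ruleset.

# Prefixes and hosts. None of these symbols is referenced in this file; they
# are presumably consumed by the rules included from /etc/nftables.d/ (verify).
define ra_prefix = 2a01:e0a:518:830::/64
define ra_prefix_max = 2a01:e0a:518:830::/56
define masr_prefix = 2a01:e0a:2b:2250::/64
define masr_ouaset = 2a01:e0a:2b:2250::b
define masr_rhakotis = 2a01:e0a:2b:2250::c
define serekh_ankh_prefix = 2a01:cb05:4bd:5000::/64
define serekh_ankh = 2a01:cb05:4bd:5000::d
define serekh_prefix = fd42:507b:9d4d:71ea::/64
define logger_host = geb.ra.nemunai.re
define ntp_host = geb.ra.nemunai.re

# Clear all prior state
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;

        # Port forwards from the public address 82.64.151.41 to LAN hosts.
        # A dnat'ed packet still traverses the forward hook, so every target
        # listed here also needs an accept in chain forward of table inet
        # filter below (policy drop); see the notes there.
        ip daddr 82.64.151.41 tcp dport ssh dnat 192.168.0.52:22
        ip daddr 82.64.151.41 tcp dport imaps dnat 192.168.0.3:imaps
        ip daddr 82.64.151.41 tcp dport pop3s dnat 192.168.0.3:pop3s
        ip daddr 82.64.151.41 tcp dport 2772 dnat 192.168.0.250:2772
        # Same service reached through 192.168.0.2 (presumably the router's
        # own LAN address) instead of the public address.
        ip daddr 192.168.0.2 tcp dport 2772 dnat 192.168.0.250:2772
        ip daddr 82.64.151.41 tcp dport 3478 dnat 192.168.0.54:3478
        ip daddr 82.64.151.41 udp dport 3478 dnat 192.168.0.54:3478
        ip daddr 82.64.151.41 tcp dport 6224 dnat 192.168.0.4:22
    }

    chain postrouting {
        type nat hook postrouting priority 0; policy accept;

        # Source-NAT the forwarded connections so the LAN targets answer
        # through the router rather than directly to the client.
        # NOTE(review): imaps is dnat'ed to 192.168.0.3 above but masqueraded
        # for 192.168.0.4 here, and nothing masquerades pop3s to 192.168.0.3;
        # confirm which host is intended.
        ip daddr 192.168.0.52 tcp dport ssh masquerade
        ip daddr 192.168.0.4 tcp dport imaps masquerade
        ip daddr 192.168.0.250 tcp dport 2772 masquerade
        ip daddr 192.168.0.54 tcp dport 3478 masquerade
        ip daddr 192.168.0.54 udp dport 3478 masquerade
        ip daddr 192.168.0.4 tcp dport ssh masquerade
    }
}

table ip6 nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;

        # IPv6 port forwards are currently disabled.
        #tcp dport ssh dnat sekhmet2.ra.nemunai.re:22
        #tcp dport 8448 dnat rhakotis.masr.nemunai.re:8448
    }

    chain postrouting {
        type nat hook postrouting priority 0; policy accept;

        # NOTE(review): the matching dnat above is commented out, so this rule
        # rewrites the source of any forwarded IPv6 connection to port 22 on
        # that host; keep it only if that is still wanted.
        ip6 daddr sekhmet2.ra.nemunai.re tcp dport 22 masquerade
        #ip6 daddr rhakotis.masr.nemunai.re tcp dport 8448 masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname lo accept \
            comment "Accept any localhost traffic"
        ct state { established, related } accept \
            comment "Accept traffic originated from us"
        ct state invalid drop \
            comment "Drop invalid connections"
        tcp dport 113 reject with icmpx type port-unreachable \
            comment "Reject AUTH to make it fail fast"

        # ICMPv4
        ip protocol icmp icmp type {
            echo-reply,                 # type 0
            destination-unreachable,    # type 3
            echo-request,               # type 8
            time-exceeded,              # type 11
            parameter-problem,          # type 12
        } accept \
            comment "Accept ICMP"

        # ICMPv6
        ip6 nexthdr icmpv6 icmpv6 type {
            destination-unreachable,    # type 1
            packet-too-big,             # type 2
            time-exceeded,              # type 3
            parameter-problem,          # type 4
            echo-request,               # type 128
            echo-reply,                 # type 129
        } accept \
            comment "Accept basic IPv6 functionality"
        # Neighbour discovery is only valid from on-link senders, which the
        # hop limit of 255 enforces (a routed packet cannot still have 255).
        ip6 nexthdr icmpv6 icmpv6 type {
            nd-router-solicit,          # type 133
            nd-router-advert,           # type 134
            nd-neighbor-solicit,        # type 135
            nd-neighbor-advert,         # type 136
        } ip6 hoplimit 255 accept \
            comment "Allow IPv6 SLAAC"
        ip6 nexthdr icmpv6 icmpv6 type {
            mld-listener-query,         # type 130
            mld-listener-report,        # type 131
            mld-listener-reduction,     # type 132
            mld2-listener-report,       # type 143
        } ip6 saddr fe80::/10 accept \
            comment "Allow IPv6 multicast listener discovery on link-local"
        ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept \
            comment "Accept DHCPv6 replies from IPv6 link-local addresses"

        # DNS service on this host. Replies to our own queries are already
        # matched by the "established" rule above, so there is deliberately
        # no "udp sport domain accept": trusting the source port alone would
        # let any remote host reach every local UDP service by sending from
        # port 53.
        udp dport domain accept

        # Everything else falls through to the drop policy. The log is not
        # rate limited (no "limit rate"), so a scan or flood fills the
        # journal at wire speed.
        counter log prefix "Filtered INPUT "
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state invalid counter log prefix "Filtered INVALID FORWARD " drop
        ct state { established, related } accept

        # New connections allowed through the router; each entry should match
        # a dnat target in table ip nat. The 3478 entry is 192.168.0.54, the
        # host both 3478 dnat rules point to (no dnat rule targets
        # 192.168.0.52 on that port).
        # NOTE(review): pop3s -> 192.168.0.3, 2772 -> 192.168.0.250 and
        # udp 3478 -> 192.168.0.54 are dnat'ed by the nat table but have no
        # accept here, so they are dropped unless a file under
        # /etc/nftables.d/ accepts them; confirm which is intended.
        ip daddr . tcp dport { \
            192.168.0.52 . ssh, \
            192.168.0.3 . imaps, \
            192.168.0.54 . 3478, \
            192.168.0.4 . ssh \
        } accept
        # Same caveat as the input log: not rate limited.
        counter log prefix "Filtered FORWARD "
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

# The state of stateful objects saved on the nftables service stop.
include "/var/lib/nftables/*.nft"

# Rules
include "/etc/nftables.d/*.nft"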