41 lines
1.0 KiB
Plaintext
41 lines
1.0 KiB
Plaintext
#!/usr/sbin/nft -f
|
|
|
|
# example configuration for a router
|
|
|
|
define loop_interface = "lo"
|
|
define wan_interface = "enp0s0"
|
|
define lan_interface = "enp1s0"
|
|
define local_network = 192.168.1.0/24
|
|
|
|
flush ruleset
|
|
|
|
table ip routing {
|
|
chain masquerading {
|
|
type nat hook postrouting priority 100; policy accept;
|
|
ip saddr { $local_network } ip daddr != { $local_network } oifname { $wan_interface } masquerade
|
|
}
|
|
}
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
iif { $loop_interface } accept
|
|
iif { $lan_interface } accept
|
|
ct state { related, established } accept
|
|
ct state invalid drop
|
|
meta l4proto icmp accept
|
|
icmp type echo-request limit rate 5/second accept
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy accept;
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
ct state { related, established } accept
|
|
ct state invalid drop
|
|
iif { $lan_interface } accept
|
|
}
|
|
}
|