- ###
- ### uci config
- ###
- # /etc/config/firewall as fed to fw4 (OpenWrt's nftables translator); the
- # ruleset fw4 produced from it follows under "nftables ruleset". UCI treats
- # lines starting with '#' as comments. Several sections are odd on purpose or
- # by accident (a 'redirect2' section, an ipset entry 'foo', a subnet with host
- # bits set); each is annotated where the generated ruleset shows how fw4
- # handled it.
- config defaults
- # Applies to traffic outside every zone: the base input/output chains end in
- # 'policy accept', so a device that belongs to no zone is wide open on input,
- # while forwards nobody accepted end in handle_reject.
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'REJECT'
- # SYN-flood limiting. 'syn_flood' looks like the legacy spelling of
- # 'synflood_protect' (both are set here). The rate surfaces as
- # 'limit rate 55/second burst 50 packets' in chain syn_flood.
- option syn_flood '1'
- option synflood_rate '55/s'
- option synflood_protect '1'
- config zone
- option name 'lan'
- # Fully trusted zone. forward ACCEPT also permits forwarding between members
- # of the zone itself (chain forward_lan ends in 'jump accept_to_lan').
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'ACCEPT'
- # Two logical networks, yet the generated chains only match iifname "br-lan":
- # 'vpn' resolved to no device in this environment. On a real system confirm
- # the vpn interface really lands in this zone, otherwise it is unzoned and,
- # per the defaults above, accepted on input.
- option network 'lan vpn'
- config zone
- option name 'wan'
- option input 'REJECT'
- option output 'ACCEPT'
- option forward 'REJECT'
- option masq '1'
- # Clamp TCP MSS on wan ingress and egress (chain mangle_forward).
- option mtu_fix '1'
- # NOTE(review): suppresses the 'ct state invalid drop' fw4 otherwise adds for
- # a masquerading zone -- no such rule exists anywhere in the ruleset below --
- # so packets conntrack cannot classify reach the zone chains and may leave
- # untranslated. Keep only if something (e.g. asymmetric routing) needs it.
- option masq_allow_invalid '1'
- option network 'wan wan6'
- # Rejected WAN traffic is not logged; set to 1 while auditing exposure.
- option log 0
- config zone
- option name 'foo'
- option input 'ACCEPT'
- option output 'ACCEPT'
- option forward 'ACCEPT'
- # iptables-era escape hatches. Nothing in the nftables ruleset references an
- # interface "foo", so fw4 evidently ignores extra_src/extra_dest.
- option extra_src '-i foo'
- option extra_dest '-o foo'
- # Host bits are set; fw4 normalises this to 192.168.123.0/24. Since neither
- # 'wg' nor 'foo' yields a device, the zone is matched by address alone
- # ('ip saddr 192.168.123.0/24' in the base chains). Address-only zones are
- # spoofable: a packet entering on eth1 with source AND destination inside
- # 192.168.123.0/24 and an egress other than eth1 is not rejected by
- # reject_to_wan (which tests oifname "eth1") and is then accepted by
- # forward_foo -- provided routing/rp_filter, outside this file, let it through.
- option subnet '192.168.123.123/24'
- option network 'wg'
- config forwarding
- # Only lan -> wan. The reverse direction is limited to the port forwards,
- # the 'SSH via IPv6' rule and the igmpproxy multicast rules below.
- option src 'lan'
- option dest 'wan'
- # The next five rules are the stock OpenWrt WAN allowances (DHCP/DHCPv6
- # client renewals, ping, essential ICMPv6 for input and forward).
- config rule
- option name 'Allow-DHCP-Renew'
- option src 'wan'
- option proto 'udp'
- option dest_port '68'
- option target 'ACCEPT'
- option family 'ipv4'
- config rule
- option name 'Allow-Ping'
- option src 'wan'
- option proto 'icmp'
- list icmp_type 'echo-request'
- option family 'ipv4'
- # No 'limit' here, unlike the ICMPv6 rules; add one if ping floods matter.
- option target 'ACCEPT'
- config rule
- option name 'Allow-DHCPv6'
- option src 'wan'
- option proto 'udp'
- option src_ip 'fe80::/10'
- option src_port '547'
- option dest_ip 'fe80::/10'
- option dest_port '546'
- option family 'ipv6'
- option target 'ACCEPT'
- config rule
- option name 'Allow-ICMPv6-Input'
- option src 'wan'
- option proto 'icmp'
- # fw4 splits this list into two nft rules: plain types, and the types it
- # pins to a specific code (packet-too-big, bad-header, unknown-header-type,
- # neighbour-solicitation/-advertisement).
- list icmp_type 'echo-request'
- list icmp_type 'echo-reply'
- list icmp_type 'destination-unreachable'
- list icmp_type 'packet-too-big'
- list icmp_type 'time-exceeded'
- list icmp_type 'bad-header'
- list icmp_type 'unknown-header-type'
- list icmp_type 'router-solicitation'
- list icmp_type 'neighbour-solicitation'
- list icmp_type 'router-advertisement'
- list icmp_type 'neighbour-advertisement'
- option limit '1000/sec'
- option family 'ipv6'
- option target 'ACCEPT'
- config rule
- option name 'Allow-ICMPv6-Forward'
- option src 'wan'
- option dest '*'
- option proto 'icmp'
- list icmp_type 'echo-request'
- list icmp_type 'echo-reply'
- list icmp_type 'destination-unreachable'
- list icmp_type 'packet-too-big'
- list icmp_type 'time-exceeded'
- list icmp_type 'bad-header'
- list icmp_type 'unknown-header-type'
- option limit '1000/sec'
- option family 'ipv6'
- option target 'ACCEPT'
- config include
- # Legacy iptables-era include. Nothing attributable to it appears in the
- # nftables ruleset, so fw4 presumably skipped it (such scripts have to be
- # explicitly marked fw4-compatible). Check that no rule still relies on it.
- option path '/etc/firewall.user'
- config rule
- # NOTE(review): opens the router's own SSH to the entire WAN for IPv4 AND
- # IPv6 (no 'family'); the generated 'tcp dport 22 accept' in input_wan
- # carries no source or rate restriction. Narrow with src_ip and/or a
- # 'limit', or drop the rule, unless WAN-side SSH is deliberate.
- option target 'ACCEPT'
- option src 'wan'
- option proto 'tcp'
- option dest_port '22'
- option name 'SSH'
- config rule
- # NOTE(review): forwards TCP/22 from the WAN to EVERY IPv6 host behind lan
- # (no dest_ip) -- see 'meta nfproto ipv6 tcp dport 22 jump accept_to_lan'
- # in forward_wan. Add dest_ip if only specific hosts should be reachable.
- option target 'ACCEPT'
- option src 'wan'
- option dest 'lan'
- option name 'SSH via IPv6'
- option family 'ipv6'
- option proto 'tcp'
- option dest_port '22'
- config ipset
- # Both filter sets are declared empty; they are filled at runtime by whatever
- # does the domain filtering (not shown here).
- option name 'domain-filter-ipv4'
- option match 'dest_ip'
- option storage 'hash'
- option family 'IPv4'
- config ipset
- option name 'domain-filter-ipv6'
- option match 'dest_ip'
- option storage 'hash'
- option family 'IPv6'
- config rule
- # Marks traffic whose destination is in the set. In the generated
- # mangle_prerouting chain these rules carry no iifname "br-lan" match, so the
- # 'src lan' restriction is not reflected there -- verify before relying on it.
- option src 'lan'
- option target 'MARK'
- option set_mark '0x1'
- option name 'Tag Domain Filter Traffic'
- option family 'IPv4'
- option ipset 'domain-filter-ipv4'
- option proto 'tcp udp icmp'
- config rule
- option src 'lan'
- option target 'MARK'
- option set_mark '0x1'
- option name 'Tag Domain Filter Traffic'
- option family 'IPv6'
- option ipset 'domain-filter-ipv6'
- option proto 'tcp udp icmp'
- config redirect2
- # NOTE(review): 'redirect2' is not a section type fw4 recognises; "Divert DNS"
- # appears nowhere in the generated ruleset, i.e. this section is silently
- # ignored. Presumably a typo for 'redirect'.
- option name 'Divert DNS'
- option src_dport '53'
- option target 'DNAT'
- option proto 'udp tcp'
- option src 'lan'
- config redirect
- # Neither 'proto' nor 'target' is set: fw4 defaults to DNAT for tcp AND udp,
- # so a pointless UDP/22 forward is generated as well (see dstnat_wan). Set
- # proto 'tcp' to keep the exposure minimal.
- # Of the two reflection zones only lan produces hairpin rules
- # (dstnat_lan/srcnat_lan); foo has no device, which is presumably why none
- # were built for it.
- option name 'SSH J400'
- option src 'wan'
- option dest 'lan'
- option src_dport '22014'
- option dest_port '22'
- option dest_ip '10.11.12.14'
- list reflection_zone 'lan'
- list reflection_zone 'foo'
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- # tcp+udp is appropriate for a BitTorrent listener.
- option proto 'tcp udp'
- option src_dport '51413'
- option dest_ip '10.11.12.14'
- option dest_port '51413'
- option name 'Transmission Laptop'
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- option proto 'tcp udp'
- option src_dport '51414'
- option dest_port '51414'
- option name 'Transmission Desktop'
- option dest_ip '10.11.12.7'
- config include
- # Same caveat as /etc/firewall.user above: legacy include, not visible in the
- # generated ruleset.
- option path '/etc/firewall.freifunk'
- config redirect
- option target 'DNAT'
- option src 'wan'
- option dest 'lan'
- option proto 'tcp'
- option src_dport '22007'
- option dest_ip '10.11.12.7'
- option dest_port '22'
- option name 'SSH J7'
- config redirect
- option dest_port '443'
- option src 'wan'
- option name 'Mir3G HTTPS'
- option src_dport '44377'
- option target 'DNAT'
- option dest_ip '10.11.12.177'
- option dest 'lan'
- option proto 'tcp'
- config redirect
- option dest_port '22'
- option src 'wan'
- option name 'Mir3G SSH'
- option src_dport '22177'
- option target 'DNAT'
- option dest_ip '10.11.12.177'
- option dest 'lan'
- # UDP/22 serves no purpose for SSH; 'tcp' alone would do.
- option proto 'tcp udp'
- config include 'miniupnpd'
- # miniupnpd's own include script (not shown). It presumably installs dynamic
- # port mappings requested by LAN hosts, i.e. inbound WAN exposure beyond the
- # static redirects in this file; 'reload 1' re-runs it on firewall reload.
- option type 'script'
- option path '/usr/share/miniupnpd/firewall.include'
- option family 'any'
- option reload '1'
- config redirect
- option target 'DNAT'
- option name 'Wrt3200ACM'
- # 'list proto' is the list form of 'option proto'; same effect.
- list proto 'tcp'
- option src 'wan'
- option src_dport '22032'
- option dest 'lan'
- option dest_ip '10.11.12.32'
- option dest_port '22'
- config redirect
- option target 'DNAT'
- # Naming nit: this forwards to port 443, so "HTTPS" would be the accurate label.
- option name 'Wrt3200ACM HTTP'
- list proto 'tcp'
- option src 'wan'
- option src_dport '44332'
- option dest 'lan'
- option dest_ip '10.11.12.32'
- option dest_port '443'
- config redirect 'adblock_dns_53'
- # Named sections (adblock_dns_*), presumably so the adblock package can manage
- # them. No dest/dest_ip: traffic is redirected to the router's own listener
- # ('redirect to 53' in dstnat_lan). Only IPv4 rules are generated
- # (meta nfproto ipv4), so a LAN client that resolves via IPv6 bypasses the
- # filter; add IPv6 counterparts if lan carries IPv6.
- option name 'Adblock DNS, port 53'
- option src 'lan'
- option proto 'tcp udp'
- option src_dport '53'
- option dest_port '53'
- option target 'DNAT'
- config redirect 'adblock_dns_853'
- option name 'Adblock DNS, port 853'
- option src 'lan'
- option proto 'tcp udp'
- option src_dport '853'
- option dest_port '853'
- option target 'DNAT'
- config redirect 'adblock_dns_5353'
- option name 'Adblock DNS, port 5353'
- option src 'lan'
- option proto 'tcp udp'
- option src_dport '5353'
- option dest_port '5353'
- option target 'DNAT'
- config ipset
- # Three-tuple set: addr . port . addr. The entry 'foo' is not a valid element
- # and is absent from the generated set; only the two valid tuples survive.
- option name testset
- list match ip
- list match port
- list match ip
- list entry '1.1.1.1 22 2.2.2.2'
- list entry 'foo'
- list entry '4.4.4.4 33 5.0.0.1'
- config rule
- # No src/dest zone -> the rule lands in the base output chain, ahead of zone
- # dispatch. 'testset dst,dest src' binds the set positions to
- # daddr . dport . saddr; 'proto all' yields one rule each for tcp and udp
- # (the only protocols with a port for the middle field). fw4 accepts the
- # lower-case 'accept' target.
- option name SETMATCH
- option ipset 'testset dst,dest src'
- option proto all
- option target accept
- ###
- ### nftables ruleset
- ###
- # fw4's translation of the uci config above. Declare, flush and redefine are
- # applied as one nft transaction, so a reload replaces the whole table
- # atomically instead of leaving a partially built ruleset behind.
- table inet fw4
- flush table inet fw4
- table inet fw4 {
- #
- # Set definitions
- #
- # Both filter sets are declared empty; an external process fills them at
- # runtime, not fw4.
- set domain-filter-ipv4 {
- type ipv4_addr
- }
- set domain-filter-ipv6 {
- type ipv6_addr
- }
- # Concatenated key addr . port . addr from the uci 'list match ip/port/ip';
- # the invalid uci entry 'foo' was dropped.
- set testset {
- type ipv4_addr . inet_service . ipv4_addr
- elements = {
- 1.1.1.1 . 22 . 2.2.2.2,
- 4.4.4.4 . 33 . 5.0.0.1,
- }
- }
- #
- # Filter rules
- #
- chain input {
- # 'policy accept' mirrors the uci defaults 'input ACCEPT': a packet from any
- # device not dispatched to a zone chain below is accepted.
- type filter hook input priority filter; policy accept;
- iifname "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Allow inbound established and related flows"
- # Only packets with exactly SYN set go through the flood limiter.
- tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
- iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
- iifname "eth1" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
- # Zone foo has no device, so it is keyed on the source address alone.
- meta nfproto ipv4 ip saddr 192.168.123.0/24 jump input_foo comment "!fw4: Handle foo IPv4 input traffic"
- }
- chain forward {
- # Unlike input, whatever no zone chain accepted is rejected at the end
- # (uci defaults 'forward REJECT'); 'policy drop' is only the backstop.
- type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
- iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
- iifname "eth1" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
- # Also reached by eth1 traffic that forward_wan did not terminate (its
- # reject_to_wan only fires for egress eth1), so a WAN packet with a spoofed
- # 192.168.123.0/24 source and a destination in that subnet can be accepted
- # here via accept_to_foo if routing lets it through.
- meta nfproto ipv4 ip saddr 192.168.123.0/24 jump forward_foo comment "!fw4: Handle foo IPv4 forward traffic"
- jump handle_reject
- }
- chain output {
- type filter hook output priority filter; policy accept;
- oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Allow outbound established and related flows"
- # uci rule SETMATCH (no src/dest zone): evaluated before zone dispatch, one
- # rule per port-carrying protocol; set positions are daddr . dport . saddr.
- meta nfproto ipv4 meta l4proto tcp ip daddr . tcp dport . ip saddr @testset accept comment "!fw4: SETMATCH"
- meta nfproto ipv4 meta l4proto udp ip daddr . udp dport . ip saddr @testset accept comment "!fw4: SETMATCH"
- oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
- oifname "eth1" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
- meta nfproto ipv4 ip daddr 192.168.123.0/24 jump output_foo comment "!fw4: Handle foo IPv4 output traffic"
- }
- chain handle_reject {
- # REJECT semantics: TCP gets an RST, everything else an ICMP/ICMPv6
- # port-unreachable ('icmpx' picks the type matching the packet's family).
- meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
- reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
- }
- chain syn_flood {
- # 55/second is the uci 'synflood_rate'; the burst of 50 is not in the uci
- # file and is presumably fw4's default.
- tcp flags & (fin | syn | rst | ack) == syn limit rate 55/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
- drop comment "!fw4: Drop excess packets"
- }
- chain input_lan {
- # igmpproxy registers its rules over ubus at runtime; they are not in uci.
- meta nfproto ipv4 meta l4proto igmp accept comment "!fw4: ubus:igmpproxy[instance1] rule 3"
- ct status dnat accept comment "!fw4: Accept port redirections"
- jump accept_from_lan
- }
- chain output_lan {
- jump accept_to_lan
- }
- chain forward_lan {
- # Order: lan -> wan (uci forwarding), flows already DNATed, then intra-zone
- # (zone forward ACCEPT). Anything else returns to chain forward.
- jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
- ct status dnat accept comment "!fw4: Accept port forwards"
- jump accept_to_lan
- }
- chain accept_from_lan {
- iifname "br-lan" accept comment "!fw4: accept lan IPv4/IPv6 traffic"
- }
- chain accept_to_lan {
- oifname "br-lan" accept comment "!fw4: accept lan IPv4/IPv6 traffic"
- }
- chain drop_to_lan {
- oifname "br-lan" drop comment "!fw4: drop lan IPv4/IPv6 traffic"
- }
- chain input_wan {
- meta nfproto ipv4 meta l4proto igmp accept comment "!fw4: ubus:igmpproxy[instance1] rule 0"
- meta nfproto ipv4 udp dport 68 accept comment "!fw4: Allow-DHCP-Renew"
- # No rate limit on WAN ping (the uci rule carries no 'limit').
- meta nfproto ipv4 icmp type 8 accept comment "!fw4: Allow-Ping"
- ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp sport 547 udp dport 546 accept comment "!fw4: Allow-DHCPv6"
- # One uci rule, split in two: plain types, then the types fw4 pins to a
- # code (2/0 packet-too-big, 4/0 bad-header, 4/1 unknown-header-type,
- # 135/0 neighbour-solicitation, 136/0 neighbour-advertisement).
- meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second accept comment "!fw4: Allow-ICMPv6-Input"
- meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second accept comment "!fw4: Allow-ICMPv6-Input"
- # NOTE(review): the router's SSH is open to the whole WAN, IPv4 and IPv6,
- # with no source restriction and no limit beyond the generic syn_flood chain.
- tcp dport 22 accept comment "!fw4: SSH"
- # Flows that dstnat already translated (uci redirects) are accepted here.
- ct status dnat accept comment "!fw4: Accept port redirections"
- # Terminal for eth1 ingress: reject_from_wan ends in handle_reject.
- jump reject_from_wan
- }
- chain output_wan {
- jump accept_to_wan
- }
- chain forward_wan {
- # igmpproxy (ubus): keep SSDP (239.255.255.250) out of lan, allow other IPv4
- # multicast toward lan. Both jumps only act when the egress is br-lan.
- meta l4proto udp ip daddr 239.255.255.250 jump drop_to_lan comment "!fw4: ubus:igmpproxy[instance1] rule 1"
- meta l4proto udp ip daddr 224.0.0.0/4 jump accept_to_lan comment "!fw4: ubus:igmpproxy[instance1] rule 2"
- meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second accept comment "!fw4: Allow-ICMPv6-Forward"
- meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second accept comment "!fw4: Allow-ICMPv6-Forward"
- # NOTE(review): uci 'SSH via IPv6' -- TCP/22 from the WAN to any IPv6 host
- # behind br-lan, with no destination restriction.
- meta nfproto ipv6 tcp dport 22 jump accept_to_lan comment "!fw4: SSH via IPv6"
- ct status dnat accept comment "!fw4: Accept port forwards"
- # Only rejects when the egress is eth1; any other egress returns to chain
- # forward, where the foo source-address rule runs before the final reject.
- jump reject_to_wan
- }
- chain accept_to_wan {
- oifname "eth1" accept comment "!fw4: accept wan IPv4/IPv6 traffic"
- }
- chain reject_from_wan {
- iifname "eth1" jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
- }
- chain reject_to_wan {
- oifname "eth1" jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
- }
- # Zone foo is address-keyed throughout: no device match anywhere (the uci
- # extra_src/extra_dest '-i foo'/'-o foo' left no trace) and the uci subnet
- # 192.168.123.123/24 was normalised to its network address.
- chain input_foo {
- jump accept_from_foo
- }
- chain output_foo {
- jump accept_to_foo
- }
- chain forward_foo {
- jump accept_to_foo
- }
- chain accept_from_foo {
- meta nfproto ipv4 ip saddr 192.168.123.0/24 accept comment "!fw4: accept foo IPv4 traffic"
- }
- chain accept_to_foo {
- meta nfproto ipv4 ip daddr 192.168.123.0/24 accept comment "!fw4: accept foo IPv4 traffic"
- }
- #
- # NAT rules
- #
- chain dstnat {
- type nat hook prerouting priority dstnat; policy accept;
- iifname "br-lan" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
- iifname "eth1" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
- }
- chain srcnat {
- type nat hook postrouting priority srcnat; policy accept;
- # Dispatched on the ingress device even though this is postrouting; that is
- # how the lan hairpin SNAT below gets selected.
- iifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
- iifname "eth1" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
- }
- chain dstnat_lan {
- # NAT reflection (hairpin) for the uci redirects: LAN clients in
- # 192.168.1.0/24 (presumably the lan subnet of this test environment)
- # addressing the WAN address 72.1.1.1 are DNATed like outside clients. The
- # udp 22014/22177 entries exist only because those uci redirects did not
- # limit proto to tcp.
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 22014 dnat 10.11.12.14:22 comment "!fw4: SSH J400 (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 udp dport 22014 dnat 10.11.12.14:22 comment "!fw4: SSH J400 (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 51413 dnat 10.11.12.14:51413 comment "!fw4: Transmission Laptop (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 udp dport 51413 dnat 10.11.12.14:51413 comment "!fw4: Transmission Laptop (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 51414 dnat 10.11.12.7:51414 comment "!fw4: Transmission Desktop (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 udp dport 51414 dnat 10.11.12.7:51414 comment "!fw4: Transmission Desktop (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 22007 dnat 10.11.12.7:22 comment "!fw4: SSH J7 (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 44377 dnat 10.11.12.177:443 comment "!fw4: Mir3G HTTPS (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 22177 dnat 10.11.12.177:22 comment "!fw4: Mir3G SSH (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 udp dport 22177 dnat 10.11.12.177:22 comment "!fw4: Mir3G SSH (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 22032 dnat 10.11.12.32:22 comment "!fw4: Wrt3200ACM (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 72.1.1.1 tcp dport 44332 dnat 10.11.12.32:443 comment "!fw4: Wrt3200ACM HTTP (reflection)"
- # Adblock DNS: redirected to the router's own listener. IPv4 only -- DNS
- # and DoT from lan over IPv6 are not intercepted.
- meta nfproto ipv4 tcp dport 53 redirect to 53 comment "!fw4: Adblock DNS, port 53"
- meta nfproto ipv4 udp dport 53 redirect to 53 comment "!fw4: Adblock DNS, port 53"
- meta nfproto ipv4 tcp dport 853 redirect to 853 comment "!fw4: Adblock DNS, port 853"
- meta nfproto ipv4 udp dport 853 redirect to 853 comment "!fw4: Adblock DNS, port 853"
- meta nfproto ipv4 tcp dport 5353 redirect to 5353 comment "!fw4: Adblock DNS, port 5353"
- meta nfproto ipv4 udp dport 5353 redirect to 5353 comment "!fw4: Adblock DNS, port 5353"
- }
- chain srcnat_lan {
- # Second half of the hairpin: rewrite the source to the router (192.168.1.1)
- # so the LAN server's reply returns through the router and is un-NATed
- # instead of going straight back to the client.
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.14 tcp dport 22 snat 192.168.1.1 comment "!fw4: SSH J400 (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.14 udp dport 22 snat 192.168.1.1 comment "!fw4: SSH J400 (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.14 tcp dport 51413 snat 192.168.1.1 comment "!fw4: Transmission Laptop (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.14 udp dport 51413 snat 192.168.1.1 comment "!fw4: Transmission Laptop (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.7 tcp dport 51414 snat 192.168.1.1 comment "!fw4: Transmission Desktop (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.7 udp dport 51414 snat 192.168.1.1 comment "!fw4: Transmission Desktop (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.7 tcp dport 22 snat 192.168.1.1 comment "!fw4: SSH J7 (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.177 tcp dport 443 snat 192.168.1.1 comment "!fw4: Mir3G HTTPS (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.177 tcp dport 22 snat 192.168.1.1 comment "!fw4: Mir3G SSH (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.177 udp dport 22 snat 192.168.1.1 comment "!fw4: Mir3G SSH (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.32 tcp dport 22 snat 192.168.1.1 comment "!fw4: Wrt3200ACM (reflection)"
- ip saddr 192.168.1.0/24 ip daddr 10.11.12.32 tcp dport 443 snat 192.168.1.1 comment "!fw4: Wrt3200ACM HTTP (reflection)"
- }
- chain dstnat_wan {
- # Static port forwards from the uci 'redirect' sections; all IPv4-only.
- # These are the inbound WAN exposure of this ruleset together with the
- # router's SSH (input_wan) and 'SSH via IPv6' (forward_wan); miniupnpd may
- # add more at runtime through its include script.
- meta nfproto ipv4 tcp dport 22014 dnat 10.11.12.14:22 comment "!fw4: SSH J400"
- meta nfproto ipv4 udp dport 22014 dnat 10.11.12.14:22 comment "!fw4: SSH J400"
- meta nfproto ipv4 tcp dport 51413 dnat 10.11.12.14:51413 comment "!fw4: Transmission Laptop"
- meta nfproto ipv4 udp dport 51413 dnat 10.11.12.14:51413 comment "!fw4: Transmission Laptop"
- meta nfproto ipv4 tcp dport 51414 dnat 10.11.12.7:51414 comment "!fw4: Transmission Desktop"
- meta nfproto ipv4 udp dport 51414 dnat 10.11.12.7:51414 comment "!fw4: Transmission Desktop"
- meta nfproto ipv4 tcp dport 22007 dnat 10.11.12.7:22 comment "!fw4: SSH J7"
- meta nfproto ipv4 tcp dport 44377 dnat 10.11.12.177:443 comment "!fw4: Mir3G HTTPS"
- meta nfproto ipv4 tcp dport 22177 dnat 10.11.12.177:22 comment "!fw4: Mir3G SSH"
- meta nfproto ipv4 udp dport 22177 dnat 10.11.12.177:22 comment "!fw4: Mir3G SSH"
- meta nfproto ipv4 tcp dport 22032 dnat 10.11.12.32:22 comment "!fw4: Wrt3200ACM"
- meta nfproto ipv4 tcp dport 44332 dnat 10.11.12.32:443 comment "!fw4: Wrt3200ACM HTTP"
- }
- chain srcnat_wan {
- # uci 'masq 1': IPv4 only, wan6 traffic is not masqueraded.
- meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
- }
- #
- # Raw rules (notrack & helper)
- #
- chain raw_prerouting {
- type filter hook prerouting priority raw; policy accept;
- iifname "br-lan" jump helper_lan comment "!fw4: lan IPv4/IPv6 CT helper assignment"
- meta nfproto ipv4 ip saddr 192.168.123.0/24 jump helper_foo comment "!fw4: foo IPv4 CT helper assignment"
- }
- chain raw_output {
- type filter hook output priority raw; policy accept;
- }
- # No conntrack helpers are configured, hence the empty helper chains.
- chain helper_lan {
- }
- chain helper_foo {
- }
- #
- # Mangle rules
- #
- chain mangle_prerouting {
- type filter hook prerouting priority mangle; policy accept;
- # uci 'Tag Domain Filter Traffic' (MARK). There is no iifname "br-lan"
- # match here, so the uci 'src lan' restriction is not reflected: any
- # prerouting packet whose destination is in the set gets mark 0x1.
- # 'proto tcp udp icmp' became one rule per protocol and family.
- meta nfproto ipv4 meta l4proto tcp ip daddr @domain-filter-ipv4 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
- meta nfproto ipv4 meta l4proto udp ip daddr @domain-filter-ipv4 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
- meta nfproto ipv4 meta l4proto icmp ip daddr @domain-filter-ipv4 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
- meta nfproto ipv6 meta l4proto tcp ip6 daddr @domain-filter-ipv6 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
- meta nfproto ipv6 meta l4proto udp ip6 daddr @domain-filter-ipv6 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
- meta nfproto ipv6 meta l4proto ipv6-icmp ip6 daddr @domain-filter-ipv6 meta mark set 0x1 comment "!fw4: Tag Domain Filter Traffic"
- }
- chain mangle_output {
- type filter hook output priority mangle; policy accept;
- }
- chain mangle_forward {
- type filter hook forward priority mangle; policy accept;
- # uci 'mtu_fix 1': clamp the TCP MSS of SYNs to the route MTU in both
- # directions of the wan zone.
- iifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
- oifname "eth1" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
- }
- }