Do you mind sharing an example config?
Sure. Note that splitting the config into separate files is just my workflow preference; essentially everything can go into /etc/nftables.config instead. That file needs to be created manually, as it is not done automatically when installing kmod-nft-core and nftables.
Mind you, this example has not been tested on TO and was just lifted off one of my other L nodes as a basic template.
/etc/nftables.config
#!/usr/sbin/nft -f
# Entry point loaded with `nft -f`. It only pulls in the split files below;
# nft processes includes sequentially, so their order matters.
# `flush ruleset` discards every table currently in the kernel, including any
# created by other tooling on the host -- intended here, since this file is
# meant to own the whole ruleset.
flush ruleset
# Base tables/chains (hooks and priorities) first, so the later files can add
# rules to chains that already exist.
include "/etc/fw/rules"
# Variables must be defined before any file that references them
# (/etc/fw/wan uses $nic).
include "/etc/fw/defines"
# include "/etc/fw/sets"
# /etc/fw/sets and /etc/fw/global are not shown in this post.
include "/etc/fw/global"
include "/etc/fw/lan"
include "/etc/fw/wan"
include "/etc/fw/meter"
/etc/fw/rules
# NETDEV
# Skeleton declaring every base chain. None of them sets `policy`, so each
# chain defaults to accept: nothing is dropped anywhere until rules or a
# `policy drop;` are added in the other files.
table netdev filter {
chain nic {
# Hard-codes ens3 although /etc/fw/defines has `define nic = ens3` for the
# same interface -- keep the two in sync if the NIC changes.
type filter hook ingress device ens3 priority 0;
}
}
# NAT
# No family keyword, so this is the ip (IPv4-only) family.
table nat {
chain prerouting {
# DNAT chain. Priority 0 is later than the conventional dstnat priority
# (-100); fine as long as nothing else hooks prerouting at priority 0 and
# needs the pre-NAT destination.
type nat hook prerouting priority 0;
}
chain postrouting {
# SNAT/masquerade chain at the conventional srcnat priority (100).
type nat hook postrouting priority 100;
}
}
# BRIDGE
table bridge filter {
chain input {
type filter hook input priority -200;
}
chain forward {
type filter hook forward priority -200;
}
chain output {
type filter hook output priority -200;
}
}
# ROUTE
# (no route table defined)
# ARP
table arp filter {
chain input {
type filter hook input priority 0;
}
chain output {
type filter hook output priority 0;
}
}
# RAW
table raw {
chain prerouting {
# -300 runs before conntrack (-200), so `ct` state is not yet available to
# rules in this chain.
type filter hook prerouting priority -300;
}
chain postrouting {
# Same priority as the nat postrouting chain; their relative order is not
# guaranteed.
type filter hook postrouting priority 100;
}
}
# Main filter table for IPv4 and IPv6 (inet family); the other files add
# their rules to these three chains.
table inet filter {
chain input {
type filter hook input priority 0;
}
chain forward {
type filter hook forward priority 0;
}
chain output {
type filter hook output priority 0;
}
}
/etc/fw/defines
# VARIABLES
# interfaces
# WAN-facing interface, referenced as $nic by the masquerade rule in
# /etc/fw/wan. /etc/fw/rules hard-codes ens3 on its netdev chain instead of
# using this variable.
define nic = ens3
# network ranges
# VPN client network. Not referenced by any file shown in this post. The name
# reads "opvn" while the meter in /etc/fw/meter is called ovpn-meter --
# probably a typo. The value carries host bits (.1/24); nft masks them when
# used as a prefix match -- verify on the target nft version.
define opvn = 172.25.120.1/24
/etc/fw/meter
table netdev filter {
chain nic {
# Rate limiting on the ingress hook. The chain is declared in /etc/fw/rules
# without a policy, so it defaults to accept.
# global
# `limit rate` (without `over`) matches while the source is UNDER the rate,
# and the verdict is `continue`, so a match just carries on; an over-limit
# packet does not match and carries on too. As written this only populates
# the meter for inspection (`nft list meter`) and drops nothing. To actually
# limit, match the excess instead: `limit rate over ... } drop`.
meter global-meter { ip saddr limit rate 50/second burst 25 packets } continue
# ssh wan
# tcp dport 51030 meter ssh-meter { ip saddr limit rate 10/minute burst 3 packets } accept
# vpn
# Under-limit packets are accepted here; over-limit ones fall through to the
# end of the chain and, with the default accept policy, are accepted anyway.
# A trailing `udp dport 61023 drop` (or `policy drop;` on the chain, which
# then needs explicit accepts for everything else) is required for the limit
# to have any effect. The same applies to the commented-out ssh meter.
udp dport 61023 meter ovpn-meter { ip saddr limit rate 10/minute burst 7 packets } accept
}
}
# Placeholder chains: no meter-related rules in the inet filter yet.
table inet filter {
chain input {
}
chain forward {
}
chain output {
}
}
/etc/fw/wan
table nat {
chain prerouting {
# `table nat` without a family keyword is the ip (IPv4) family.
# vpn
# Forward the redacted public address/port (xxx placeholders) to the VPN host.
ip daddr xxx.xxx.xxx.xxx udp dport xxxxx dnat to 172.25.120.2
# ssh wan
# Disabled ssh forward. Its target 172.23.120.98 is a different network from
# the 172.25.120.0/24 VPN range used elsewhere -- check it is not a typo
# before enabling.
# ip daddr xxx.xxx.xxx.xxx tcp dport xxxxx dnat to 172.23.120.98:56009
}
chain postrouting {
# Source-NAT everything leaving the WAN interface. $nic comes from
# /etc/fw/defines, which /etc/nftables.config includes before this file.
meta oifname $nic masquerade
}
}
# Placeholder chains: no WAN-specific filter rules yet. Because the chains in
# /etc/fw/rules have no policy (default accept), the DNATed traffic above is
# forwarded without any explicit allow rule -- and so is everything else.
table inet filter {
chain input {
}
chain forward {
}
chain output {
}
}
/etc/fw/lan
table bridge filter {
# Placeholder bridge-family chains (declared in /etc/fw/rules); no rules yet.
chain input {
}
chain forward {
}
chain output {
}
}
table inet filter {
chain input {
# lo
meta iifname lo accept
# bridge zones
# Wildcard interface match: any interface whose name starts with "br"
# (quote it as "br*" if the nft version in use rejects the bare asterisk).
# These accepts only matter once the chain has a drop policy or drop rules;
# as declared in /etc/fw/rules it defaults to accept.
meta iifname br* accept
}
chain forward {
# bridge
# Allow forwarding to and from any bridge interface; same caveat as above.
meta oifname br* accept
meta iifname br* accept
}
}
That is not true and needs to be corrected, as apparently it is split into 7 kernel modules.