mirror of
https://github.com/speatzle/nfsense.git
synced 2025-05-10 18:38:22 +00:00
44 lines
1.1 KiB
Cheetah
44 lines
1.1 KiB
Cheetah
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
# Address object ipsets
|
|
{{template "addresses.tmpl" .}}
|
|
|
|
# nfsense nftables inet (ipv4 + ipv6) table
|
|
table inet nfsense_inet {
|
|
|
|
# Inbound Rules
|
|
chain inbound {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# Allow traffic from established and related packets, drop invalid
|
|
ct state vmap { established : accept, related : accept, invalid : drop }
|
|
|
|
# allow loopback traffic
|
|
iifname lo accept
|
|
{{template "inbound_rules.tmpl" .}}
|
|
}
|
|
|
|
# Forward Rules
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
|
|
# Allow traffic from established and related packets, drop invalid
|
|
ct state vmap { established : accept, related : accept, invalid : drop }
|
|
{{template "forward_rules.tmpl" .}}
|
|
}
|
|
|
|
# Destination NAT Rules
|
|
chain prerouting {
|
|
type nat hook prerouting priority -100; policy accept;
|
|
{{template "destination_nat_rules.tmpl" .}}
|
|
}
|
|
|
|
# Source NAT Rules
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100; policy accept;
|
|
{{template "source_nat_rules.tmpl" .}}
|
|
}
|
|
}
|
|
|