mirror of
https://github.com/speatzle/nfsense.git
synced 2025-05-10 10:38:20 +00:00
48 lines
1.3 KiB
Cheetah
48 lines
1.3 KiB
Cheetah
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
# Address object ipsets
|
|
{{template "addresses.tmpl" .}}
|
|
|
|
# nfsense nftables inet (ipv4 + ipv6) table
|
|
table inet nfsense_inet {
|
|
|
|
# Inbound Rules
|
|
chain inbound {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# Allow traffic from established and related packets, drop invalid
|
|
ct state vmap { established : accept, related : accept, invalid : drop }
|
|
|
|
# allow loopback traffic, anything else jump to chain for further evaluation
|
|
iifname vmap { lo : accept, $DEV_WORLD : jump inbound_world, $DEV_PRIVATE : jump inbound_private }
|
|
|
|
{{template "inbound_rules.tmpl" .}}
|
|
}
|
|
|
|
# Forward Rules
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
|
|
# Allow traffic from established and related packets, drop invalid
|
|
ct state vmap { established : accept, related : accept, invalid : drop }
|
|
|
|
{{template "forward_rules.tmpl" .}}
|
|
}
|
|
|
|
# Destination NAT Rules
|
|
chain prerouting {
|
|
type nat hook prerouting priority -100; policy accept;
|
|
|
|
{{template "destination_nat_rules.tmpl" .}}
|
|
}
|
|
|
|
# Source NAT Rules
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100; policy accept;
|
|
|
|
{{template "source_nat_rules.tmpl" .}}
|
|
}
|
|
}
|
|
|