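#!/usr/sbin/nft -f
# Host firewall: IPv4 NAT redirect for a trusted /29, plus default-drop
# input and output filter chains.
#
# The shebang uses the interpreter path directly: on Linux everything after
# the interpreter in a shebang is passed as ONE argument, so
# `#!/usr/bin/env nft -f` makes env look for a program literally named
# "nft -f" and fails. Loading the file with `nft -f <file>` works either way.
#
# NOTE: this is a `table ip`, i.e. IPv4 only. Nothing here applies to IPv6;
# if IPv6 is enabled on the host, its input/output hooks keep the kernel
# default (accept) unless an ip6 or inet table is added.

flush ruleset

table ip Inet4 {
	chain NAT_in {
		type nat hook prerouting priority -100

		# Trusted hosts: HTTPS from this /29 is redirected to local port 444
		# before the input filter runs. FilterIn accepts these flows via
		# `ct status dnat` rather than by port, since dport is 444 by then.
		tcp dport 443 ip saddr 192.168.1.96/29 redirect to 444
	}

	chain NAT_out {
		type nat hook postrouting priority 100

		# Masquerade any flow whose destination was rewritten by NAT_in.
		# For the redirect above the destination is the host itself, so this
		# only matters if a forwarding DNAT rule is ever added to NAT_in.
		ct status dnat masquerade
	}

	chain FilterIn {
		type filter hook input priority 0
		policy drop

		# allow established/related connections
		ct state {established, related} accept

		# early drop of invalid connections
		ct state invalid drop

		# allow from loopback
		meta iif lo accept

		# allow icmp (all types; narrow by `icmp type` if a smaller
		# surface is wanted)
		ip protocol icmp accept

		# trusted https: flows redirected by NAT_in (the only DNAT rule in
		# this ruleset). Must precede the port-443 rule, which would not
		# match them after the redirect.
		ct status dnat accept

		# https
		tcp dport 443 accept

		# xmpp client
		tcp dport 5222 accept

		# xmpp server
		tcp dport 5269 accept

		# xmpp components
		tcp dport 5347 accept

		# No management port (e.g. SSH) is opened; anything else is dropped
		# by the chain policy.
	}

	chain FilterOut {
		type filter hook output priority 0
		policy drop

		ct state {established, related} accept
		meta oif lo accept

		# DNS resolvers. These rules match on address only, so any protocol
		# or port to these hosts is allowed, not just 53.
		ip daddr 80.67.169.12 accept
		ip daddr 80.67.169.40 accept
		ip daddr 87.98.175.85 accept
		ip daddr 5.135.183.146 accept
		ip daddr 8.8.8.8 accept

		# The XMPP daemon may open outbound connections (s2s, etc.); every
		# other new outbound flow, including outbound ICMP echo, is dropped
		# by the chain policy.
		meta skuid prosody accept
	}
}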