
iptb Wireguard

von Alternativende

  1. root@Home:~# fw3 print -S
  2. Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
  3. Section @include[0] is not marked as compatible with fw4, ignoring section
  4. Section @include[0] requires 'option fw4_compatible 1' to be considered compatible
  # Declare the table (harmless if it already exists) and then empty it, so the
  # full definition that follows replaces the previously loaded fw4 rules
  # instead of appending to them.
  5. table inet fw4
  6. flush table inet fw4
  7.  
  8. table inet fw4 {
              # Generated OpenWrt fw4 ruleset with three zones: lan (br-lan), wan (pppoe-wan)
              # and VPN (WG0, the WireGuard interface). The warnings printed above this dump
              # show that the legacy @include[0] section was skipped, so nothing from that
              # include is part of this table.
  9.         #
  10.         # Defines
  11.         #
  12.  
              # Zone devices and subnets as fw4 derived them. None of these defines is
              # referenced by a rule in this dump; the rules below match interface
              # names and addresses literally.
  13.         define lan_devices = { "br-lan" }
  14.         define lan_subnets = { 192.168.178.0/24, 2003:c7:4f28:c401::/64, fd3b:ec65:a318::/64 }
  15.  
  16.         define wan_devices = { "pppoe-wan" }
  17.         define wan_subnets = { 79.239.16.37, fe80::5c90:7c4:741:2acc, 2003:c7:4fff:290e::/64 }
  18.  
  19.         define VPN_devices = { "WG0" }
  20.         define VPN_subnets = { 192.168.20.0/24, fd42:42:42::/64, 2003:c7:4f28:c400::/64 }
  21.  
  22.  
  23.         #
  24.         # User includes
  25.         #
  26.  
              # Every *.nft file in this directory is spliced into the table at load
              # time; write access to that directory is effectively write access to
              # the firewall.
  27.         include "/etc/nftables.d/*.nft"
  28.  
  29.  
  30.         #
  31.         # Filter rules
  32.         #
  33.  
              # Traffic addressed to the router itself. The policy is accept: a packet
              # arriving on an interface that matches none of the iifname jumps below
              # (i.e. an interface not assigned to a zone) is accepted by policy.
              # Only the wan zone ends in an explicit reject (see reject_from_wan).
  34.         chain input {
  35.                 type filter hook input priority filter; policy accept;
  36.  
  37.                 iifname "lo" accept comment "!fw4: Accept traffic from loopback"
  38.  
  39.                 ct state established,related accept comment "!fw4: Allow inbound established and related flows"
                      # Only SYN-only segments (new connection attempts) are rate limited;
                      # in-flight handshake replies carry ACK and are not counted.
  40.                 tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
  41.                 iifname "br-lan" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
  42.                 iifname "pppoe-wan" jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
  43.                 iifname "WG0" jump input_VPN comment "!fw4: Handle VPN IPv4/IPv6 input traffic"
  44.         }
  45.  
              # Routed traffic. Anything not accepted by a zone chain reaches the final
              # jump to handle_reject, so unmatched forwards are actively rejected
              # (TCP RST / ICMP unreachable) rather than silently dropped by the policy.
  46.         chain forward {
  47.                 type filter hook forward priority filter; policy drop;
  48.  
  49.                 ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
  50.                 iifname "br-lan" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
  51.                 iifname "pppoe-wan" jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
  52.                 iifname "WG0" jump forward_VPN comment "!fw4: Handle VPN IPv4/IPv6 forward traffic"
  53.                 jump handle_reject
  54.         }
  55.  
              # Traffic originated by the router. Policy accept; the zone chains below
              # only add accept rules, so nothing the router sends is filtered here.
  56.         chain output {
  57.                 type filter hook output priority filter; policy accept;
  58.  
  59.                 oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
  60.  
  61.                 ct state established,related accept comment "!fw4: Allow outbound established and related flows"
  62.                 oifname "br-lan" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
  63.                 oifname "pppoe-wan" jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
  64.                 oifname "WG0" jump output_VPN comment "!fw4: Handle VPN IPv4/IPv6 output traffic"
  65.         }
  66.  
              # Conntrack helper assignment hook; helper_lan is empty, so no ALG
              # helpers are attached to lan flows.
  67.         chain prerouting {
  68.                 type filter hook prerouting priority filter; policy accept;
  69.                 iifname "br-lan" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
  70.         }
  71.  
              # Shared reject action: TCP gets a RST, everything else an ICMP/ICMPv6
              # port-unreachable. Note this answers probes instead of dropping them.
  72.         chain handle_reject {
  73.                 meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
  74.                 reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
  75.         }
  76.  
              # SYN packets within 25/s (burst 50) return to the input chain for normal
              # evaluation; anything above that rate is dropped here.
  77.         chain syn_flood {
  78.                 limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
  79.                 drop comment "!fw4: Drop excess packets"
  80.         }
  81.  
              # lan zone: unrestricted access to the router (no port filtering).
  82.         chain input_lan {
  83.                 jump accept_from_lan
  84.         }
  85.  
  86.         chain output_lan {
  87.                 jump accept_to_lan
  88.         }
  89.  
              # lan may forward to wan and to lan. There is no accept_to_VPN here, so
              # new connections from lan hosts to VPN clients fall through to the
              # forward chain's handle_reject; only replies (established,related) pass.
  90.         chain forward_lan {
  91.                 jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
  92.                 jump accept_to_lan
  93.         }
  94.  
  95.         chain helper_lan {
  96.         }
  97.  
  98.         chain accept_from_lan {
  99.                 iifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
  100.         }
  101.  
  102.         chain accept_to_lan {
  103.                 oifname "br-lan" counter accept comment "!fw4: accept lan IPv4/IPv6 traffic"
  104.         }
  105.  
              # wan zone, traffic to the router: only the explicitly listed services
              # (DHCP renew, ping, IGMP, DHCPv6, MLD, rate-limited ICMPv6) plus
              # anything already DNATed by dstnat_wan. Everything else is rejected.
  106.         chain input_wan {
  107.                 meta nfproto ipv4 udp dport 68 counter accept comment "!fw4: Allow-DHCP-Renew"
  108.                 meta nfproto ipv4 icmp type 8 counter accept comment "!fw4: Allow-Ping"
  109.                 meta nfproto ipv4 meta l4proto igmp counter accept comment "!fw4: Allow-IGMP"
  110.                 ip6 saddr fc00::/6 ip6 daddr fc00::/6 udp dport 546 counter accept comment "!fw4: Allow-DHCPv6"
  111.                 ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { 130 . 0, 131 . 0, 132 . 0, 143 . 0 } counter accept comment "!fw4: Allow-MLD"
  112.                 meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
  113.                 meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Input"
                      # Admits the 51902 redirect from dstnat_wan (TCP and UDP).
  114.                 ct status dnat accept comment "!fw4: Accept port redirections"
  115.                 jump reject_from_wan
  116.         }
  117.  
  118.         chain output_wan {
  119.                 jump accept_to_wan
  120.         }
  121.  
              # wan zone, inbound routed traffic. IPv6 is not NATed (srcnat_wan is
              # IPv4-only), so this chain is what shields the globally addressed lan
              # and VPN hosts: only ICMPv6, IPsec ESP/ISAKMP towards lan and DNATed
              # port forwards are accepted. reject_to_wan matches oifname "pppoe-wan"
              # only, so wan->lan traffic that reaches it returns and is rejected by
              # the forward chain's final handle_reject jump instead.
  122.         chain forward_wan {
  123.                 meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
  124.                 meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second counter accept comment "!fw4: Allow-ICMPv6-Forward"
  125.                 meta l4proto esp counter jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
  126.                 udp dport 500 counter jump accept_to_lan comment "!fw4: Allow-ISAKMP"
  127.                 ct status dnat accept comment "!fw4: Accept port forwards"
  128.                 jump reject_to_wan
  129.         }
  130.  
  131.         chain accept_to_wan {
  132.                 oifname "pppoe-wan" counter accept comment "!fw4: accept wan IPv4/IPv6 traffic"
  133.         }
  134.  
  135.         chain reject_from_wan {
  136.                 iifname "pppoe-wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
  137.         }
  138.  
  139.         chain reject_to_wan {
  140.                 oifname "pppoe-wan" counter jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
  141.         }
  142.  
              # VPN zone, traffic to the router: accept_from_VPN has no port filter,
              # so WireGuard peers reach every router service, same as lan hosts.
  143.         chain input_VPN {
  144.                 ct status dnat accept comment "!fw4: Accept port redirections"
  145.                 jump accept_from_VPN
  146.         }
  147.  
  148.         chain output_VPN {
  149.                 jump accept_to_VPN
  150.         }
  151.  
              # VPN peers may forward into lan and out to wan without restriction;
              # narrow accept_to_lan here if peers should only reach specific hosts.
              # reject_to_VPN matches oifname "WG0", so peer-to-peer traffic hairpinned
              # through the router is rejected; traffic to any other interface returns
              # and hits the forward chain's handle_reject.
  152.         chain forward_VPN {
  153.                 jump accept_to_lan comment "!fw4: Accept VPN to lan forwarding"
  154.                 jump accept_to_wan comment "!fw4: Accept VPN to wan forwarding"
  155.                 ct status dnat accept comment "!fw4: Accept port forwards"
  156.                 jump reject_to_VPN
  157.         }
  158.  
  159.         chain accept_from_VPN {
  160.                 iifname "WG0" counter accept comment "!fw4: accept VPN IPv4/IPv6 traffic"
  161.         }
  162.  
  163.         chain accept_to_VPN {
  164.                 oifname "WG0" counter accept comment "!fw4: accept VPN IPv4/IPv6 traffic"
  165.         }
  166.  
  167.         chain reject_to_VPN {
  168.                 oifname "WG0" counter jump handle_reject comment "!fw4: reject VPN IPv4/IPv6 traffic"
  169.         }
  170.  
  171.  
  172.         #
  173.         # NAT rules
  174.         #
  175.  
  176.         chain dstnat {
  177.                 type nat hook prerouting priority dstnat; policy accept;
  178.                 iifname "pppoe-wan" jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
  179.                 iifname "WG0" jump dstnat_VPN comment "!fw4: Handle VPN IPv4/IPv6 dstnat traffic"
  180.         }
  181.  
  182.         chain srcnat {
  183.                 type nat hook postrouting priority srcnat; policy accept;
  184.                 oifname "br-lan" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
  185.                 oifname "pppoe-wan" jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
  186.                 oifname "WG0" jump srcnat_VPN comment "!fw4: Handle VPN IPv4/IPv6 srcnat traffic"
  187.         }
  188.  
              # VPN client traffic entering the lan is masqueraded to the router's
              # br-lan address, so lan hosts and their logs see the router rather than
              # the individual VPN client.
  189.         chain srcnat_lan {
  190.                 ip saddr 192.168.20.0/24 masquerade comment "!fw4: VPN"
  191.         }
  192.  
              # WireGuard port forward from wan to 192.168.178.1:51902 (inside the lan
              # subnet; presumably the router's own lan address, i.e. a redirect to the
              # local WireGuard listener). WireGuard is UDP-only, so the TCP rule
              # forwards nothing useful and could be dropped to keep the exposed
              # surface to the protocol actually served.
  193.         chain dstnat_wan {
  194.                 meta nfproto ipv4 tcp dport 51902 counter dnat 192.168.178.1:51902 comment "!fw4: WIREGUARD"
  195.                 meta nfproto ipv4 udp dport 51902 counter dnat 192.168.178.1:51902 comment "!fw4: WIREGUARD"
  196.         }
  197.  
              # IPv4-only masquerade; IPv6 leaves the wan with its real source address.
  198.         chain srcnat_wan {
  199.                 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
  200.         }
  201.  
              # NAT reflection (hairpin) for VPN clients that address the public
              # 79.239.16.37:51902 endpoint: rewrite the destination to the same
              # internal target as dstnat_wan. Note the public address is hard-coded
              # here; it has to be regenerated whenever the pppoe address changes.
  202.         chain dstnat_VPN {
  203.                 ip saddr 192.168.20.0/24 ip daddr 79.239.16.37 tcp dport 51902 dnat 192.168.178.1:51902 comment "!fw4: WIREGUARD (reflection)"
  204.                 ip saddr 192.168.20.0/24 ip daddr 79.239.16.37 udp dport 51902 dnat 192.168.178.1:51902 comment "!fw4: WIREGUARD (reflection)"
  205.         }
  206.  
              # Second half of the reflection: reflected flows get 192.168.20.1 as
              # source (presumably the router's WG0 address) so replies come back
              # through the tunnel. The final rule masquerades all other IPv4 leaving
              # via WG0, so VPN peers see the router for anything forwarded to them.
  207.         chain srcnat_VPN {
  208.                 ip saddr 192.168.20.0/24 ip daddr 192.168.178.1 tcp dport 51902 snat 192.168.20.1 comment "!fw4: WIREGUARD (reflection)"
  209.                 ip saddr 192.168.20.0/24 ip daddr 192.168.178.1 udp dport 51902 snat 192.168.20.1 comment "!fw4: WIREGUARD (reflection)"
  210.                 meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 VPN traffic"
  211.         }
  212.  
  213.  
  214.         #
  215.         # Raw rules (notrack)
  216.         #
  217.  
              # No notrack rules configured; every flow is conntracked.
  218.         chain raw_prerouting {
  219.                 type filter hook prerouting priority raw; policy accept;
  220.         }
  221.  
  222.         chain raw_output {
  223.                 type filter hook output priority raw; policy accept;
  224.         }
  225.  
  226.  
  227.         #
  228.         # Mangle rules
  229.         #
  230.  
  231.         chain mangle_prerouting {
  232.                 type filter hook prerouting priority mangle; policy accept;
  233.         }
  234.  
  235.         chain mangle_postrouting {
  236.                 type filter hook postrouting priority mangle; policy accept;
  237.         }
  238.  
  239.         chain mangle_input {
  240.                 type filter hook input priority mangle; policy accept;
  241.         }
  242.  
  243.         chain mangle_output {
  244.                 type route hook output priority mangle; policy accept;
  245.         }
  246.  
              # TCP MSS clamping to the route MTU on SYN segments crossing the PPPoE
              # and WireGuard interfaces, both of which have a reduced MTU; avoids
              # PMTU black holes for forwarded flows.
  247.         chain mangle_forward {
  248.                 type filter hook forward priority mangle; policy accept;
  249.                 iifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
  250.                 oifname "pppoe-wan" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
  251.                 iifname "WG0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone VPN IPv4/IPv6 ingress MTU fixing"
  252.                 oifname "WG0" tcp flags syn tcp option maxseg size set rt mtu comment "!fw4: Zone VPN IPv4/IPv6 egress MTU fixing"
  253.         }
  254. }

