1>>> cat /etc/nftables.conf
#!/usr/sbin/nft -f

# Intended to be loaded with "nft -f"; the shebang also lets the file be run
# directly.  "flush ruleset" discards every table currently loaded in the
# kernel -- including any that are not defined in this file -- before the
# tables below are created, so a reload never leaves stale rules behind.
flush ruleset
7
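table inet filter {
    # Host firewall for both IPv4 and IPv6 (the "inet" family).  The input
    # chain has a reject rule at the end, so "policy drop" is only a fallback.
    chain input {
        type filter hook input priority 0; policy drop;

        # Loopback is unconditionally trusted.
        iif lo accept

        # Replies to connections this host initiated.
        ct state established,related accept

        # Packets conntrack cannot associate with any flow (bad TCP flags,
        # out-of-window segments, ...) are counted and dropped.
        ct state invalid counter drop

        # HTTP and HTTPS from anywhere.
        tcp dport { 80, 443 } accept

        # SSH only from the two listed IPv4 management addresses.  There is no
        # IPv6 counterpart, so SSH over IPv6 falls through to the reject below.
        tcp dport ssh ip saddr { 85.13.68.41, 85.13.68.42 } accept

        # MariaDB front ports.  NOTE(review): packets arriving on the WAN
        # interface for these ports are DNATed to the backend hosts in
        # "table ip nat" before routing, so they traverse the forward chain,
        # not this one.  This rule only governs packets addressed to the
        # firewall itself (e.g. from the LAN side); if nothing listens on these
        # ports locally, consider removing it or restricting it with "ip saddr"
        # the way SSH is restricted above.
        tcp dport { 13306, 23306 } accept

        # DNS (TCP and UDP) only from the two backend hosts on the LAN.
        tcp dport 53 ip saddr { 192.168.1.12, 192.168.1.13 } accept
        udp dport 53 ip saddr { 192.168.1.12, 192.168.1.13 } accept

        # All of ICMP (IPv4).
        ip protocol icmp accept

        # All of ICMPv6.  Matched on the transport protocol rather than
        # "ip6 nexthdr" so packets carrying IPv6 extension headers (where the
        # fixed header's next-header field is not ICMPv6) are accepted too;
        # ICMPv6 is needed for neighbour discovery and PMTU to work at all.
        meta l4proto ipv6-icmp accept

        # Everything else is counted and actively rejected.  The reject makes
        # the host visible to WAN port scanners; change it to "counter drop"
        # if silent discard on the WAN side is preferred.
        counter reject with icmpx type admin-prohibited
    }

    # wan = ens192, lan = ens224
    chain forward {
        type filter hook forward priority 0; policy drop;

        # LAN -> WAN: anything.  Only 192.168.1.12/.13 are masqueraded in
        # "table ip nat"; any other LAN host leaves with its private source
        # address -- confirm that is intended.
        iifname "ens224" oifname "ens192" accept

        # WAN -> LAN: replies to flows initiated from the LAN side.
        iifname "ens192" oifname "ens224" ct state related,established accept

        # WAN -> LAN: new connections that "table ip nat" DNATed to the MariaDB
        # backends (13306 -> 192.168.1.12:3306, 23306 -> 192.168.1.13:3306).
        # Without this rule those connections hit "policy drop" here and the
        # port forwarding never works; "ct status dnat" restricts it to flows
        # the nat table actually rewrote.
        iifname "ens192" oifname "ens224" ct status dnat ip daddr { 192.168.1.12, 192.168.1.13 } tcp dport mysql accept
    }

    # Locally generated traffic is not filtered.
    chain output {
        type filter hook output priority 0; policy accept;
    }
}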
63
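table ip nat {
    # Port forwarding for the MariaDB backends: external ports 13306 and
    # 23306 on the WAN interface (matched by interface index, "iif") are
    # rewritten to port 3306 on the two LAN hosts.  The priority is the
    # conventional "dstnat" value (-100) so DNAT runs before any filter or
    # mangle prerouting chain that may be added later; with no other
    # prerouting chains in this ruleset the change has no visible effect.
    # The rewritten connections still have to be accepted by the forward
    # chain of the filter table (WAN -> LAN, new state), or they are dropped.
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        iif "ens192" tcp dport 13306 dnat to 192.168.1.12:mysql
        iif "ens192" tcp dport 23306 dnat to 192.168.1.13:mysql
    }

    # Source NAT for the two backend hosts when they leave through the WAN.
    # Only these two addresses are masqueraded; other LAN hosts that the
    # forward chain lets through keep their private source address.
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr { 192.168.1.12, 192.168.1.13 } oif "ens192" masquerade
    }
}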