1>>> cat /etc/nftables.conf
#!/usr/sbin/nft -f

# Remove every table currently loaded in the kernel before the tables below
# are defined, so this file is the complete ruleset and not an addition to
# whatever was loaded before (e.g. leftovers from a previous, looser config).
flush ruleset

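# Host firewall plus forwarding policy for the router (wan = ens192, lan = ens224).
# The inet family means these chains see both IPv4 and IPv6 traffic.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # accept any localhost traffic
        iif lo accept

        # accept traffic originated from us
        ct state established,related accept

        # drop invalid packets
        ct state invalid counter drop

        # accept http, and https from anywhere
        tcp dport { 80, 443 } accept

        # accept ssh only from these IPs
        tcp dport ssh ip saddr { 85.13.68.14, 85.13.68.15 } accept

        # MariaDB - server db01 / db02.
        # Connections for these ports that arrive on the WAN interface are
        # DNAT'd in table ip nat (prerouting) and therefore pass through
        # chain forward, not this chain; these rules only apply to packets
        # addressed to the firewall itself that were not translated.
        tcp dport 13306 ip saddr { 85.13.68.14, 85.13.68.15 } accept
        tcp dport 23306 ip saddr { 85.13.68.14, 85.13.68.15 } accept

        # accept DNS queries from these IPs
        tcp dport 53 ip saddr { 192.168.1.12, 192.168.1.13 } accept
        udp dport 53 ip saddr { 192.168.1.12, 192.168.1.13 } accept

        # accept icmp
        ip protocol icmp accept

        # accept all icmpv6
        ip6 nexthdr icmpv6 accept

        # count and reject everything else
        counter reject with icmpx type admin-prohibited
    }

    # allow packets from LAN to WAN, and WAN to LAN if LAN initiated the connection + allow DNAT from WAN
    # wan = ens192, lan = ens224
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname "ens224" oifname "ens192" accept
        iifname "ens192" oifname "ens224" ct state related,established accept

        # The DNAT'd MariaDB port forwards from table ip nat are decided here,
        # not in chain input, so the "only from these IPs" restriction has to
        # be enforced here too. Accepting every DNAT'd connection unconditionally
        # would expose the forwarded MariaDB ports to any WAN host.
        iifname "ens192" ip saddr { 85.13.68.14, 85.13.68.15 } ct status dnat accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }

}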
70
# IPv4 NAT: port-forward the two external MariaDB ports to the internal
# servers and masquerade those servers' outbound traffic on the WAN side.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 100; policy accept;
        # Only connections entering on the WAN interface are translated;
        # the destination port is rewritten to the standard mysql port.
        # NOTE(review): iif resolves the interface index when the ruleset is
        # loaded, so this table fails to load if ens192 does not exist yet;
        # the filter table matches by name with iifname instead - confirm
        # which behaviour is wanted before changing it.
        iif "ens192" tcp dport 13306 dnat to 192.168.1.12:mysql
        iif "ens192" tcp dport 23306 dnat to 192.168.1.13:mysql
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Both DB hosts leave through the WAN interface with its address as source.
        oif "ens192" ip saddr { 192.168.1.12, 192.168.1.13 } masquerade
    }
}
83}