################################
#define MX_PORTS = { 25, 110, 143, 465, 587, 993, 995 }
-define WS_PORTS = { 80, 443 }
################################
# reset nftables
################################
-create table ip efg_filter
-create table ip efg_nat
-create table ip6 efg_filter
+create table ip efg-filter
+create table ip efg-nat
+create table ip6 efg-filter
-create chain ip efg_filter input { type filter hook input priority 0; policy drop; }
-create chain ip efg_filter forward { type filter hook forward priority 0; policy drop; }
-create chain ip efg_filter output { type filter hook output priority 0; policy drop; }
-create chain ip efg_nat prerouting { type nat hook prerouting priority 0; policy accept; }
-create chain ip efg_nat postrouting { type nat hook postrouting priority 0; policy accept; }
-create chain ip6 efg_filter input { type filter hook input priority 0; policy accept; }
-create chain ip6 efg_filter forward { type filter hook forward priority 0; policy drop; }
-create chain ip6 efg_filter output { type filter hook output priority 0; policy accept; }
+create chain ip efg-filter input { type filter hook input priority 0; policy drop; }
+create chain ip efg-filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip efg-filter output { type filter hook output priority 0; policy drop; }
+create chain ip efg-nat prerouting { type nat hook prerouting priority 0; policy accept; }
+create chain ip efg-nat postrouting { type nat hook postrouting priority 0; policy accept; }
+create chain ip6 efg-filter input { type filter hook input priority 0; policy accept; }
+create chain ip6 efg-filter forward { type filter hook forward priority 0; policy drop; }
+create chain ip6 efg-filter output { type filter hook output priority 0; policy accept; }
################################
# NAT prerouting rules
################################
-add rule ip efg_nat prerouting \
+add rule ip efg-nat prerouting \
iifname $EXTERNAL_ACE_IF \
ip daddr $PUBLIC_ACE_VPN_IPV4 udp dport 1194 \
counter dnat $VPN_INTERNAL_IPV4 comment "Incoming VPN traffic"
-#add rule ip efg_nat prerouting \
+#add rule ip efg-nat prerouting \
# iifname $EXTERNAL_ACE_IF \
# ip daddr $PUBLIC_ACE_MX_IPV4 tcp dport $MX_PORTS \
# counter dnat $MX_PERIMETER_IPV4 comment "Incoming MX traffic"
-add rule ip efg_nat prerouting \
+add rule ip efg-nat prerouting \
iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
ip daddr $PUBLIC_ACE_NS_IPV4 udp dport 53 \
counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (udp)"
-add rule ip efg_nat prerouting \
+add rule ip efg-nat prerouting \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
ip daddr $PUBLIC_ACE_NS_IPV4 tcp dport 53 \
counter dnat $ENS_PERIMETER_IPV4 comment "Incoming DNS requests (tcp)"
-add rule ip efg_nat prerouting \
+add rule ip efg-nat prerouting \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport $WS_PORTS \
+ ip daddr $PUBLIC_ACE_WS_IPV4 tcp dport { http, https } \
counter dnat $WS_PERIMETER_IPV4 comment "Incoming http(s) requests"
# FILTER input rules
################################
-add rule ip efg_filter input \
+add rule ip efg-filter input \
ct state established \
iifname $PERIMETER_IF ip saddr $PNS_PERIMETER_IPV4 udp sport 53 \
ip daddr $EFG_PERIMETER_IPV4 udp dport 1024-65535 \
counter accept comment "DNS replies"
-add rule ip6 efg_filter input \
+add rule ip6 efg-filter input \
ct state established \
iifname $PERIMETER_IF ip6 saddr $PNS_PERIMETER_IPV6 udp sport 53 \
ip6 daddr $EFG_PERIMETER_IPV6 udp dport 1024-65535 \
counter accept comment "DNS replies"
-add rule ip efg_filter input \
+add rule ip efg-filter input \
ip protocol icmp \
counter accept comment "ICMP"
-add rule ip6 efg_filter input \
+add rule ip6 efg-filter input \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule ip efg_filter input \
+add rule ip efg-filter input \
ip protocol gre \
counter accept comment "GRE"
-add rule ip efg_filter input \
+add rule ip efg-filter input \
counter log prefix "INPUT"
-add rule ip6 efg_filter input \
+add rule ip6 efg-filter input \
counter log prefix "INPUT"
# FILTER forward rules
################################
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $EXTERNAL_ACE_IF \
oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
counter accept comment "Established sessions (ACE)"
-add rule ip6 efg_filter forward \
+add rule ip6 efg-filter forward \
ct state established, related \
iifname $EXTERNAL_ACE_IF \
oifname $PERIMETER_IF ip6 daddr $INTERNAL_IPV6_NET \
counter accept comment "Established sessions (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $EXTERNAL_TELEKOM_IF \
oifname $PERIMETER_IF ip daddr $INTERNAL_IPV4_NETS \
counter accept comment "Established sessions (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
oifname $EXTERNAL_ACE_IF \
counter accept comment "Internet access (ACE)"
-add rule ip6 efg_filter forward \
+add rule ip6 efg-filter forward \
iifname $PERIMETER_IF ip6 saddr $INTERNAL_IPV6_NET \
oifname $EXTERNAL_ACE_IF \
counter accept comment "Internet access (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr $INTERNAL_IPV4_NETS \
oifname $EXTERNAL_TELEKOM_IF \
counter accept comment "Internet access (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $EXTERNAL_ACE_IF \
oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
counter accept comment "Incoming VPN traffic (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $EXTERNAL_TELEKOM_IF \
oifname $PERIMETER_IF ip daddr $VPN_INTERNAL_IPV4 udp dport 1194 \
counter accept comment "Incoming VPN traffic (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
counter accept comment "Incoming http(s) requests (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport $WS_PORTS \
+ oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport { http, https } \
counter accept comment "Incoming http(s) requests (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport $WS_PORTS \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport { http, https } \
oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
counter accept comment "Outgoing http(s) replies (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport $WS_PORTS \
+ iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport { http, https } \
oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
counter accept comment "Outgoing http(s) replies (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $EXTERNAL_ACE_IF udp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
counter accept comment "Incoming DNS requests/notifications (udp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $EXTERNAL_TELEKOM_IF udp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 udp dport 53 \
counter accept comment "Incoming DNS requests/notifications (udp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
oifname $EXTERNAL_ACE_IF udp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (udp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 udp sport 53 \
oifname $EXTERNAL_TELEKOM_IF udp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (udp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $EXTERNAL_ACE_IF tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
counter accept comment "Incoming DNS requests (tcp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $EXTERNAL_TELEKOM_IF tcp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $ENS_PERIMETER_IPV4 tcp dport 53 \
counter accept comment "Incoming DNS requests (tcp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
oifname $EXTERNAL_ACE_IF tcp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (tcp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $PERIMETER_IF ip saddr $ENS_PERIMETER_IPV4 tcp sport 53 \
oifname $EXTERNAL_TELEKOM_IF tcp dport 1024-65535 \
counter accept comment "Outgoing DNS replies (tcp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
oifname $EXTERNAL_ACE_IF udp dport 53 \
counter accept comment "Outgoing DNS requests/notifications (udp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp sport 1024-65535 \
oifname $EXTERNAL_TELEKOM_IF udp dport 53 \
counter accept comment "Outgoing DNS requests/notifications (udp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $EXTERNAL_ACE_IF udp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
counter accept comment "Incoming DNS replies (udp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $EXTERNAL_TELEKOM_IF udp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } udp dport 1024-65535 \
counter accept comment "Incoming DNS replies (udp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
oifname $EXTERNAL_ACE_IF tcp dport 53 \
counter accept comment "Outgoing DNS requests (tcp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
iifname $PERIMETER_IF ip saddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp sport 1024-65535 \
oifname $EXTERNAL_TELEKOM_IF tcp dport 53 \
counter accept comment "Outgoing DNS requests (tcp) (TELEKOM)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $EXTERNAL_ACE_IF tcp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "Incoming DNS replies (tcp) (ACE)"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ct state established, related \
iifname $EXTERNAL_TELEKOM_IF tcp sport 53 \
oifname $PERIMETER_IF ip daddr { $ENS_PERIMETER_IPV4, $PNS_PERIMETER_IPV4 } tcp dport 1024-65535 \
counter accept comment "Incoming DNS replies (tcp) (TELEKOM)"
-add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $EXTERNAL_ACE_IF tcp dport $WS_PORTS \
- counter accept comment "Outgoing let's encrypt requests (ACE)"
-
-add rule ip efg_filter forward \
- iifname $PERIMETER_IF ip saddr $WS_PERIMETER_IPV4 tcp sport 1024-65535 \
- oifname $EXTERNAL_TELEKOM_IF tcp dport $WS_PORTS \
- counter accept comment "Outgoing let's encrypt requests (TELEKOM)"
-
-add rule ip efg_filter forward \
- ct state established \
- iifname $EXTERNAL_ACE_IF tcp sport $WS_PORTS \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Incoming let's encrypt replies (ACE)"
-
-add rule ip efg_filter forward \
- ct state established \
- iifname $EXTERNAL_TELEKOM_IF tcp sport $WS_PORTS \
- oifname $PERIMETER_IF ip daddr $WS_PERIMETER_IPV4 tcp dport 1024-65535 \
- counter accept comment "Incoming let's encrypt replies (TELEKOM)"
-
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
ip protocol icmp \
counter accept comment "ICMP"
-add rule ip6 efg_filter forward \
+add rule ip6 efg-filter forward \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule ip efg_filter forward \
+add rule ip efg-filter forward \
counter log prefix "FORWARD"
-add rule ip6 efg_filter forward \
+add rule ip6 efg-filter forward \
counter log prefix "FORWARD"
# FILTER output rules
################################
-add rule ip efg_filter output \
+add rule ip efg-filter output \
ct state new \
ip saddr $EFG_PERIMETER_IPV4 udp sport 1024-65535 \
oifname $PERIMETER_IF ip daddr $PNS_PERIMETER_IPV4 udp dport 53 \
counter accept comment "DNS requests"
-add rule ip6 efg_filter output \
+add rule ip6 efg-filter output \
ct state new \
ip6 saddr $EFG_PERIMETER_IPV6 udp sport 1024-65535 \
oifname $PERIMETER_IF ip6 daddr $PNS_PERIMETER_IPV6 udp dport 53 \
counter accept comment "DNS requests"
-add rule ip efg_filter output \
+add rule ip efg-filter output \
ip protocol icmp \
counter accept comment "ICMP"
-add rule ip6 efg_filter output \
+add rule ip6 efg-filter output \
icmpv6 type { destination-unreachable, \
echo-reply, \
echo-request, \
time-exceeded } \
counter accept comment "ICMPv6"
-add rule ip efg_filter output \
+add rule ip efg-filter output \
counter log prefix "OUTPUT"
-add rule ip6 efg_filter output \
+add rule ip6 efg-filter output \
counter log prefix "OUTPUT"
# NAT postrouting rules
################################
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
oifname $EXTERNAL_ACE_IF ip saddr $VPN_INTERNAL_IPV4 \
counter snat $PUBLIC_ACE_VPN_IPV4 comment "Outgoing VPN traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
oifname $EXTERNAL_ACE_IF ip saddr $INTERNAL_IPV4_NETS \
counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing internal traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
oifname $EXTERNAL_TELEKOM_IF ip saddr $INTERNAL_IPV4_NETS \
counter snat $PUBLIC_TELEKOM_EFG_IPV4 comment "Outgoing internal traffic (TELEKOM)"
-#add rule ip efg_nat postrouting \
+#add rule ip efg-nat postrouting \
# oifname $EXTERNAL_ACE_IF ip saddr $MX_PERIMETER_IPV4 \
# counter snat $PUBLIC_ACE_MX_IPV4 comment "Outgoing MX traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
oifname $EXTERNAL_ACE_IF ip saddr $ENS_PERIMETER_IPV4 \
counter snat $PUBLIC_ACE_NS_IPV4 comment "Outgoing external DNS traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
oifname $EXTERNAL_ACE_IF ip saddr $PNS_PERIMETER_IPV4 \
counter snat $PUBLIC_ACE_EFG_IPV4 comment "Outgoing perimeter DNS traffic"
-add rule ip efg_nat postrouting \
+add rule ip efg-nat postrouting \
oifname $EXTERNAL_ACE_IF ip saddr $WS_PERIMETER_IPV4 \
counter snat $PUBLIC_ACE_WS_IPV4 comment "Outgoing WS traffic"
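Review bot: The renamed `create chain ip6 efg-filter input` and `create chain ip6 efg-filter output` lines keep `policy accept` while the ip counterparts use `policy drop`, and the ip6 input/output chains end with an unconditional `counter log prefix "INPUT"` / `"OUTPUT"` rule with nothing after it, so every unmatched IPv6 packet is logged as if it were being rejected and then accepted by the chain policy. If the external interfaces carry no IPv6 this may be deliberate, but the ruleset as written leaves IPv6 input and output open while the logs suggest otherwise. Either bring the ip6 chains in line (`policy drop;` on both, after adding ip6 equivalents of the GRE/ICMP accept rules that exist only for ip), or record the asymmetry with a comment above the ip6 chain definitions such as `# ip6 input/output intentionally accept: <reason>`. Separately, the anonymous set `{ http, https }` is now repeated in five rules (the prerouting dnat rule and the four forward rules for WS) where a single `WS_PORTS` define used to be; if the define was removed because `$WS_PORTS` did not expand inside the set, a comment saying so will stop the next maintainer from reintroducing it, otherwise a define keeps the port list in one place.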