Kategorie:server Kategorie:firewall

Beispiel

Ein Host verwaltet virtuelle Maschinen, die per Firewall Serverdienste anbieten:

#!/usr/sbin/nft -f
# interfaces:
define IF_INET = eth0
define IF_LOCAL = bridge0
define IF_DMZ = eth1

define NET_LOCAL  = 10.10.10.0/8
define NET_DMZ = 172.16.0.0/12

define HOST_FW = 88.77.22.11
define HOST_ALFA = 10.10.10.100
define HOST_BETA = 10.10.10.101

define FW_ACCEPTED { 80, 443, 22 }

# BANNED
add rule filter input meta iifname IF_INET ip saddr 121.12.242.43 drop;

# Drop locals from internet
add rule filter input meta iifname IF_INET ip saddr \
        { 192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12 } drop;

# Drop invalid
add rule filter input ct state invalid drop;

add rule filter input meta iif lo ct state new accept;

add rule filter input meta iif IF_DMZ ip saddr NET_DMZ ct state new accept;
add rule filter input meta iif IF_LOCAL ip saddr NET_LOCAL ct state new accept;

# Accept for firewall only:
add rule filter input meta iifname IP_INET ip protocol tcp ct state new tcp dport FW_ACCEPTED accept;

# Allow ping:
add rule inet filter input meta nfproto ipv4 icmp type { echo-request } counter accept
add rule inet filter input meta nfproto ipv6 icmpv6 type echo-request counter accept 

# Port forwarding:
add rule nat prerouting meta iifname IF_INET tcp dport 10100 dnat HOST_ALFA:22
add rule nat prerouting meta iifname IF_INET tcp dport 10101 dnat HOST_BETA:22

# Policies
add rule filter input drop;
add rule filter forward drop;
add rule filter output accept;