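#!/bin/bash
# Dry-run check of an nftables ruleset: 'nft -c' parses and validates the
# ruleset read from stdin without loading it into the kernel; '-o' additionally
# asks nft to report possible rule merges/optimisations.
#
# Environment:
#   NFT  command used to invoke nft (default: nft). It is expanded unquoted on
#        purpose so that a wrapper such as "sudo nft" keeps working.
#
# Exit status: that of nft (non-zero if the ruleset does not parse/validate);
# any other failure aborts via 'set -e'.
set -euo pipefail

# Fall back to the nft found in PATH instead of running a bare "-c -o -f -",
# which is what the original unchecked expansion of $NFT produced when unset.
NFT=${NFT:-nft}

# Ruleset under test. Single-quoted so the nft '$name' references (lan, wan,
# vpn, server, addrv4_vpnnet) reach nft literally instead of being expanded by
# the shell.
#
# NOTE(review): 'server' is an IP address, but it is used with iifname/oifname,
# which match interface *names*; unless an interface is literally called
# 10.10.10.1 those four forward rules never match and the chain's 'policy drop'
# silently discards that traffic, including the connections the prerouting DNAT
# to $server:10000 redirects. 'ip daddr $server' / 'ip saddr $server' is
# probably what was meant — confirm against the intended topology.
#
# NOTE(review): the wan<->vpn forward rules accept in both directions with no
# 'ct state' restriction, unlike the lan<->wan pair above them; confirm that
# unsolicited new connections from $wan towards $vpn are really intended.
RULESET='define addrv4_vpnnet = 10.1.0.0/16
define wan = "eth0"
define lan = "eth1"
define vpn = "tun0"
define server = "10.10.10.1"
table inet filter {
chain input {
type filter hook input priority 0; policy drop;
}
chain forward {
type filter hook forward priority 1; policy drop;
iifname $lan oifname $lan accept;
iifname $lan oifname $wan ct state new accept
iifname $lan oifname $wan ct state {established, related} accept
iifname $wan oifname $lan ct state {established, related} accept
iifname $vpn oifname $wan accept
iifname $wan oifname $vpn accept
iifname $lan oifname $vpn accept
iifname $vpn oifname $lan accept
iifname $lan oifname $server accept
iifname $server oifname $lan accept
iifname $server oifname $wan accept
iifname $wan oifname $server accept
}
chain output {
type filter hook output priority 0; policy drop;
}
}
table nat {
chain prerouting {
type nat hook prerouting priority -100; policy accept;
iifname $wan tcp dport 10000 dnat to $server:10000;
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
ip saddr $addrv4_vpnnet counter masquerade fully-random comment "masquerade ipv4"
oifname $vpn masquerade
oifname $wan masquerade
}
}'

# '-f -' reads the ruleset from stdin; the here-string is quoted so the
# multi-line text is passed through unchanged.
# shellcheck disable=SC2086 -- $NFT may deliberately contain a wrapper command
$NFT -c -o -f - <<< "$RULESET"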