alpine-server-setup/services/firewall/firewall.nft
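# nftables ruleset for the Alpine server: one inet (IPv4 + IPv6) table holding
# a NAT postrouting chain and input/forward/output filter chains.
# Intended to be loaded with `nft -f`. "flush ruleset" comes first so this file
# is the complete firewall state and no rules from a previous load survive.
flush ruleset

# Interface and network symbols. "define" creates a parser-time variable that is
# referenced as $name. (A set declared inside a table is referenced as @name;
# no such sets are declared in this file.)
define wan = eth0
define vpn = wg0
define vpn_net = 10.0.0.0/24
# NOTE(review): lan_net is not referenced by any rule in this file; it has no
# effect on the loaded ruleset. Kept so the symbol stays available.
define lan_net = 192.168.2.0/24

# ICMPv6 types that are accepted (rate limited below).
# Without the nd-* ones ipv6 will not work: neighbour discovery replaces ARP,
# and packet-too-big is needed for path MTU discovery.
define allowed_icmpv6 = {
    destination-unreachable,
    echo-reply,
    echo-request,
    nd-neighbor-solicit,
    nd-router-advert,
    nd-neighbor-advert,
    packet-too-big,
    parameter-problem,
    time-exceeded
}
# ICMP (IPv4) types that are accepted (rate limited below).
define allowed_icmp = {
    destination-unreachable,
    echo-reply,
    echo-request,
    source-quench,
    time-exceeded
}

table inet firewall {
    chain postrouting {
        type nat hook postrouting priority 100;
        # Source-NAT packets from VPN clients that leave through the WAN
        # interface, so replies come back to this host rather than being
        # addressed to the private VPN range.
        oifname $wan ip saddr $vpn_net masquerade
    }

    chain incoming {
        # Hook, priority and default policy for this chain. The priority orders
        # this chain against any other "hook input" chain in another table.
        # Policy drop: anything not explicitly accepted below is discarded.
        type filter hook input priority 0; policy drop;

        ct state invalid drop                      # early drop of invalid packets
        ct state { established, related } accept   # allow established/related connections
        iif lo accept                              # allow traffic from loopback interface

        # Rate-limited ICMP / ICMPv6.
        # allowed_icmp / allowed_icmpv6 are "define" variables, so they must be
        # referenced with $, not @. With @ the loader looks for a named set that
        # does not exist in this table and the whole ruleset fails to load --
        # which, after "flush ruleset" has been parsed, means no firewall at all.
        # "icmp type" / "icmpv6 type" already imply the matching L4 protocol, so
        # no separate "ip protocol" / "ip6 nexthdr" match is needed.
        icmp type $allowed_icmp limit rate 1/second burst 5 packets accept
        icmpv6 type $allowed_icmpv6 limit rate 1/second burst 5 packets accept

        # Rules for all interfaces (WAN and VPN alike)
        tcp dport { 80, 443 } accept   # Allow http and https for all interfaces
        udp dport 443 accept           # Allow quic (http/3) for all interfaces

        # Rules for WAN interface only
        # Only new SSH connections reach this rule (established ones were
        # accepted above); packets above the rate fall through to the drop policy.
        iifname $wan tcp dport 22 limit rate 10/minute accept   # Rate limit SSH to 10/minute
        iifname $wan udp dport 51820 accept                     # Allow WireGuard incoming from WAN

        # Rules for VPN interface only
        # NOTE(review): only UDP/53 is accepted; DNS answers that need TCP
        # fallback (truncated responses) will not work for VPN clients -- confirm
        # this is intended.
        iifname $vpn udp dport 53 accept   # Allow DNS traffic from VPN
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state invalid drop                      # early drop of invalid packets
        ct state { established, related } accept   # allow established/related connections
        # Only VPN -> WAN forwarding is opened. New connections from WAN towards
        # VPN clients hit the drop policy; replies return via established/related.
        iifname $vpn oifname $wan accept   # Allow VPN traffic to access WAN
    }

    chain outgoing {
        # Locally generated traffic is not filtered.
        type filter hook output priority 0; policy accept;
    }
}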