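--- nftables.conf 2023-06-10 01:16:58.000000000 +0200
+++ /etc/nftables.conf 2024-03-30 18:04:11.549553009 +0100
@@ -1,5 +1,6 @@
 #!/usr/sbin/nft -f
 flush ruleset
+include "/etc/nftables.d/blocklist.nft"
 
 # SET TO WIREGUARD INTERFACE IP
 define SNAT = 192.168.1.1
@@ -22,6 +23,11 @@
 
 
 table inet filter {
+ set blocklist {
+ type ipv4_addr
+ flags interval
+ elements = { $blocklist }
+ }
 
 chain forward {
 type filter hook forward priority filter; policy drop;
@@ -32,12 +38,15 @@
 # Accept LAN<->WAN traffic
 meta iifname $LAN meta oifname $WAN accept
 meta iifname $WAN meta oifname $LAN accept
- udp dport 80 log prefix "Dropped (UDP/80): " drop
- udp dport 443 log prefix "Dropped (UDP/443): " drop
 ct state related,established accept
 log prefix "Packet discarded by policy: "
 }
 chain noforward {
+ udp dport 80 log prefix "Dropped (UDP/80): " drop
+ udp dport 443 log prefix "Dropped (UDP/443): " drop
+ meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+ meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+
 # Block all DNS resolvers beside the router
 th dport 53 ip saddr $LANRANGE ip daddr != 192.168.1.1 log prefix "Dropped (DNS): " reject
 # Block access to the SLiRP gateway
@@ -48,6 +57,12 @@
 }
 
 table inet nat {
+ set blocklist {
+ type ipv4_addr
+ flags interval
+ elements = { $blocklist }
+ }
+
 chain postrouting {
 type nat hook postrouting priority srcnat; policy accept;
 meta iifname $LAN meta oifname $WAN ip saddr $LANRANGE snat ip to $SNAT
@@ -55,7 +70,7 @@
 chain prerouting {
 type nat hook prerouting priority dstnat; policy accept;
 # Uncomment for E2Guardian
- # iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
- # iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443
+ iifname $LAN ip daddr != $LANRANGE ip daddr != @blocklist tcp dport 80 redirect to :8080
+ iifname $LAN ip daddr != $LANRANGE ip daddr != @blocklist tcp dport 443 redirect to :8443
 }
 }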
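Review bot: The new `include "/etc/nftables.d/blocklist.nft"` in the first hunk makes the whole ruleset depend on that file: `nft -f` applies the file as one transaction, so if the include is missing or `$blocklist` is not defined there, the load aborts and nothing in this file — including `flush ruleset` and the forward chain's `policy drop` — is installed, which at boot would leave the host with no forward filtering at all. A comment above the include should record that contract, e.g. `# blocklist.nft must define $blocklist (set elements); a missing or malformed file aborts the entire ruleset load`. Both new sets are `type ipv4_addr` inside `inet` tables, so IPv6 traffic passing the same chains is never matched by the blocklist; if that is intentional it deserves a one-line comment next to the set (the same note covers the set added in the nat table). In the last hunk the context line `# Uncomment for E2Guardian` is now stale because the two redirect rules below it are active; `# E2Guardian transparent proxy (comment out to disable)` matches the new state.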