Fix patch

2024-03-30 12:56:27 -04:00 · 2024-03-30 12:56:27 -04:00 · 98bd0b6f63
commit 98bd0b6f63
parent 609bd0d57e
1 changed files with 41 additions and 7 deletions
--- a/nftables.patch
+++ b/nftables.patch
@ -1,5 +1,5 @@
--- nftables.conf       2023-06-09 19:16:58.000000000 -0400
-+++ nftables.conf.2     2024-02-12 12:35:17.175626420 -0500
+--- nftables.conf       2023-06-10 01:16:58.000000000 +0200
+++ nftables.conf.2     2024-03-30 17:53:25.967805988 +0100
@@ -1,5 +1,6 @@
 #!/usr/sbin/nft -f
 flush ruleset
@ -19,12 +19,46 @@

         chain forward {
                 type filter hook forward priority filter; policy drop;
-@@ -34,6 +40,8 @@
+@@ -32,12 +38,16 @@
+                 # Accept LAN<->WAN traffic
+                 meta iifname $LAN meta oifname $WAN accept
                 meta iifname $WAN meta oifname $LAN accept
-                 udp dport 80 log prefix "Dropped (UDP/80): " drop
-                 udp dport 443 log prefix "Dropped (UDP/443): " drop
-+                meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
-+                meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+-                udp dport 80 log prefix "Dropped (UDP/80): " drop
+-                udp dport 443 log prefix "Dropped (UDP/443): " drop
                 ct state related,established accept
                 log prefix "Packet discarded by policy: "
         }
+         chain noforward {
+                udp dport 80 log prefix "Dropped (UDP/80): " drop
+                udp dport 443 log prefix "Dropped (UDP/443): " drop
+                meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+                meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+
+
+                # Block all DNS resolvers beside the router
+                 th dport 53 ip saddr $LANRANGE ip daddr != 192.168.1.1 log prefix "Dropped (DNS): " reject
+                # Block access to the SLiRP gateway
+@@ -48,6 +58,13 @@
+ }
+
+ table inet nat {
+        set blocklist {
+          type ipv4_addr
+          flags interval
+          elements = { $blocklist }
+        }
+
+
+         chain postrouting {
+                 type nat hook postrouting priority srcnat; policy accept;
+                 meta iifname $LAN meta oifname $WAN ip saddr $LANRANGE snat ip to $SNAT
+@@ -55,7 +72,7 @@
+         chain prerouting {
+                 type nat hook prerouting priority dstnat; policy accept;
+                 # Uncomment for E2Guardian
+-                # iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
+-                # iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443
+                iifname $LAN ip daddr != $LANRANGE ip daddr != @blocklist tcp dport 80 redirect to :8080
+                iifname $LAN ip daddr != $LANRANGE ip daddr != @blocklist tcp dport 443 redirect to :8443
+         }
+ }