Fix patch (2)
parent
98bd0b6f63
commit
e72af51b01
2 changed files with 13 additions and 14 deletions
|
@ -197,4 +197,5 @@ define blocklist = {
|
||||||
199.229.252.121,
|
199.229.252.121,
|
||||||
86.162.6.84,
|
86.162.6.84,
|
||||||
87.3.215.35,
|
87.3.215.35,
|
||||||
|
141.8.192.26,
|
||||||
}
|
}
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
--- nftables.conf 2023-06-10 01:16:58.000000000 +0200
|
--- nftables.conf 2023-06-10 01:16:58.000000000 +0200
|
||||||
+++ nftables.conf.2 2024-03-30 17:53:25.967805988 +0100
|
+++ /etc/nftables.conf 2024-03-30 18:04:11.549553009 +0100
|
||||||
@@ -1,5 +1,6 @@
|
@@ -1,5 +1,6 @@
|
||||||
#!/usr/sbin/nft -f
|
#!/usr/sbin/nft -f
|
||||||
flush ruleset
|
flush ruleset
|
||||||
|
@ -19,7 +19,7 @@
|
||||||
|
|
||||||
chain forward {
|
chain forward {
|
||||||
type filter hook forward priority filter; policy drop;
|
type filter hook forward priority filter; policy drop;
|
||||||
@@ -32,12 +38,16 @@
|
@@ -32,12 +38,15 @@
|
||||||
# Accept LAN<->WAN traffic
|
# Accept LAN<->WAN traffic
|
||||||
meta iifname $LAN meta oifname $WAN accept
|
meta iifname $LAN meta oifname $WAN accept
|
||||||
meta iifname $WAN meta oifname $LAN accept
|
meta iifname $WAN meta oifname $LAN accept
|
||||||
|
@ -33,12 +33,11 @@
|
||||||
+ udp dport 443 log prefix "Dropped (UDP/443): " drop
|
+ udp dport 443 log prefix "Dropped (UDP/443): " drop
|
||||||
+ meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
|
+ meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
|
||||||
+ meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
|
+ meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
|
||||||
+
|
|
||||||
+
|
+
|
||||||
# Block all DNS resolvers beside the router
|
# Block all DNS resolvers beside the router
|
||||||
th dport 53 ip saddr $LANRANGE ip daddr != 192.168.1.1 log prefix "Dropped (DNS): " reject
|
th dport 53 ip saddr $LANRANGE ip daddr != 192.168.1.1 log prefix "Dropped (DNS): " reject
|
||||||
# Block access to the SLiRP gateway
|
# Block access to the SLiRP gateway
|
||||||
@@ -48,6 +58,13 @@
|
@@ -48,6 +57,12 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
table inet nat {
|
table inet nat {
|
||||||
|
@ -47,12 +46,11 @@
|
||||||
+ flags interval
|
+ flags interval
|
||||||
+ elements = { $blocklist }
|
+ elements = { $blocklist }
|
||||||
+ }
|
+ }
|
||||||
+
|
|
||||||
+
|
+
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority srcnat; policy accept;
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
meta iifname $LAN meta oifname $WAN ip saddr $LANRANGE snat ip to $SNAT
|
meta iifname $LAN meta oifname $WAN ip saddr $LANRANGE snat ip to $SNAT
|
||||||
@@ -55,7 +72,7 @@
|
@@ -55,7 +70,7 @@
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
# Uncomment for E2Guardian
|
# Uncomment for E2Guardian
|
||||||
|
|
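Review bot: The three `drop` rules in the `@@ -32,12 +38,15 @@` hunk of the patch (`udp dport 443`, `ip daddr @blocklist`, `ip saddr @blocklist`) come after `meta iifname $LAN meta oifname $WAN accept` and its WAN-to-LAN counterpart. Because `accept` is a terminating verdict for the chain, traffic between those two interfaces would be accepted before any of the drops is evaluated. The patch lines between the accepts and the drops are not shown on this page, so this is inferred; if nothing there changes the flow, the added rules belong above the `# Accept LAN<->WAN traffic` comment. Separately, `meta iifname $LAN ip saddr @blocklist` only matches packets entering from the LAN with a blocklisted source address, whereas packets sent by a blocklisted host would normally enter on the WAN side, so `meta iifname $WAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop` looks like the intended rule.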