--- nftables.conf 2023-06-10 01:16:58.000000000 +0200
+++ /etc/nftables.conf 2024-03-30 18:04:11.549553009 +0100
@@ -1,5 +1,6 @@
 #!/usr/sbin/nft -f
 flush ruleset
+include "/etc/nftables.d/blocklist.nft"
 # SET TO WIREGUARD INTERFACE IP
 define SNAT = 192.168.1.1
@@ -22,6 +23,11 @@
 table inet filter {
+ set blocklist {
+ type ipv4_addr
+ flags interval
+ elements = { $blocklist }
+ }
 chain forward {
 type filter hook forward priority filter; policy drop;
@@ -32,12 +38,15 @@
 # Accept LAN<->WAN traffic
 meta iifname $LAN meta oifname $WAN accept
 meta iifname $WAN meta oifname $LAN accept
- udp dport 80 log prefix "Dropped (UDP/80): " drop
- udp dport 443 log prefix "Dropped (UDP/443): " drop
 ct state related,established accept
 log prefix "Packet discarded by policy: "
 }
 chain noforward {
+ udp dport 80 log prefix "Dropped (UDP/80): " drop
+ udp dport 443 log prefix "Dropped (UDP/443): " drop
+ meta iifname $LAN ip daddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+ meta iifname $LAN ip saddr @blocklist log prefix "Dropped (BLOCKED IP): " drop
+
 # Block all DNS resolvers beside the router
 th dport 53 ip saddr $LANRANGE ip daddr != 192.168.1.1 log prefix "Dropped (DNS): " reject
 # Block access to the SLiRP gateway
@@ -48,6 +57,12 @@
 }
 table inet nat {
+ set blocklist {
+ type ipv4_addr
+ flags interval
+ elements = { $blocklist }
+ }
+
 chain postrouting {
 type nat hook postrouting priority srcnat; policy accept;
 meta iifname $LAN meta oifname $WAN ip saddr $LANRANGE snat ip to $SNAT
@@ -55,7 +70,7 @@
 chain prerouting {
 type nat hook prerouting priority dstnat; policy accept;
 # Uncomment for E2Guardian
- # iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 80 redirect to :8080
- # iifname $LAN ip daddr != 192.168.1.0/24 tcp dport 443 redirect to :8443
+ iifname $LAN ip daddr != $LANRANGE ip daddr != @blocklist tcp dport 80 redirect to :8080
+ iifname $LAN ip daddr != $LANRANGE ip daddr != @blocklist tcp dport 443 redirect to :8443
 }
 }
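Review bot: The new `include "/etc/nftables.d/blocklist.nft"` makes that file a hard dependency of the whole ruleset: `nft -f` applies the file as one transaction, so a missing or malformed blocklist file fails the entire load rather than just the blocklist set, and at boot that leaves the host with no ruleset loaded at all. If the file is generated from an external feed, the generator should verify that its output is a single `define blocklist = { ... }` containing only addresses and prefixes, since any other nft directive placed there is executed with the same authority as this file. An empty `define blocklist = { }` would, I believe, also be rejected by the `elements = { $blocklist }` in the set definitions of the later hunks, so the generator needs a defined fallback for an empty list. A comment above the include naming the contract, `# must define $blocklist (IPv4 addresses/prefixes) used by the blocklist sets below`, would make this dependency visible to the next maintainer.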
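Review bot: The set added to `table inet filter` is `type ipv4_addr` inside an `inet` table, so the `@blocklist` rules introduced in the later hunks match IPv4 only and any IPv6 traffic on the LAN passes them unfiltered and unlogged; the same applies to the identical copy of this set added to `table inet nat` in the fourth hunk. If the LAN has IPv6 connectivity, either state the limitation in a comment or add an `ip6_addr` set with matching rules. With `flags interval`, nft also refuses to load a set whose elements overlap, so a generated list containing nested prefixes would fail the whole ruleset load; the `auto-merge` set option (where the installed nft version supports it) avoids that. Suggested comment above each set: `# IPv4 only: IPv6 traffic bypasses this set; keep in sync with the copy in table inet nat`.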
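Review bot: The new `meta iifname $LAN ip saddr @blocklist ... drop` rule only inspects packets arriving on the LAN interface, so traffic that a blocklisted address originates from the WAN side toward the LAN is never matched by it; together with the `meta iifname $WAN meta oifname $LAN accept` rule visible at the top of this hunk, such traffic is accepted unless a rule outside this hunk handles it. If inbound blocking is intended, drop the interface qualifier on the saddr rule (or add a `$WAN` counterpart) and make sure it is evaluated before the WAN->LAN accept. `noforward` has no hook line, so it is presumably reached by a jump from `forward` that lies outside this hunk; if that jump sits after the two LAN<->WAN accept rules shown here, none of the drops in `noforward` are ever evaluated for that traffic, which is worth confirming. Both blocklist rules log with the same prefix `"Dropped (BLOCKED IP): "`, which hides the direction in the logs; `"Dropped (BLOCKED dst): "` and `"Dropped (BLOCKED src): "` would distinguish them.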
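Review bot: The `# Uncomment for E2Guardian` comment is now stale because the two redirect rules under it are active; change it to `# E2Guardian transparent proxy: redirect LAN HTTP/HTTPS to :8080/:8443 (blocklisted destinations are left to the forward chain)`. Note that once a connection is redirected, the proxy's own upstream connection leaves the router through the output hook rather than the forward hook, so the `@blocklist` drops in `noforward` do not apply to whatever E2Guardian connects to. Because a transparent proxy resolves the destination itself, the client-side `ip daddr != @blocklist` exclusion here does not by itself guarantee the proxy never reaches a blocklisted address; an output-chain rule referencing the set (not visible in this diff) would close that gap.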