
Do, 16. Februar 2017, 15:00

DSL-Modem im Bridging-Modus betreiben

Von wogri

Mit diesem Regelwerk sollte die einfachste Variante von nft, nämlich ein simples NAT, erledigt sein. Wer ein Beispiel mit mehr Komplexität in seinen Regeln braucht, findet hier meine Konfiguration, inkl. IPv6:

#!/usr/sbin/nft -f

# Addresses referenced by the rules below (IPv4).
# server_net: the public /28 behind the router; my_phone: LAN address of the SIP phone
# that receives the DNATed SIP/RTP traffic in table ip nat.
define server_net = 1.2.3.0/28
define my_phone = 192.168.1.100

# ipv6
# dovecot_ip6: the single host that may be reached from the internet via forward;
# server_net_ip6: the only source network allowed to reach ssh (tcp/22) on ppp0.
define dovecot_ip6 = 2001:dead:beef:2::143
define server_net_ip6 = 2001:dead:beef::/64

# Clears the entire existing ruleset (all tables, not only the ones defined in this file)
# before the tables below are created, so the file is the single source of truth.
flush ruleset

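# Stateful filter for IPv4 and IPv6 (inet family). Everything arriving on the
# public interface ppp0 is handled by dedicated chains; traffic from the local
# interfaces (lan, servlan, ipsec0) is trusted.
table inet filter {
  chain input {
    # Explicit default policy: the chain already ends in drop, the policy
    # makes that hold even if the trailing rule is ever removed.
    type filter hook input priority 0; policy drop;
    iifname lo accept
    iifname lan accept
    iifname servlan accept
    iifname ipsec0 accept
    iifname ppp0 jump input_ppp0
    drop
  }
  chain input_ppp0 { # rules applicable to public interface
    ct state {established,related} counter accept
    ct state invalid counter drop
    # ICMPv6: rate-limited echo and the types required for path MTU discovery
    # and neighbor discovery to work on the public link
    ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate 10/second counter accept
    ip6 nexthdr icmpv6 icmpv6 type {
      destination-unreachable, packet-too-big, time-exceeded, \
      parameter-problem, nd-router-advert, nd-neighbor-solicit, \
      nd-neighbor-advert } counter accept
    ip protocol icmp icmp type echo-request limit rate 10/second counter accept
    # DHCPv6 replies arrive at the link-local address of ppp0
    ip6 daddr fe80::/64 udp dport dhcpv6-client counter accept
    # ssh to the router only from the own IPv6 server network
    ip6 saddr $server_net_ip6 tcp dport {22} counter accept
    # letsencrypt
    ip saddr 0.0.0.0/0 tcp dport {80,443} counter accept
    ip6 saddr ::/0 tcp dport {80,443} counter accept
    # ipsec
    ip protocol esp accept
    ip saddr 0.0.0.0/0 udp dport {500,4500} counter accept
    # everything else on the public interface is logged once and dropped
    log
    drop
  }
  chain output {
    # chain was previously named "ouput" (typo); all locally generated traffic is allowed
    type filter hook output priority 0;
    accept
  }
  chain forward {
    # No policy given, so the default policy (accept) applies to forwarded traffic
    # that does not come in on ppp0, i.e. LAN-to-internet and LAN-to-LAN traffic.
    type filter hook forward priority 0;
    iifname ppp0 counter jump from_internet
  }
  chain from_internet {
    ct state {established,related} counter accept
    ct state invalid counter drop
    ip6 daddr $dovecot_ip6 jump to_dovecot
    # IPv4 flows that table ip nat (prerouting) has DNATed to the phone are still
    # "new" here and were not matched by any accept above, so without this rule
    # they would fall through to the log/drop below.
    ip daddr $my_phone udp dport { sip, 16384-16400 } counter accept
    log
    drop
  }
  chain to_dovecot {
    # NOTE(review): only tcp/22 from the own server network is admitted although the
    # target is named dovecot (IMAP) — confirm whether further ports were intended.
    ip6 saddr $server_net_ip6 tcp dport {22} counter accept
  }
}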

# IPv4-only NAT: inbound SIP/RTP on ppp0 is forwarded to the phone, outbound
# traffic leaving on ppp0 is masqueraded to the ppp0 address.
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
    iifname ppp0 counter jump dnat_from_internet 
  }
  chain dnat_from_internet {
    # DNAT applies to any source address on the internet; restrict the source to
    # the SIP provider's addresses if they are known, so the phone is not
    # reachable from arbitrary hosts.
    # NOTE(review): the DNATed flows must also be accepted in the forward hook
    # (table inet filter, chain from_internet) or they are dropped there.
    udp dport { sip, 16384-16400 } counter dnat $my_phone
  }
  chain postrouting {
    type nat hook postrouting priority 0;
    oifname ppp0 counter masquerade
  }
}
