2 ################################################
3 ### Managed by someone's ansible provisioner ###
4 ################################################
5 # Part of: https://git.somenet.org/root/pub/somesible.git
6 # 2017-2024 by someone <someone@somenet.org>
12 # ct helper ftp-standard { type "ftp" protocol tcp; }
15 # type filter hook prerouting priority raw; policy accept;
17 # # accept any inside traffic.
18 # iifname "lo" counter accept
20 # # accept all other traffic, by policy.
24 type filter hook prerouting priority -150; policy accept;
26 # accept any inside traffic.
27 iifname "lo" counter accept
30 # incoming, public-facing traffic.
30 counter jump PRE_outside
32 # accept (and log) any other traffic - should not happen.
33 counter log prefix "NFT:PRE:ACCEPT-unk; " accept
37 # mark outside-initiated incoming connections.
38 ct state new meta mark set 2 ct mark set meta mark
40 # accept neighbour discovery, otherwise IPv6 connectivity breaks.
41 ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} counter accept
42 ip protocol icmp icmp type { echo-request} counter accept
44 # accept connections to these services.
45 tcp dport 2 counter accept
47 # switch to something better than ftp (ssh/sftp, for example); if you must keep ftp, use the ftp conntrack helper.
48 # tcp dport 21 ct state new ct helper set "ftp-standard" counter accept
50 # accept traffic originated from us.
51 ct state established,related counter accept
53 # accept any other traffic (left commented out: unmatched traffic returns to the calling chain instead).
55 # counter log prefix "NFT:PRE_outside:ACCEPT-all; " accept
59 # type filter hook input priority 0; policy accept;
63 # type filter hook forward priority 0; policy accept;
67 # type filter hook output priority 0; policy accept;
72 type filter hook postrouting priority 150; policy accept;
74 # accept any inside traffic.
75 oifname "lo" counter accept
77 # outgoing, public-facing traffic.
78 counter jump POST_outside
80 # accept (and log) any other traffic - should not happen.
81 counter log prefix "NFT:POST:ACCEPT-unk; " accept
85 # mark inside-initiated outgoing traffic (connections that did not receive ct mark 2 in PRE_outside).
86 ct mark 0 meta mark set 1 ct mark set meta mark
90 # counter log prefix "NFT:POST_outside:ACCEPT-all; " accept
97 # type nat hook prerouting priority dstnat; policy accept;
98 # meta l4proto tcp ip daddr 127.0.0.1 tcp dport 80 counter redirect to :1080
99 # meta l4proto tcp ip daddr 127.0.0.1 tcp dport 443 counter redirect to :10443
102 # type nat hook postrouting priority 100; policy accept;
103 # oifname "eth0" counter masquerade fully-random,persistent