root@horus:~# ip rule show; ip -6 rule show; nft list ruleset
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
0: from all lookup local
32766: from all lookup main
4200000000: from 2804:7f0:7a00:6346::1/64 iif eth1 unreachable
# banIP table: a pre-filter that runs in front of fw4. All of its base chains hook at
# negative priorities (-175 / -100), so an `accept` here only ends *this* table's chain;
# the packet is still evaluated by fw4's base chains at `priority filter` (0), whose
# input/forward policy is drop. Only a `drop`/`reject` verdict in this table is final.
table inet banIP {
# Named counters, incremented by the flood / invalid-TCP-flag rules in pre-routing.
# cnt_tcpinvalid is 0 and cnt_synflood is 26 in this dump; cnt_ctinvalid dominates.
counter cnt_icmpflood {
packets 2033 bytes 2282145
}
counter cnt_udpflood {
packets 682 bytes 54989
}
counter cnt_synflood {
packets 26 bytes 1040
}
counter cnt_tcpinvalid {
packets 0 bytes 0
}
counter cnt_ctinvalid {
packets 44019 bytes 2123173
}
# Allow/block sets. The MAC-bound sets (ether_addr . ipX_addr, used by _outbound) and
# both address blocklists have no elements in this dump. Only the blocklists carry
# `flags timeout`, so entries loaded into them may expire; allowlist entries never do.
set allowlist.v4MAC {
type ether_addr . ipv4_addr
policy memory
flags interval
auto-merge
}
set allowlist.v6MAC {
type ether_addr . ipv6_addr
policy memory
flags interval
auto-merge
}
# 191.255.136.242 also appears as a WAN-side daddr in fw4's NAT-reflection rules —
# presumably this router's own public address; verify before relying on the allow.
set allowlist.v4 {
type ipv4_addr
policy memory
flags interval
auto-merge
elements = { 191.255.136.242 }
}
set allowlist.v6 {
type ipv6_addr
policy memory
flags interval
auto-merge
elements = { 2804:7f0:703c:113d::/64,
fd60:58e4:c0c8:1::/64 }
}
set blocklist.v4MAC {
type ether_addr . ipv4_addr
policy memory
flags interval
auto-merge
}
set blocklist.v6MAC {
type ether_addr . ipv6_addr
policy memory
flags interval
auto-merge
}
set blocklist.v4 {
type ipv4_addr
policy memory
flags interval,timeout
auto-merge
}
set blocklist.v6 {
type ipv6_addr
policy memory
flags interval,timeout
auto-merge
}
# Early sanity filter for everything arriving on pppoe-wan; any other ingress leaves
# this chain on the first rule. Priority -175 is after conntrack (-200), which is what
# makes the `ct state invalid` match meaningful here.
# The `limit rate over` rules use one global token bucket each — they are NOT per
# source address — and drop only once the bucket is exceeded.
chain pre-routing {
type filter hook prerouting priority -175; policy accept;
iifname != "pppoe-wan" counter packets 38938385 bytes 13324622657 accept
ct state invalid counter name "cnt_ctinvalid" drop
meta nfproto . meta l4proto { ipv4 . icmp, ipv6 . ipv6-icmp } limit rate over 25/second burst 5 packets counter name "cnt_icmpflood" drop
meta l4proto udp ct state new limit rate over 100/second burst 5 packets counter name "cnt_udpflood" drop
# 10 new SYN/s (burst 5) for *all* WAN ingress combined is far stricter than fw4's own
# syn_flood chain (25/s); under load it will also throttle legitimate new connections to
# the port forwards defined in fw4.
tcp flags & (fin | syn | rst | ack) == syn limit rate over 10/second burst 5 packets counter name "cnt_synflood" drop
# Invalid TCP flag combinations: fin+syn together, syn+rst together, no flags at all
# (masked value below fin == 0), and exactly fin+psh+urg.
tcp flags & (fin | syn) == fin | syn counter name "cnt_tcpinvalid" drop
tcp flags & (syn | rst) == syn | rst counter name "cnt_tcpinvalid" drop
tcp flags & (fin | syn | rst | psh | ack | urg) < fin counter name "cnt_tcpinvalid" drop
tcp flags & (fin | syn | rst | psh | ack | urg) == fin | psh | urg counter name "cnt_tcpinvalid" drop
}
# Router-destined traffic from pppoe-wan. Established/related flows and the link-keeping
# protocols (DHCPv4 67/68, DHCPv6 547->546, ICMPv6 neighbour discovery) bypass the list
# check; everything else goes through _inbound. Note ND messages are specified with a
# hop limit of 255 (RFC 4861); the `ip6 hoplimit 1` acceptance is non-standard — confirm
# it is actually needed on this link.
chain wan-input {
type filter hook input priority -100; policy accept;
iifname != "pppoe-wan" counter packets 4091408 bytes 1970916976 accept
ct state established,related counter packets 6233337 bytes 3149580995 accept
meta nfproto ipv4 udp sport 67-68 udp dport 67-68 counter packets 0 bytes 0 accept
meta nfproto ipv6 udp sport 547 udp dport 546 counter packets 24 bytes 5088 accept
icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 1 counter packets 0 bytes 0 accept
icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } ip6 hoplimit 255 counter packets 433 bytes 45032 accept
counter packets 235830 bytes 12149406 jump _inbound
}
# New flows entering on pppoe-wan and being forwarded (i.e. port forwards / IPv6) are
# checked against the source-address lists in _inbound.
chain wan-forward {
type filter hook forward priority -100; policy accept;
iifname != "pppoe-wan" counter packets 34672336 bytes 11299956051 accept
ct state established,related counter packets 108220709 bytes 133772993963 accept
counter packets 110610 bytes 9183143 jump _inbound
}
# New flows leaving via pppoe-wan are checked against the destination-address lists in
# _outbound; forwarding towards any other interface is accepted on the first rule.
chain lan-forward {
type filter hook forward priority -100; policy accept;
oifname != "pppoe-wan" counter packets 108337189 bytes 133784900238 accept
ct state established,related counter packets 34128121 bytes 11176557354 accept
counter packets 538345 bytes 120675565 jump _outbound
}
# Source-address check for WAN ingress. Allowlist is evaluated before blocklist, so an
# allowlisted source can never be blocked here. On no match the jump returns to the
# caller, whose `policy accept` hands the packet on to fw4.
chain _inbound {
ip saddr @allowlist.v4 counter packets 13 bytes 2385 accept
ip6 saddr @allowlist.v6 counter packets 13 bytes 2645 accept
ip saddr @blocklist.v4 counter packets 0 bytes 0 drop
ip6 saddr @blocklist.v6 counter packets 0 bytes 0 drop
}
# Egress check for LAN-originated flows. MAC+IP pairs in the *MAC sets match the sending
# host; the plain sets match the remote destination. Blocked flows are rejected (not
# silently dropped) via _reject so the LAN client fails fast.
chain _outbound {
ether saddr . ip saddr @allowlist.v4MAC counter packets 0 bytes 0 accept
ether saddr . ip6 saddr @allowlist.v6MAC counter packets 0 bytes 0 accept
ip daddr @allowlist.v4 counter packets 0 bytes 0 accept
ip6 daddr @allowlist.v6 counter packets 0 bytes 0 accept
ether saddr . ip saddr @blocklist.v4MAC counter packets 0 bytes 0 goto _reject
ether saddr . ip6 saddr @blocklist.v6MAC counter packets 0 bytes 0 goto _reject
ip daddr @blocklist.v4 counter packets 0 bytes 0 goto _reject
ip6 daddr @blocklist.v6 counter packets 0 bytes 0 goto _reject
}
# TCP from a non-WAN interface gets a RST; everything else gets host-unreachable.
# `icmpx` picks ICMP or ICMPv6 according to the packet's family (inet table).
chain _reject {
iifname != "pppoe-wan" meta l4proto tcp reject with tcp reset
reject with icmpx host-unreachable
}
}
# fw4 table (OpenWrt firewall4). Zones as visible in the dispatch chains below:
#   lan       = eth1 plus any interface whose name matches "tun*"
#   wan       = eth0, pppoe-wan
#   wireguard = wireguard
# input and forward default to drop; output defaults to accept. This table runs after
# banIP (priority filter = 0 vs. banIP's -175/-100), so it sees only what banIP let through.
table inet fw4 {
# Inbound to the router itself. Note the interface-name wildcard: any "tun*" device is
# treated as fully trusted LAN (accept_from_lan) — confirm that is intended for every
# tun interface that may appear on this host.
chain input {
type filter hook input priority filter; policy drop;
iif "lo" accept comment "!fw4: Accept traffic from loopback"
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle inbound flows"
tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
iifname "tun*" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname "eth1" jump input_lan comment "!fw4: Handle lan IPv4/IPv6 input traffic"
iifname { "eth0", "pppoe-wan" } jump input_wan comment "!fw4: Handle wan IPv4/IPv6 input traffic"
iifname "wireguard" jump input_wireguard comment "!fw4: Handle wireguard IPv4/IPv6 input traffic"
}
# Forwarded traffic, dispatched on ingress zone. upnp_forward is empty in this dump;
# presumably miniupnpd populates it at runtime (per the rule comment) — verify.
chain forward {
type filter hook forward priority filter; policy drop;
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle forwarded flows"
iifname "tun*" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname "eth1" jump forward_lan comment "!fw4: Handle lan IPv4/IPv6 forward traffic"
iifname { "eth0", "pppoe-wan" } jump forward_wan comment "!fw4: Handle wan IPv4/IPv6 forward traffic"
iifname "wireguard" jump forward_wireguard comment "!fw4: Handle wireguard IPv4/IPv6 forward traffic"
jump upnp_forward comment "Hook into miniupnpd forwarding chain"
}
# Router-originated traffic; policy accept, so the zone chains only add counters.
chain output {
type filter hook output priority filter; policy accept;
oif "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state vmap { invalid : drop, established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "tun*" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname "eth1" jump output_lan comment "!fw4: Handle lan IPv4/IPv6 output traffic"
oifname { "eth0", "pppoe-wan" } jump output_wan comment "!fw4: Handle wan IPv4/IPv6 output traffic"
oifname "wireguard" jump output_wireguard comment "!fw4: Handle wireguard IPv4/IPv6 output traffic"
}
chain prerouting {
type filter hook prerouting priority filter; policy accept;
iifname "tun*" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
iifname "eth1" jump helper_lan comment "!fw4: Handle lan IPv4/IPv6 helper assignment"
}
# Reject instead of drop: RST for TCP, protocol-default ICMP error for the rest.
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject comment "!fw4: Reject any other traffic"
}
# `limit rate` without `over` matches while the bucket still has tokens -> return to
# the caller; anything beyond 25 SYN/s (burst 50) is dropped. One global bucket for all
# interfaces, not per source. banIP already enforces a stricter 10/s on pppoe-wan.
chain syn_flood {
limit rate 25/second burst 50 packets return comment "!fw4: Accept SYN packets below rate-limit"
drop comment "!fw4: Drop excess packets"
}
chain input_lan {
ct status dnat accept comment "!fw4: Accept port redirections"
jump accept_from_lan
}
chain output_lan {
jump accept_to_lan
}
# lan -> wan, lan -> wireguard and lan -> lan are all permitted.
chain forward_lan {
jump accept_to_wan comment "!fw4: Accept lan to wan forwarding"
jump accept_to_wireguard comment "!fw4: Accept lan to wireguard forwarding"
ct status dnat accept comment "!fw4: Accept port forwards"
jump accept_to_lan
}
# No conntrack helpers assigned in this configuration.
chain helper_lan {
}
chain accept_from_lan {
iifname "tun*" counter packets 55 bytes 21519 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
iifname "eth1" counter packets 5007 bytes 401307 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
chain accept_to_lan {
oifname "tun*" counter packets 73 bytes 22851 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
oifname "eth1" counter packets 1151 bytes 173425 accept comment "!fw4: accept lan IPv4/IPv6 traffic"
}
# WAN -> router. Beyond the OpenWrt defaults (DHCP, ping, IGMP, DHCPv6, MLD, a limited
# ICMPv6 set) this host exposes udp/1195 (rule comment says WireGuard; the comment string
# carries a typo, "Alow", and is left as-is because it is rule data), tcp+udp/1111
# (Transmission) and udp/1194 (OpenVPN). `ct status dnat accept` also admits anything
# dstnat_wan has already rewritten, so every DNAT rule doubles as an allow rule here.
# Unmatched traffic is rejected (RST / ICMP error), which reveals the host as alive.
chain input_wan {
meta nfproto ipv4 udp dport 68 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCP-Renew"
icmp type echo-request counter packets 44 bytes 2912 accept comment "!fw4: Allow-Ping"
meta nfproto ipv4 meta l4proto igmp counter packets 62 bytes 1984 accept comment "!fw4: Allow-IGMP"
meta nfproto ipv6 udp dport 546 counter packets 0 bytes 0 accept comment "!fw4: Allow-DHCPv6"
ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { mld-listener-query . 0, mld-listener-report . 0, mld-listener-done . 0, mld2-listener-report . 0 } counter packets 15 bytes 1140 accept comment "!fw4: Allow-MLD"
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply, nd-router-solicit, nd-router-advert } limit rate 1000/second burst 5 packets counter packets 6 bytes 464 accept comment "!fw4: Allow-ICMPv6-Input"
icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, nd-neighbor-solicit . 0, nd-neighbor-advert . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Input"
udp dport 1195 counter packets 0 bytes 0 accept comment "!fw4: Alow_Wireguard"
tcp dport 1111 counter packets 0 bytes 0 accept comment "!fw4: Allow-Transmission"
udp dport 1111 counter packets 0 bytes 0 accept comment "!fw4: Allow-Transmission"
udp dport 1194 counter packets 1 bytes 42 accept comment "!fw4: Allow-OpenVPN"
ct status dnat accept comment "!fw4: Accept port redirections"
jump reject_from_wan
}
chain output_wan {
jump accept_to_wan
}
# WAN -> forwarded. The ESP and UDP/500 rules have no nfproto or destination restriction:
# for IPv4 they only matter once a DNAT/conntrack entry exists, but for IPv6 (which is not
# masqueraded, see srcnat_wan) they admit new IKE/ESP flows towards every LAN host. These
# are OpenWrt defaults, but worth knowing about. Port forwards are admitted via
# `ct status dnat accept`; everything else is rejected.
chain forward_wan {
icmpv6 type { destination-unreachable, time-exceeded, echo-request, echo-reply } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
icmpv6 type . icmpv6 code { packet-too-big . 0, parameter-problem . 0, parameter-problem . 1 } limit rate 1000/second burst 5 packets counter packets 0 bytes 0 accept comment "!fw4: Allow-ICMPv6-Forward"
meta l4proto esp counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-IPSec-ESP"
udp dport 500 counter packets 0 bytes 0 jump accept_to_lan comment "!fw4: Allow-ISAKMP"
ct status dnat accept comment "!fw4: Accept port forwards"
jump reject_to_wan
}
chain accept_to_wan {
oifname { "eth0", "pppoe-wan" } counter packets 19491 bytes 5597254 accept comment "!fw4: accept wan IPv4/IPv6 traffic"
}
chain reject_from_wan {
iifname { "eth0", "pppoe-wan" } counter packets 520 bytes 26105 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
chain reject_to_wan {
oifname { "eth0", "pppoe-wan" } counter packets 0 bytes 0 jump handle_reject comment "!fw4: reject wan IPv4/IPv6 traffic"
}
# wireguard zone: peers may reach the router, the LAN and the WAN without restriction.
chain input_wireguard {
jump accept_from_wireguard
}
chain output_wireguard {
jump accept_to_wireguard
}
chain forward_wireguard {
jump accept_to_lan comment "!fw4: Accept wireguard to lan forwarding"
jump accept_to_wan comment "!fw4: Accept wireguard to wan forwarding"
jump accept_to_wireguard
}
chain accept_from_wireguard {
iifname "wireguard" counter packets 0 bytes 0 accept comment "!fw4: accept wireguard IPv4/IPv6 traffic"
}
chain accept_to_wireguard {
oifname "wireguard" counter packets 0 bytes 0 accept comment "!fw4: accept wireguard IPv4/IPv6 traffic"
}
# Destination NAT. upnp_prerouting is empty in this dump (see forward chain note).
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
iifname "tun*" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
iifname "eth1" jump dstnat_lan comment "!fw4: Handle lan IPv4/IPv6 dstnat traffic"
iifname { "eth0", "pppoe-wan" } jump dstnat_wan comment "!fw4: Handle wan IPv4/IPv6 dstnat traffic"
jump upnp_prerouting comment "Hook into miniupnpd prerouting chain"
}
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
oifname "tun*" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
oifname "eth1" jump srcnat_lan comment "!fw4: Handle lan IPv4/IPv6 srcnat traffic"
oifname { "eth0", "pppoe-wan" } jump srcnat_wan comment "!fw4: Handle wan IPv4/IPv6 srcnat traffic"
oifname "wireguard" jump srcnat_wireguard comment "!fw4: Handle wireguard IPv4/IPv6 srcnat traffic"
jump upnp_postrouting comment "Hook into miniupnpd postrouting chain"
}
# NAT reflection (hairpin) so LAN clients can use the WAN addresses for the same port
# forwards; 191.255.136.242 and 192.168.1.2 are presumably the pppoe-wan and eth0
# addresses — verify. The last two rules redirect all plain-DNS (tcp/udp 53) from the LAN
# to this host (Adguard Home); only port 53 is intercepted.
chain dstnat_lan {
ip saddr 192.168.15.0/24 ip daddr { 191.255.136.242, 192.168.1.2 } udp dport 45000-65535 dnat ip to 192.168.15.30:45000-65535 comment "!fw4: NintendoSwitch-NAT_A (reflection)"
ip saddr 192.168.15.0/24 ip daddr { 191.255.136.242, 192.168.1.2 } tcp dport 1111 dnat ip to 192.168.15.1:1111 comment "!fw4: Transmission (reflection)"
ip saddr 192.168.15.0/24 ip daddr { 191.255.136.242, 192.168.1.2 } udp dport 1111 dnat ip to 192.168.15.1:1111 comment "!fw4: Transmission (reflection)"
tcp dport 53 counter packets 0 bytes 0 redirect to :53 comment "!fw4: Adguard Home"
udp dport 53 counter packets 9165 bytes 715376 redirect to :53 comment "!fw4: Adguard Home"
}
# Reflection return path: rewrite the source to 192.168.15.1 (presumably this router's
# LAN address) so the reply flows back through the router.
chain srcnat_lan {
ip saddr 192.168.15.0/24 ip daddr 192.168.15.30 udp dport 45000-65535 snat ip to 192.168.15.1 comment "!fw4: NintendoSwitch-NAT_A (reflection)"
ip saddr 192.168.15.0/24 ip daddr 192.168.15.1 tcp dport 1111 snat ip to 192.168.15.1 comment "!fw4: Transmission (reflection)"
ip saddr 192.168.15.0/24 ip daddr 192.168.15.1 udp dport 1111 snat ip to 192.168.15.1 comment "!fw4: Transmission (reflection)"
}
# Inbound port forwards (IPv4 only). udp 45000-65535 is 20536 ports forwarded to a single
# LAN host and admitted by forward_wan's `ct status dnat accept` — a wide exposure for
# that host, apparently deliberate for the console's NAT type. tcp/udp 1111 is forwarded to
# 192.168.15.1, which the srcnat_lan rules suggest is this router itself, so that traffic
# ends up in input_wan rather than forward_wan.
chain dstnat_wan {
meta nfproto ipv4 udp dport 45000-65535 counter packets 40 bytes 3204 dnat ip to 192.168.15.30:45000-65535 comment "!fw4: NintendoSwitch-NAT_A"
meta nfproto ipv4 tcp dport 1111 counter packets 0 bytes 0 dnat ip to 192.168.15.1:1111 comment "!fw4: Transmission"
meta nfproto ipv4 udp dport 1111 counter packets 0 bytes 0 dnat ip to 192.168.15.1:1111 comment "!fw4: Transmission"
}
# IPv4 only: IPv6 leaves both zones with its real source address, so IPv6 reachability of
# LAN hosts is governed solely by forward_wan / forward_wireguard.
chain srcnat_wan {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wan traffic"
}
chain srcnat_wireguard {
meta nfproto ipv4 masquerade comment "!fw4: Masquerade IPv4 wireguard traffic"
}
# raw/mangle base chains; only the two MSS-clamping rules carry any logic.
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
}
chain raw_output {
type filter hook output priority raw; policy accept;
}
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
# Clamp TCP MSS to the route MTU on SYNs leaving via wan (PPPoE lowers the MTU).
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
oifname { "eth0", "pppoe-wan" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 egress MTU fixing"
}
chain mangle_input {
type filter hook input priority mangle; policy accept;
}
chain mangle_output {
type route hook output priority mangle; policy accept;
}
# Same clamp for SYNs arriving from wan and being forwarded.
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
iifname { "eth0", "pppoe-wan" } tcp flags & (fin | syn | rst) == syn tcp option maxseg size set rt mtu comment "!fw4: Zone wan IPv4/IPv6 ingress MTU fixing"
}
# miniupnpd hook chains, empty at the time of this dump.
chain upnp_forward {
}
chain upnp_prerouting {
}
chain upnp_postrouting {
}
}
root@horus:~#