flush table inet fw4
table inet fw4 {
- #
- # Set definitions
- #
-
-
#
# Defines
#
define test1_devices = { "zone1" }
+ define test1_subnets = { }
+
define test2_devices = { "zone2" }
+ define test2_subnets = { }
+
define test3_devices = { "zone3" }
+ define test3_subnets = { }
+
#
# User includes
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
- ct state established,related accept comment "!fw4: Allow inbound established and related flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Handle inbound flows"
iifname "zone1" jump input_test1 comment "!fw4: Handle test1 IPv4/IPv6 input traffic"
iifname "zone2" jump input_test2 comment "!fw4: Handle test2 IPv4/IPv6 input traffic"
iifname "zone3" jump input_test3 comment "!fw4: Handle test3 IPv4/IPv6 input traffic"
chain forward {
type filter hook forward priority filter; policy drop;
- ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Handle forwarded flows"
iifname "zone1" jump forward_test1 comment "!fw4: Handle test1 IPv4/IPv6 forward traffic"
iifname "zone2" jump forward_test2 comment "!fw4: Handle test2 IPv4/IPv6 forward traffic"
iifname "zone3" jump forward_test3 comment "!fw4: Handle test3 IPv4/IPv6 forward traffic"
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
- ct state established,related accept comment "!fw4: Allow outbound established and related flows"
+ ct state vmap { established : accept, related : accept } comment "!fw4: Handle outbound flows"
oifname "zone1" jump output_test1 comment "!fw4: Handle test1 IPv4/IPv6 output traffic"
oifname "zone2" jump output_test2 comment "!fw4: Handle test2 IPv4/IPv6 output traffic"
oifname "zone3" jump output_test3 comment "!fw4: Handle test3 IPv4/IPv6 output traffic"
}
+ chain prerouting {
+ type filter hook prerouting priority filter; policy accept;
+ }
+
chain handle_reject {
meta l4proto tcp reject with tcp reset comment "!fw4: Reject TCP traffic"
reject with icmpx type port-unreachable comment "!fw4: Reject any other traffic"
}
chain accept_to_test1 {
+ meta nfproto ipv4 oifname "zone1" ct state invalid counter drop comment "!fw4: Prevent NAT leakage"
oifname "zone1" counter accept comment "!fw4: accept test1 IPv4/IPv6 traffic"
}
#
- # Raw rules (notrack & helper)
+ # Raw rules (notrack)
#
chain raw_prerouting {
type filter hook prerouting priority mangle; policy accept;
}
+ chain mangle_postrouting {
+ type filter hook postrouting priority mangle; policy accept;
+ }
+
+ chain mangle_input {
+ type filter hook input priority mangle; policy accept;
+ }
+
chain mangle_output {
- type filter hook output priority mangle; policy accept;
+ type route hook output priority mangle; policy accept;
}
chain mangle_forward {