История изменений
Исправление ptah_alexs, (текущая версия) :
У меня такой конфиг (с iifname) работает нормально:
#!/usr/sbin/nft -f
# Start from an empty ruleset. NOTE: `flush ruleset` removes every table of
# every family, including ones added by other tools (docker, libvirt,
# fail2ban, ...); on a host running such tools, flush only this file's own
# tables instead.
flush ruleset

# Interface roles used by the tables below. Only these symbols are referenced
# in the rules, so a re-cabled host needs changes here only.
define income_interface  = ppp0    # uplink (PPP); treated as the untrusted side
define desktop_interface = enp4s0  # local segment that may reach the uplink
define base_interface    = enp6s0  # second local segment, kept off the uplink
# IPv4-only NAT. There is no IPv6 counterpart, so any IPv6 that is routed by the
# filter table below goes out untranslated.
table ip nat {
	# Source NAT for everything leaving through the uplink. `masquerade`
	# (rather than `snat to <addr>`) follows the interface's current address,
	# which is what a PPP link with a changing address needs.
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname $income_interface masquerade
	}

	# The remaining nat hooks carry no rules; they are placeholders.
	# Inbound port-forwards (DNAT) would go into prerouting.
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
	}
	chain output {
		type nat hook output priority -100; policy accept;
	}
	chain input {
		type nat hook input priority 100; policy accept;
	}
}
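# Dual-stack packet filter (`inet` = IPv4 and IPv6). Both hooks that matter
# default to drop; every accept below is an explicit exception.
table inet filter {
	# Locally generated traffic is not restricted.
	chain output {
		type filter hook output priority 0; policy accept;
	}

	# Traffic addressed to this host.
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		ct state invalid drop

		# FIX: because this table is `inet`, it also filters IPv6, and IPv6
		# neighbour-discovery / MLD messages are not tracked by conntrack
		# (ct state untracked) — they match neither `established` nor the
		# `ct state new` rule at the end, so they used to fall through to
		# `policy drop`, which breaks IPv6 on every interface (no default
		# route from RAs, no neighbour resolution). No effect on IPv4-only hosts.
		icmpv6 type { nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, mld-listener-query } accept

		# Services reachable from *every* interface, the uplink included:
		# 443/tcp, 2022/tcp+udp, 4444/udp. Whatever listens there is exposed
		# to the Internet, so keep this list to what must be public.
		tcp dport { 443, 2022 } accept
		udp dport { 2022, 4444 } accept

		# Any non-uplink interface (both local segments and lo) may open new
		# connections to this host. NOTE(review): $base_interface is trusted
		# here even though the forward chain keeps it off the uplink — use
		# `iifname { lo, $desktop_interface } ct state new accept` if that
		# segment should not reach host services either.
		iifname != $income_interface ct state new accept

		# ICMP echo from the uplink is deliberately not accepted (pings to
		# the uplink address time out); add `icmp type echo-request accept`
		# and `icmpv6 type echo-request accept` if the host should answer.
	}

	# Routed traffic between the local segments and the uplink.
	chain forward {
		type filter hook forward priority 0; policy drop;

		# Clamp the MSS of every forwarded TCP SYN to the route MTU; a PPP
		# uplink typically has a smaller MTU than Ethernet and path-MTU
		# discovery is not always reliable end to end.
		meta l4proto tcp tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu

		# uplink -> desktop segment: replies to existing flows only
		# (there are no inbound port-forwards).
		iifname $income_interface oifname $desktop_interface ct state related,established accept

		# desktop segment -> uplink: unrestricted.
		iifname $desktop_interface oifname $income_interface accept

		# second segment -> uplink: refused with an ICMP error so senders
		# fail fast instead of timing out (a plain drop would do the same
		# silently).
		iifname $base_interface oifname $income_interface reject with icmpx type host-unreachable

		# uplink -> uplink (hairpin / misrouted packets arriving from the
		# Internet): refused. NOTE(review): the ICMP error goes back out to
		# the untrusted side and confirms a filtering host exists; a silent
		# `drop` is the more conservative choice for this rule.
		iifname $income_interface oifname $income_interface reject with icmpx type host-unreachable

		# Traffic between the two local segments is not listed and is
		# therefore dropped by the chain policy.
	}
}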
Исходная версия ptah_alexs, :
У меня такой конфиг (с iifname) работает нормально:
[cut] [code]
#!/usr/sbin/nft -f
# Replace whatever ruleset is loaded; note this clears tables of all families,
# including ones created by other tools.
flush ruleset

# Interface roles.
define income_interface  = ppp0    # uplink (PPP)
define desktop_interface = enp4s0  # local segment allowed out to the uplink
define base_interface    = enp6s0  # local segment not allowed out to the uplink

# IPv4 NAT: masquerade everything leaving via the uplink.
# The other nat chains are empty placeholders.
table ip nat {
	chain postrouting {
		type nat hook postrouting priority 100; policy accept;
		oifname $income_interface masquerade
	}
	chain prerouting {
		type nat hook prerouting priority -100; policy accept;
	}
	chain input {
		type nat hook input priority 100; policy accept;
	}
	chain output {
		type nat hook output priority -100; policy accept;
	}
}

# Dual-stack filter. Outbound is open; input and forward are default-deny.
table inet filter {
	chain input {
		type filter hook input priority 0; policy drop;
		ct state established,related accept
		ct state invalid drop
		# public services, reachable from the uplink as well
		tcp dport { 443, 2022 } accept
		udp dport { 2022, 4444 } accept
		# new connections from any non-uplink interface (local segments, lo)
		iifname != $income_interface ct state new accept
	}
	chain forward {
		type filter hook forward priority 0; policy drop;
		# MSS clamping for the PPP uplink
		meta l4proto tcp tcp flags & (syn|rst) == syn tcp option maxseg size set rt mtu
		# replies from the uplink back to the desktop segment
		iifname $income_interface oifname $desktop_interface ct state related,established accept
		# desktop segment out to the uplink
		iifname $desktop_interface oifname $income_interface accept
		# the second segment and uplink-to-uplink hairpins are refused with an ICMP error
		iifname $base_interface oifname $income_interface reject with icmpx type host-unreachable
		iifname $income_interface oifname $income_interface reject with icmpx type host-unreachable
	}
	chain output {
		type filter hook output priority 0; policy accept;
	}
}
[/code] [/cut]