#!/usr/bin/nft -f flush ruleset define DEV_PRIVATE = { tun0, br0 } define DEV_WORLD = { ppp0, enp1s0 } define DEV_WG = wg0 define NET_PRIVATE = 192.168.0.0/16 # 封禁列表 define BANNED_MAC = { f4:1c:71:1f:59:e8 } table inet router { # Flowtable 设置 flowtable ft { hook ingress priority 0; devices = { eno1, enp1s0, enp2s0, enp4s0 }; } #################### # Inbound 规则链 #################### chain inbound { type filter hook input priority filter; policy drop; iifname "lo" accept ct state established,related accept # 跳转到具体规则链 iifname $DEV_PRIVATE jump inbound_private iifname $DEV_WG jump inbound_wireguard iifname $DEV_WORLD jump inbound_world counter jump handle_reject } chain inbound_private { # 如果来自私有网络且 MAC 地址在封禁列表中,则丢弃 # ether saddr $BANNED_MAC counter drop counter accept } chain inbound_wireguard { counter accept } chain inbound_world { meta nfproto ipv4 udp dport 68 counter accept # Allow-DHCP-Renew meta nfproto ipv4 icmp type 8 counter accept # Allow-Ping meta nfproto ipv4 meta l4proto igmp counter accept # Allow-IGMP meta nfproto ipv6 udp dport 546 counter accept # Allow-DHCPv6 ip6 saddr fe80::/10 icmpv6 type . icmpv6 code { 130 . 0, 131 . 0, 132 . 0, 143 . 0 } counter accept # Allow-MLD meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3, 133, 134 } limit rate 1000/second counter accept # Allow-ICMPv6-Input meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1, 135 . 0, 136 . 0 } limit rate 1000/second counter accept # Allow-ICMPv6-Input tcp dport 22 counter accept # Allow-SSH udp dport 6699 counter accept # Allow-WireGuard counter jump handle_reject } #################### # Forward 规则链 #################### chain forward { type filter hook forward priority filter; policy drop; meta l4proto { tcp, udp } flow offload @ft; ct state established,related accept iifname $DEV_PRIVATE jump forward_private iifname $DEV_WG jump forward_wireguard iifname $DEV_WORLD jump forward_world counter jump handle_reject } chain forward_private { oifname $DEV_WG counter accept oifname $DEV_WORLD counter accept } chain forward_wireguard { oifname $DEV_PRIVATE counter accept } chain forward_world { meta nfproto ipv6 icmpv6 type { 128, 129, 1, 3 } limit rate 1000/second counter accept # Allow-ICMPv6-Forward meta nfproto ipv6 icmpv6 type . icmpv6 code { 2 . 0, 4 . 0, 4 . 1 } limit rate 1000/second counter accept # Allow-ICMPv6-Forward meta l4proto esp counter oifname $DEV_PRIVATE counter accept # Allow-IPSec-ESP udp dport 500 counter oifname $DEV_PRIVATE counter accept # Allow-ISAKMP # meta nfproto ipv6 oifname $DEV_PRIVATE counter accept # 暴露内部网络设备 IPv6 到公网 oifname $DEV_WORLD counter jump handle_reject } #################### # Outbound 规则链 #################### chain outbound { type filter hook output priority filter; policy accept; oifname "lo" accept ct state established,related accept oifname $DEV_WORLD jump outbound_world oifname $DEV_PRIVATE jump outbound_private oifname $DEV_WG jump outbound_wireguard } chain outbound_world { # 防止 NAT 泄漏 meta nfproto ipv4 ct state invalid counter drop counter accept } chain outbound_private { counter accept } chain outbound_wireguard { counter accept } #################### # 拒绝处理 #################### chain handle_reject { meta l4proto tcp reject with tcp reset reject } #################### # Nat 规则链 #################### chain dstnat { type nat hook prerouting priority dstnat; policy accept; } chain srcnat { type nat hook postrouting priority srcnat; policy accept; # 对 IPv4 外部流量进行伪装,将源地址转换为出口接口的公共 IP 地址 oifname $DEV_WORLD meta nfproto ipv4 masquerade } #################### # Raw 规则链 (notrack) #################### chain raw_prerouting { type filter hook prerouting priority raw; policy accept; } chain raw_output { type filter hook output priority raw; policy accept; } #################### # Mangle 规则链 #################### chain mangle_prerouting { type filter hook prerouting priority mangle; policy accept; # meta iifname $DEV_WORLD return } chain mangle_postrouting { type filter hook postrouting priority mangle; policy accept; # MTU 钳制 oifname $DEV_WORLD tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu } chain mangle_input { type filter hook input priority mangle; policy accept; } chain mangle_output { type route hook output priority mangle; policy accept; } chain mangle_forward { type filter hook forward priority mangle; policy accept; # MTU 钳制 iifname $DEV_WORLD tcp flags syn / syn,fin,rst tcp option maxseg size set rt mtu } }