path: root/tests/shell/testcases/optimizations/ruleset
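#!/bin/bash

# Optimizer test fixture: feed one ruleset, built from verdict maps (vmap),
# goto chains and raw transport-payload matches (@th,160,128 ...), to nft with
# the optimizer enabled and in check mode, so the optimizer runs over the
# rules without committing anything to the kernel.
#
# NFT is provided by the test harness environment; it is not set here.
# The script's exit status is that of the nft invocation at the bottom.
#
# RULESET is passed to nft verbatim and is the fixture under test; its
# content (including the line continuations inside the quoted string, which
# bash folds before nft sees them) must not be changed for cosmetic reasons.

RULESET="table inet uni {
	chain gtfo {
		reject with icmpx type host-unreachable
		drop
	}

	chain filter_in_tcp {
		tcp dport vmap {
			   80 : accept,
			   81 : accept,
			  443 : accept,
			  931 : accept,
			 5001 : accept,
			 5201 : accept,
		}
		tcp dport vmap {
			 6800-6999  : accept,
			33434-33499 : accept,
		}

		drop
	}

	chain filter_in_udp {
		udp dport vmap {
			   53 : accept,
			  123 : accept,
			  846 : accept,
			  849 : accept,
			 5001 : accept,
			 5201 : accept,
		}
		udp dport vmap {
			 5300-5399  : accept,
			 6800-6999  : accept,
			33434-33499 : accept,
		}

		drop
	}

	chain filter_in {
		type filter hook input priority 0; policy drop;

		ct state vmap {
			invalid     : drop,
			established : accept,
			related     : accept,
			untracked   : accept,
		}

		ct status vmap {
			dnat : accept,
			snat : accept,
		}

		iif lo  accept

		meta iifgroup {100-199}  accept

		meta l4proto tcp  goto filter_in_tcp
		meta l4proto udp  goto filter_in_udp

		icmp type vmap {
			echo-request : accept,
		}
		ip6 nexthdr icmpv6 icmpv6 type vmap {
			echo-request : accept,
		}
	}

	chain filter_fwd_ifgroup {
		meta iifgroup . oifgroup vmap {
		          100 .  10 : accept,
		          100 . 100 : accept,
		          100 . 101 : accept,
		          101 . 101 : accept,
		}
		goto gtfo
	}

	chain filter_fwd {
		type filter hook forward priority 0; policy drop;

		fib daddr type broadcast  drop

		ct state vmap {
			invalid     : drop,
			established : accept,
			related     : accept,
			untracked   : accept,
		}

		ct status vmap {
			dnat : accept,
			snat : accept,
		}

		meta iifgroup {100-199}  goto filter_fwd_ifgroup
	}

	chain nat_fwd_tun {
		meta l4proto tcp redirect to :15
		udp dport 53 redirect to :13
		goto gtfo
	}

	chain nat_dns_dnstc     { meta l4proto udp redirect to :5300 ; drop ; }
	chain nat_dns_this_5301 { meta l4proto udp redirect to :5301 ; drop ; }
	chain nat_dns_moon_5301  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5301 ; drop ; }
	chain nat_dns_moon_5302  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5302 ; drop ; }
	chain nat_dns_moon_5303  { meta nfproto ipv4 meta l4proto udp dnat to 240.0.1.2:5303 ; drop ; }

	chain nat_dns_acme {
		udp length 47-63 @th,160,128 0x0e373135363130333131303735353203 \
			goto nat_dns_dnstc

		udp length 62-78 @th,160,128 0x0e31393032383939353831343037320e \
			goto nat_dns_this_5301

		udp length 62-78 @th,160,128 0x0e31363436323733373931323934300e \
			goto nat_dns_moon_5301

		udp length 62-78 @th,160,128 0x0e32393535373539353636383732310e \
			goto nat_dns_moon_5302

		udp length 62-78 @th,160,128 0x0e38353439353637323038363633390e \
			goto nat_dns_moon_5303

		drop
	}

	chain nat_prerouting {
		type nat hook prerouting priority -100; policy accept;

		iifgroup 10 udp dport 53 goto nat_dns_acme
		iifgroup 10 accept

		ip  daddr 198.19.0.0/16  goto nat_fwd_tun
		ip6 daddr fc00::/8       goto nat_fwd_tun

		tcp dport 53 redirect to :25302
		udp dport 53 redirect to :25302
	}

	chain nat_output {
		type nat hook output priority -100; policy accept;

		ip  daddr 198.19.0.0/16  goto nat_fwd_tun
		ip6 daddr fc00::/8       goto nat_fwd_tun
	}

	chain nat_postrouting {
		type nat hook postrouting priority 100; policy accept;

		oif != lo masquerade
	}

	chain mangle_forward {
		type filter hook forward priority -150; policy accept;

		tcp flags & (syn | rst) == syn tcp option maxseg size set rt mtu
	}
}"

# The here-string is quoted on purpose: bash releases before 4.4 word-split an
# unquoted here-string and rejoin the words with spaces, which would collapse
# the multi-line ruleset onto one line and change what nft parses.
#   -o    run the ruleset optimizer over the input
#   -c    check mode: parse and validate only, nothing is committed to the kernel
#   -f -  read the ruleset from standard input
$NFT -o -c -f - <<< "$RULESET"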