Nftables 接受特定 IP 和端口转发 [关闭]

问题描述 投票:0回答:0

我有以下用于家庭网络的路由器 nftables。 广域网 IP eth0 - 192.168.0.88 家庭IP eth1 10.0.1.1 邮件服务器:10.0.1.80 List_external_IP: {12.34.56.78, 123,233,122,111}

#!/usr/sbin/nft -f

# Clear out any existing rules
flush ruleset

define WANLINK = eth0 # NIC1
define LANLINK = eth1 # NIC4

define PORTFORWARDS = { http, https }

define BOGONS4 = { 0.0.0.0/8, 10.0.0.0/8, 10.64.0.0/10, 127.0.0.0/8 }

table inet filter {
    chain inbound_world {
                ip saddr { $BOGONS4 } drop
    }
    chain inbound_private {
        ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept }
    }
    chain inbound {
                type filter hook input priority 0; policy drop;
                ct state vmap { established : accept, related : accept, invalid : drop} counter

        ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } limit rate 5/second accept
        iifname "lo" ip daddr != 127.0.0.0/8 drop

                iifname vmap { lo: accept, $WANLINK : jump inbound_world, $LANLINK : jump inbound_private }
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state vmap { established : accept, related : accept, invalid : drop }
        iifname { lo, $LANLINK } accept
        tcp dport { $PORTFORWARDS } counter
    }
}

table ip nat {
        chain  prerouting {
        type nat hook prerouting priority -100;
        iifname $WANLINK tcp dport { $PORTFORWARDS } dnat to 10.199.200.10
        }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oif $WANLINK masquerade
    }
}

现在我想允许 List_external_IP 可以访问服务器“eth0” 同时将端口 80、443 从 WAN (eth0) 转发到邮件服务器:10.0.1.80 任何帮助将非常感激 谢谢

port forwarding nftables
© www.soinside.com 2019 - 2024. All rights reserved.