我有以下用于家庭网络的路由器 nftables。 广域网 IP eth0 - 192.168.0.88 家庭IP eth1 10.0.1.1 邮件服务器:10.0.1.80 List_external_IP: {12.34.56.78, 123,233,122,111}
#!/usr/sbin/nft -f
# Clear out any existing rules
flush ruleset
define WANLINK = eth0 # NIC1
define LANLINK = eth1 # NIC4
define PORTFORWARDS = { http, https }
define BOGONS4 = { 0.0.0.0/8, 10.0.0.0/8, 10.64.0.0/10, 127.0.0.0/8 }
table inet filter {
chain inbound_world {
ip saddr { $BOGONS4 } drop
}
chain inbound_private {
ip protocol . th dport vmap { tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept }
}
chain inbound {
type filter hook input priority 0; policy drop;
ct state vmap { established : accept, related : accept, invalid : drop} counter
ip protocol icmp icmp type { destination-unreachable, echo-reply, echo-request, source-quench, time-exceeded } limit rate 5/second accept
iifname "lo" ip daddr != 127.0.0.0/8 drop
iifname vmap { lo: accept, $WANLINK : jump inbound_world, $LANLINK : jump inbound_private }
}
chain forward {
type filter hook forward priority 0; policy drop;
ct state vmap { established : accept, related : accept, invalid : drop }
iifname { lo, $LANLINK } accept
tcp dport { $PORTFORWARDS } counter
}
}
table ip nat {
chain prerouting {
type nat hook prerouting priority -100;
iifname $WANLINK tcp dport { $PORTFORWARDS } dnat to 10.199.200.10
}
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oif $WANLINK masquerade
}
}
现在我想允许 List_external_IP 可以访问服务器“eth0” 同时将端口 80、443 从 WAN (eth0) 转发到邮件服务器:10.0.1.80 任何帮助将非常感激 谢谢