ini 适用于strongSwan vpn road warrior配置的Nftables
#!/usr/sbin/nft -f
# Atomic reload: drops every existing table (including any added at runtime
# by other tools) before the tables below are created from scratch.
flush ruleset
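table inet filter {
    # Shared conntrack checks, entered via "jump" from the base chains below.
    # "accept" inside a jumped chain is final for the packet, so the calling
    # chain never sees established/related flows after this point.
    chain base_checks {
        # allow established connections (and related ones, e.g. ICMP errors)
        ct state { established, related } accept
        # early drop of invalid connections
        ct state invalid drop
    }

    chain input {
        type filter hook input priority 0; policy drop
        jump base_checks
        # allow from loopback
        iifname lo accept
        # common local services (SSH/HTTP/HTTPS) are open to any source at
        # this hook; table "admin-filter" (priority 200) narrows SSH afterwards
        tcp dport { 22, 80, 443 } ct state new accept
        # strongSwan: IKE (500) and NAT-T / UDP-encapsulated ESP (4500)
        udp dport { 500, 4500 } counter accept
        # ICMP for ping and path/error signalling
        ip protocol icmp icmp type { echo-request, echo-reply, time-exceeded, parameter-problem, destination-unreachable } accept
        # IPv6 neighbour discovery: an inet table with "policy drop" and a
        # catch-all reject would otherwise break IPv6 entirely (no-op if IPv6 is off)
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # native (non-UDP-encapsulated) IPsec arriving on the uplink; IPv4 only
        # NOTE(review): an "ip6 nexthdr { ah, esp }" rule is needed if IPsec runs over IPv6
        iifname eth0 ip protocol { ah, esp } accept
        # count and reject everything else; because this rule matches every
        # remaining packet, the chain's "policy drop" is effectively never reached
        counter reject with icmpx type port-unreachable
    }

    chain forward {
        type filter hook forward priority 0; policy drop
        jump base_checks
        # allow traffic coming out of the VPN client pool; replies come back
        # through base_checks as established/related
        ip saddr 172.16.252.0/24 accept
    }

    chain output {
        type filter hook output priority 0; policy accept
        # explicit, although the accept policy already covers it
        oifname eth0 ip protocol { ah, esp } accept
    }
}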
table ip nat {
    # DNAT hook; no port forwards are defined, so this chain only registers the hook
    chain prerouting {
        type nat hook prerouting priority 0; policy accept
    }

    # SNAT hook at the srcnat priority
    chain postrouting {
        type nat hook postrouting priority 100; policy accept
        # hide the VPN client pool behind the uplink address on egress
        # NOTE(review): traffic between two VPN clients that is re-encapsulated
        # out of eth0 would be rewritten as well — confirm that is acceptable
        oif eth0 ip saddr 172.16.252.0/24 masquerade
    }
}
table ip admin-filter {
    include "/etc/white.nft"

    # Sources allowed to open new SSH sessions. The entries below are
    # placeholders as published and must be replaced with real prefixes
    # before the ruleset can load.
    set admin_ip {
        type ipv4_addr; flags interval;
        elements = {
            p.q.r.0/22,
            x.y.z.0/20,
            a.b.0.0/19,
            m.n.o.0/21
        }
    }

    # Second input hook (priority 200). An "accept" in table "inet filter"
    # does not skip this chain, so SSH packets accepted there still land here.
    chain input {
        type filter hook input priority 200; policy accept
        ct state related,established counter accept
        # only the admin prefixes may start SSH connections ...
        ip saddr @admin_ip tcp dport 22 ct state new accept
        # ... any other new SSH attempt is refused (ICMP port-unreachable)
        tcp dport 22 reject
    }
}
# Loaded last, presumably so that the tables it defines are recreated after
# the "flush ruleset" above whenever this file is re-applied — verify.
include "/etc/nftables/fail2ban.conf"