Pi hole, Unbound & Wireguard
Welcome to the raspbian10-buster wiki!
Moving from iptables to nftables
Source: https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
user@pihole2:~ $ cat rules.iptables
# Generated by xtables-save v1.8.2 on Sat Jun 29 14:35:52 2019
# Filter table: default-deny for inbound (INPUT) and forwarded (FORWARD)
# traffic, allow-all for outbound (OUTPUT). The bracketed numbers after each
# policy are the [packets:bytes] counters captured at save time; they are
# informational and iptables-restore only reloads them when given -c.
*filter
:INPUT DROP [375439:69623082]
:FORWARD DROP [2:700]
:OUTPUT ACCEPT [55890:8805566]
# Loopback is trusted unconditionally.
-A INPUT -i lo -j ACCEPT
# ICMP and SSH are accepted only when they arrive on eth0; no rule below opens
# either of them on wg0.
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
# Deliberately not bound to an interface: replies to connections this host
# initiated are accepted on every interface, wg0 included. This is also the
# only way inbound wg0 traffic reaches INPUT, and no WireGuard listen port is
# opened on eth0, so the tunnel presumably has to be initiated from this host
# -- confirm against the WireGuard configuration.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# HTTP (presumably the Pi-hole web admin interface -- confirm) is reachable
# from any host on eth0; there is no source-address restriction.
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
# DNS over TCP and UDP, plus the DHCP server (67) and client (68) ports,
# accepted on the eth0 side only.
-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 68 -j ACCEPT
# Forwarding is one-way: anything entering on eth0 may leave over wg0, but
# packets arriving from wg0 are only forwarded back to eth0 when they belong
# to a connection that was opened from the eth0 side. No other forwarding
# path exists, so the FORWARD DROP policy covers everything else.
-A FORWARD -i eth0 -o wg0 -j ACCEPT
-A FORWARD -i wg0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Jun 29 14:35:52 2019
# Generated by xtables-save v1.8.2 on Sat Jun 29 14:35:52 2019
# NAT table: only source NAT for traffic leaving via wg0; nothing is DNATed
# and all four chains keep their ACCEPT policy.
*nat
:PREROUTING ACCEPT [377948:69767380]
:INPUT ACCEPT [2742:165526]
:POSTROUTING ACCEPT [10784:805542]
:OUTPUT ACCEPT [10784:805542]
# Rewrites the source address of packets leaving through wg0 to that
# interface's own address, so the forwarded eth0 traffic above is sent into
# the tunnel as if it originated here.
-A POSTROUTING -o wg0 -j MASQUERADE
COMMIT
# Completed on Sat Jun 29 14:35:52 2019
user@pihole2:~ $ cat rules.nft
# Translated by iptables-restore-translate v1.8.2 on Sat Jun 29 14:36:34 2019
# Mechanical translation of rules.iptables above; rule order and verdicts are
# unchanged. Two things to be aware of before loading it with nft -f:
#  - Every statement is an "add". Loading the file a second time appends a
#    duplicate of each rule instead of replacing it; a leading "flush ruleset"
#    makes the load idempotent (and clears any ruleset left behind by
#    iptables-nft).
#  - The "ip" family is IPv4 only. Nothing here applies to IPv6, so an
#    ip6tables policy, if one exists, needs its own translation (or an "inet"
#    table) -- confirm whether IPv6 is in use on this host.
# The "counter" keyword on each rule only keeps per-rule packet/byte
# statistics; it does not influence the verdict.
add table ip filter
# Same default-deny posture as the iptables version: inbound and forwarded
# traffic is dropped unless a rule below accepts it, outbound is allowed.
add chain ip filter INPUT { type filter hook input priority 0; policy drop; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy drop; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
# Loopback is trusted unconditionally.
add rule ip filter INPUT iifname "lo" counter accept
# ICMP and SSH only on eth0; no rule opens them on wg0.
add rule ip filter INPUT iifname "eth0" ip protocol icmp counter accept
add rule ip filter INPUT iifname "eth0" tcp dport 22 counter accept
# Not bound to an interface: replies to connections this host initiated are
# accepted on every interface, wg0 included. This is the only rule that lets
# inbound wg0 traffic reach INPUT at all.
add rule ip filter INPUT ct state related,established counter accept
# HTTP (presumably the Pi-hole web admin interface -- confirm) is reachable
# from any host on eth0.
add rule ip filter INPUT iifname "eth0" tcp dport 80 counter accept
# DNS over TCP and UDP, plus DHCP server (67) and client (68), eth0 only.
add rule ip filter INPUT iifname "eth0" tcp dport 53 counter accept
add rule ip filter INPUT iifname "eth0" udp dport 53 counter accept
add rule ip filter INPUT iifname "eth0" udp dport 67 counter accept
add rule ip filter INPUT iifname "eth0" udp dport 68 counter accept
# One-way forwarding: eth0 -> wg0 is open, wg0 -> eth0 only for connections
# opened from the eth0 side; everything else hits the FORWARD drop policy.
add rule ip filter FORWARD iifname "eth0" oifname "wg0" counter accept
add rule ip filter FORWARD iifname "wg0" oifname "eth0" ct state related,established counter accept
add table ip nat
# The translator recreates all four iptables nat chains with the priorities
# iptables-nft itself uses (-100 before filter, 100 after); only POSTROUTING
# carries a rule, the others exist solely to mirror the original table.
add chain ip nat PREROUTING { type nat hook prerouting priority -100; policy accept; }
add chain ip nat INPUT { type nat hook input priority 100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 100; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
# Source NAT for everything leaving through wg0 (equivalent of -j MASQUERADE).
add rule ip nat POSTROUTING oifname "wg0" counter masquerade
# Completed on Sat Jun 29 14:36:34 2019