updated nftables state

This commit is contained in:
Paul 2022-06-08 23:50:36 +02:00
parent 4999a9cd76
commit 4518388841


@ -23,14 +23,16 @@ add rule ip filter INPUT {{ value.proto }} dport {{ value.port }} ct state estab
## IPv4 NAT ## IPv4 NAT
add table ip nat add table ip nat
add chain ip nat PREROUTING { type nat hook prerouting priority -1; policy accept; } add chain ip nat PREROUTING { type nat hook prerouting priority dstnat; policy accept; }
add chain ip nat INPUT { type nat hook input priority 1; policy accept; } add chain ip nat INPUT { type nat hook input priority 1; policy accept; }
add chain ip nat OUTPUT { type nat hook output priority -1; policy accept; } add chain ip nat OUTPUT { type nat hook output priority -100; policy accept; }
add chain ip nat POSTROUTING { type nat hook postrouting priority 1; policy accept; } add chain ip nat POSTROUTING { type nat hook postrouting priority srcnat; policy accept; }
add chain ip nat DOCKER add chain ip nat DOCKER
{%- for key, value in net.nats.items() %} {%- for key, value in net.nats.items() %}
add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade add rule ip nat POSTROUTING ip saddr {{ value.ip }}/{{ value.mask }} counter masquerade
{%- endfor %} {%- endfor %}
add rule ip nat POSTROUTING oifname != "docker0" ip saddr 172.17.0.0/24 counter masquerade
add rule ip nat PREROUTING fib daddr type local counter jump DOCKER
add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER add rule ip nat OUTPUT ip daddr != 127.0.0.0/8 fib daddr type local counter jump DOCKER
add rule ip nat DOCKER iifname "docker0" counter return add rule ip nat DOCKER iifname "docker0" counter return