nftables/nat.nft
Phil Sutter 2ee3b20fcf nftables-1.0.4-1.el8
* Tue May 30 2023 Phil Sutter <psutter@redhat.com> [1.0.4-1.el8]
- Synchronize patch level with nftables-1.0.4-10.el9 (Phil Sutter) [2211076]
- Rebase onto version 1.0.4 (Phil Sutter) [2211076]
Resolves: rhbz#2211076
2023-05-30 22:13:56 +02:00


# Sample configuration snippet for nftables service.
# Meant to be included by main.nft, not for direct use.
# Dedicated table for IPv4 only; no IPv6 rules live here.
table ip nftables_svc {
	# Interfaces whose traffic gets masqueraded when it leaves via
	# an interface that is not in this set.
	set masq_interfaces {
		type ifname
		elements = { "virbr0" }
	}

	# Source networks whose traffic gets masqueraded regardless of
	# interface. The 'interval' flag is what allows CIDR subnets
	# (rather than single addresses) as set elements.
	set masq_ips {
		type ipv4_addr
		flags interval
		elements = { 192.168.122.0/24 }
	}

	# Port-shadow mitigation: forwarded connections (meta iif > 0,
	# i.e. not locally originated) that combine a low source port
	# with an ephemeral-range destination port get a randomly chosen
	# SNAT port instead of the default selection. Such port values are
	# the ones that could make a new inbound connection accidentally
	# match an existing mapping; all other traffic falls through to a
	# plain masquerade.
	chain do_masquerade {
		meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
		masquerade
	}

	# Base chain on the postrouting hook. Priority srcnat + 20 places
	# it after chains registered at the plain srcnat priority (lower
	# values run first). As a nat-type chain it only sees the first
	# packet of a connection, i.e. new or related traffic.
	chain POSTROUTING {
		type nat hook postrouting priority srcnat + 20
		policy accept

		# traffic entering on a masquerade interface and leaving on
		# an interface that is not one
		iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade

		# traffic from the listed networks; note this rule does not
		# restrict the output interface
		ip saddr @masq_ips jump do_masquerade
	}
}