diff --git a/ipv4-filter.nft b/ipv4-filter.nft
index a918e44..cdb0707 100644
--- a/ipv4-filter.nft
+++ b/ipv4-filter.nft
@@ -1,5 +1,6 @@
 table filter {
- chain input { type filter hook input priority 0;policy accept;}
+ set http_ratelimit { type ipv4_addr; timeout 1s; flags dynamic; }
+ chain input { type filter hook input priority 0;policy drop;}
 chain forward { type filter hook forward priority 0;
 iifname wg0 accept;
 iifname home accept;
@@ -9,7 +10,7 @@ table filter {
 chain output { type filter hook output priority 0; }
 }
-table inet t_nat {
+table nat {
 chain prerouting { type nat hook prerouting priority -100; policy accept;}
 chain postrouting { type nat hook postrouting priority 100;
 iifname wg0 oifname eno1 masquerade;
@@ -18,4 +19,3 @@ table inet t_nat {
 iifname eno1 oifname home masquerade;
 }
 }
-
diff --git a/modules/module-rate-limit-web-port-forward.sh b/modules/module-rate-limit-web-port-forward.sh
index 39e3598..bd9a3ee 100644
--- a/modules/module-rate-limit-web-port-forward.sh
+++ b/modules/module-rate-limit-web-port-forward.sh
@@ -16,6 +16,6 @@ $NFT add rule ip filter input ct state new tcp dport 443 update @http_ratelimit
 $NFT add rule ip filter input ct state new tcp dport 80 update @http_ratelimit { ip saddr limit rate $1/second } accept
-$NFT add rule ip forward prerouting tcp dport 80 dnat to 192.168.0.55
-$NFT add rule ip forward prerouting tcp dport 443 dnat to 192.168.0.55
-$NFT add rule ip forward postrouting ip daddr 192.168.0.55 masquerade
+$NFT add rule ip nat prerouting tcp dport 80 ip saddr 192.168.0.0/24 dnat to 192.168.0.55
+$NFT add rule ip nat prerouting tcp dport 443 ip saddr 192.168.0.0/24 dnat to 192.168.0.55
+$NFT add rule ip nat postrouting ip daddr 192.168.0.55 masquerade
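Review bot: Switching `chain input` to `policy drop` leaves the host with no visible rule accepting return traffic, so a connection the module admits with `ct state new ... accept` has every packet after the SYN dropped unless an established/related rule exists somewhere not shown; the chain as written here holds only the policy, and loopback and the host's own WireGuard/SSH ports are equally unaccounted for. I would put `ct state established,related accept` and `iif lo accept` as the first rules of the chain in this file, plus explicit accepts for whatever ports the host itself must serve, rather than leaving that to the modules. The dynamic set also carries no `size`; some nft releases refuse a dynamic set without one (worth verifying against the target version), and a bound keeps a client that sprays source addresses from growing the set without limit within the 1s timeout window, e.g. `set http_ratelimit { type ipv4_addr; size 65535; timeout 1s; flags dynamic; }`.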
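Review bot: Replacing `table inet t_nat` with `table nat` is a family change, not only a rename: with no family keyword nft defaults to `ip`, so the masquerade rules in this table stop applying to IPv6, which matches the `ip nat` commands in the module script and the file's name but is easy to miss later. A one-line comment above the table, `# ip (IPv4-only) family on purpose: the modules address this table as 'ip nat'`, would record the intent. `chain postrouting` also declares no policy while `chain prerouting` states `policy accept;`; nft defaults to accept so behaviour is the same, but spelling it out on both keeps the file consistent (the postrouting chain body continues outside this hunk).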
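Review bot: The rate-limit rules on the context lines sit in `filter input`, but packets DNATed by the new `nat prerouting` rules traverse the forward hook, not input, so forwarded web traffic to 192.168.0.55 is never counted against `@http_ratelimit`, and the forward chain in ipv4-filter.nft shows no matching rule or drop policy as far as visible. Move the limit into the forward chain, e.g. `$NFT add rule ip filter forward ct state new ip daddr 192.168.0.55 tcp dport { 80, 443 } update @http_ratelimit { ip saddr limit rate $1/second } accept` followed by `$NFT add rule ip filter forward ct state new ip daddr 192.168.0.55 tcp dport { 80, 443 } drop`. The added `ip saddr 192.168.0.0/24` match limits the DNAT to clients already on the 192.168.0.0/24 segment, which excludes the WAN clients a port forward normally serves; if hairpin NAT for the LAN was the intent, say so in a comment, otherwise the match inverts the module's purpose. The postrouting masquerade rewrites every forwarded client's source to the router's address, so the web server's logs lose the real client IP; it is only needed for the hairpin case and should be narrowed to LAN-originated traffic (`ip saddr 192.168.0.0/24 ip daddr 192.168.0.55 masquerade`). `$1` is interpolated into the nft command unvalidated; the script header that reads it is outside the hunk, but a check that it is a positive integer before any rule is added would turn a silent rule-load failure into a clear error.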