-
Notifications
You must be signed in to change notification settings - Fork 0
/
nftables.conf
238 lines (209 loc) · 19.3 KB
/
nftables.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
#!/usr/sbin/nft -f
flush ruleset
# Local directly connected interfaces
define SWITCH-MGMT-ZONE = ae0.99
define WLAN-MGMT-ZONE = br40
define P-WLAN-ZONE = ae0.41
define W-WLAN-ZONE = ae0.42
define IOT-ZONE = br43
define LAN-ZONE = ae0.10
define INTERNET-ZONE = ae0.400
define VM-ZONE = { ovsbr0, br2000, br-servers }
# REX CLIENT VPN
define REX-ZONE = rex-wg
# Other sites
define A44-ZONE = rex-a44-wg
define DIGI-ZONE = rex-digi-ptp
define APOPHIS-ZONE = { apophis-wg, apophis-vx }
define SOKAR-ZONE = { sokar-wg, vxlan24, br24 }
define HACKLAB-ZONE = { hack-wg, vxlan38 }
define CHAOS-ZONE = chaos-wg
define ELDER-ZONE = { elder-wg, elder-vx }
define REX-SOKAR-WG = rex-sokar-ptp
define REX-SOKAR-GRE = rex-sokar-gre
###### BASIC TABLES AND CHAINS ######
### FILTER ###
add table inet filter
#add chain inet filter INET_INGRESS { type filter hook ingress device $INTERNET-ZONE priority filter; }
add chain inet filter INPUT { type filter hook input priority filter; }
add chain inet filter PREROUTING { type filter hook prerouting priority filter; }
add chain inet filter FORWARD { type filter hook forward priority filter; }
add chain inet filter OUTPUT { type filter hook output priority filter; }
add table bridge filter
add chain bridge filter FORWARD { type filter hook forward priority filter; }
### NAT ###
add table inet nat
add chain inet nat PREROUTING { type nat hook prerouting priority dstnat; }
add chain inet nat POSTROUTING { type nat hook postrouting priority srcnat; }
### MANGLE ###
add table inet mangle
add chain inet mangle PREROUTING { type filter hook prerouting priority mangle; }
add chain inet mangle INPUT { type filter hook input priority mangle; }
add chain inet mangle FORWARD { type filter hook forward priority mangle; }
add chain inet mangle OUTPUT { type filter hook output priority mangle; }
add chain inet mangle POSTROUTING { type filter hook postrouting priority mangle; }
###### INTERNET OUT FILTER SETS ######
### Denied Internet-traffic, destination protocol + port ###
# Denied UDP ports
add set inet filter INTERNET-OUT-DENIED-SERVICES { type inet_proto . inet_service; flags constant, interval; auto-merge; }
add element inet filter INTERNET-OUT-DENIED-SERVICES { udp . 0 comment "IANA Reserved" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { udp . 25 comment "SMTP" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { udp . 135-139 comment "NetBIOS" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { udp . 161 comment "SNMP" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { udp . 445 comment "Microsoft-DS" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { udp . 539 comment "RPC" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { udp . 1433-1434 comment "Microsoft SQL" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { udp . 1900 comment "Simple Network Discovery Protocol" }
# Denied TCP ports
add element inet filter INTERNET-OUT-DENIED-SERVICES { tcp . 0 comment "IANA Reserved" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { tcp . 25 comment "SMTP" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { tcp . 135-139 comment "NetBIOS" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { tcp . 179 comment "Border Gateway Protocol" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { tcp . 445 comment "Microsoft-DS" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { tcp . 539 comment "RPC" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { tcp . 1433-1434 comment "Microsoft SQL" }
add element inet filter INTERNET-OUT-DENIED-SERVICES { tcp . 7547 comment "CPE WAN Management Protocol" }
### RFC 5735 Special Use IPv4 Addresses ###
add set inet filter RFC-5735-ADDRESSES { type ipv4_addr; flags interval; auto-merge; }
add element inet filter RFC-5735-ADDRESSES { 0.0.0.0/8 comment "This network, RFC 1122" }
add element inet filter RFC-5735-ADDRESSES { 10.0.0.0/8 comment "Private-Use Networks, RFC 1918" }
add element inet filter RFC-5735-ADDRESSES { 100.64.0.0/10 comment "Carrier-grade NAT" }
add element inet filter RFC-5735-ADDRESSES { 127.0.0.0/8 comment "Loopback, RFC 1122" }
add element inet filter RFC-5735-ADDRESSES { 169.254.0.0/16 comment "Private-Use Networks, RFC 1918" }
add element inet filter RFC-5735-ADDRESSES { 172.16.0.0/12 comment "Private-Use Networks, RFC 1918" }
add element inet filter RFC-5735-ADDRESSES { 192.0.0.0/24 comment "IETF Protocol Assignments, RFC 5736" }
add element inet filter RFC-5735-ADDRESSES { 192.0.2.0/24 comment "TEST-NET-1, RFC 5737" }
add element inet filter RFC-5735-ADDRESSES { 192.168.0.0/16 comment "Private-Use Networks, RFC 1918" }
add element inet filter RFC-5735-ADDRESSES { 198.18.0.0/15 comment "Network Interconnect Device Benchmark Testing, RFC 1918" }
add element inet filter RFC-5735-ADDRESSES { 198.51.100.0/24 comment "TEST-NET-2, RFC 5737" }
add element inet filter RFC-5735-ADDRESSES { 203.0.113.0/24 comment "TEST-NET-3, RFC 5737" }
add element inet filter RFC-5735-ADDRESSES { 224.0.0.0/4 comment "Multicast, RFC 3171" }
add element inet filter RFC-5735-ADDRESSES { 233.252.0.0/24 comment "MCAST-TEST-NET" }
add element inet filter RFC-5735-ADDRESSES { 240.0.0.0/4 comment "Reserved for Future Use, RFC 1112" }
add element inet filter RFC-5735-ADDRESSES { 192.88.99.0/24 comment "6to4 Relay Anycast, RFC 3068" }
### LOCAL NETWORKS ###
add set inet mangle LOCAL-NETWORKS { type ipv4_addr; flags interval; auto-merge; }
add element inet mangle LOCAL-NETWORKS { 10.23.10.0/24 comment "VLAN10" }
add element inet mangle LOCAL-NETWORKS { 10.23.40.0/24 comment "VLAN40" }
add element inet mangle LOCAL-NETWORKS { 10.23.41.0/24 comment "VLAN41" }
add element inet mangle LOCAL-NETWORKS { 10.23.42.0/24 comment "VLAN42" }
add element inet mangle LOCAL-NETWORKS { 10.23.43.0/24 comment "VLAN43" }
add element inet mangle LOCAL-NETWORKS { 10.23.99.0/24 comment "VLAN99" }
add element inet mangle LOCAL-NETWORKS { 10.23.100.0/24 comment "VLAN100" }
add element inet mangle LOCAL-NETWORKS { 10.0.100.0/24 comment "BR-Servers" }
###### SERVICE FILTER SETS ######
add set inet filter SERVICE-NFS { type inet_proto . inet_service; }
add element inet filter SERVICE-NFS { udp . 111 comment "Portmapper" }
add element inet filter SERVICE-NFS { udp . 112 comment "Rpcbind" }
add element inet filter SERVICE-NFS { udp . 2049 comment "NFS data" }
add element inet filter SERVICE-NFS { tcp . 111 comment "Portmapper" }
add element inet filter SERVICE-NFS { tcp . 112 comment "Rpcbind" }
add element inet filter SERVICE-NFS { tcp . 2049 comment "NFS data" }
add set inet filter NFS-CLIENTS { type ipv4_addr; }
add element inet filter NFS-CLIENTS { 10.23.200.3 comment "Jimmy Mediaserver" }
add element inet filter NFS-CLIENTS { 10.23.200.16 comment "Jimmy Mediaserver" }
#add element inet filter NFS-CLIENTS { 10.23.200.25 comment "Areena44 CAM" }
#add set inet filter SERVICE-MUMBLE { type inet_proto . inet_service; }
#add element inet filter SERVICE-MUMBLE { udp . 64738 comment "Mumble voice" }
#add element inet filter SERVICE-MUMBLE { tcp . 64738 comment "Mumble data" }
add set inet filter SERVICE-IPERF { type inet_proto . inet_service; }
add element inet filter SERVICE-IPERF { udp . 5201 comment "Iperf UDP" }
add element inet filter SERVICE-IPERF { tcp . 5201 comment "Iperf TCP" }
##### FLOWTABLE FASTPATH TEST #####
# Software fastpath for existing and tracked flows. Bypasses routing decision for subsequent packets within a tracked flow
# Do NOT use fastpath for any interfaces where dynamic routing is in effect eg. BGP / OSPF
#add flowtable inet filter fastpath { hook ingress priority filter; counter; devices = { "enp6s0f0", "enp6s0f1", "enp7s0f0", "enp7s0f1" }; }
###### FILTER RULES BEGIN HERE ######
### INGRESS CHAIN ###
# Layer 2 filtering on the Internet WIRE
#add rule inet filter INET_INGRESS iifname { $INTERNET-ZONE } meta pkttype { } udp sport 67 counter log accept comment "ISP DHCP service to Internet-facing interface"
#add rule inet filter INET_INGRESS meta pkttype { broadcast, multicast } counter log drop comment "Policy deny broadcast and multicast traffic from the Internet"
### PREROUTING CHAIN ###
#add rule ip filter PREROUTING iifname {enp6s0f0, br-internet} notrack
add rule inet filter PREROUTING ct state invalid counter drop comment "Drop invalid conntrack states"
add rule inet filter PREROUTING fib saddr . iif oif missing counter drop comment "Drop packets without reverse path"
### INPUT CHAIN ###
add rule inet filter INPUT ct state established, related counter accept comment "Allow established and related connections"
#add rule inet filter INPUT icmp type redirect counter log group 2 drop comment "Deny all ICMP redirects"
add rule inet filter INPUT meta l4proto icmp counter log group 1 accept comment "Allow ICMP"
add rule inet filter INPUT iif lo accept comment "Allow loopback"
add rule inet filter INPUT iifname { $INTERNET-ZONE } ip saddr @RFC-5735-ADDRESSES counter log group 2 drop comment "Drop reserved address space from Internet"
add rule inet filter INPUT iifname { $LAN-ZONE } tcp dport 9091 counter log group 1 accept comment "Local Transmission"
add rule inet filter INPUT iifname { $LAN-ZONE, $P-WLAN-ZONE, $W-WLAN-ZONE } tcp dport 22 counter log group 1 accept comment "Local SSH-server"
#add rule inet filter INPUT iifname { $INTERNET-ZONE } ip saddr 45.154.112.1 tcp dport 22 counter log group 1 accept comment "Areena44 -> Local SSH-server"
add rule inet filter INPUT iifname { $LAN-ZONE, $P-WLAN-ZONE, $W-WLAN-ZONE, $IOT-ZONE, $WLAN-MGMT-ZONE, $VM-ZONE, $REX-ZONE } udp dport 53 counter log group 1 accept comment "Local DN>
add rule inet filter INPUT iifname { $LAN-ZONE, $P-WLAN-ZONE, $IOT-ZONE, $WLAN-MGMT-ZONE, $SWITCH-MGMT-ZONE, $VM-ZONE, $REX-ZONE } udp dport 123 counter log group 1 accept comment "Lo>
add rule inet filter INPUT iifname { $SWITCH-MGMT-ZONE } udp dport 69 counter log group 1 accept comment "Local TFTP-server"
add rule inet filter INPUT iifname { $WLAN-MGMT-ZONE } udp dport { 1812, 1813 } counter log group 1 accept comment "Local RADIUS-server"
add rule inet filter INPUT iifname { $INTERNET-ZONE, $LAN-ZONE, $P-WLAN-ZONE } udp dport { 1223, 1224, 1225, 1226, 1227, 1238, 1239 } counter log group 1 accept comment "WireGuard gat>
add rule inet filter INPUT iifname { $VM-ZONE } udp dport 161 counter log group 1 accept comment "Local SNMP-server"
add rule inet filter INPUT iifname { $LAN-ZONE, $P-WLAN-ZONE, $REX-ZONE, $SOKAR-ZONE, $A44-ZONE, $APOPHIS-ZONE, $CHAOS-ZONE, $HACKLAB-ZONE, $ELDER-ZONE } tcp dport 445 counter log gro>
add rule inet filter INPUT iifname { $DIGI-ZONE, $SOKAR-ZONE, $A44-ZONE } tcp dport 179 counter log group 1 accept comment "Internal BGP-peering"
add rule inet filter INPUT iifname { $DIGI-ZONE, $SOKAR-ZONE, $A44-ZONE } udp dport { 3784, 3785 } counter log group 1 accept comment "Internal BFD"
add rule inet filter INPUT iifname { $REX-ZONE, $A44-ZONE } ip saddr @NFS-CLIENTS meta l4proto . th dport @SERVICE-NFS counter log group 1 accept comment "Local NFS-server"
add rule inet filter INPUT iifname { $LAN-ZONE, $REX-ZONE, $A44-ZONE, $SOKAR-ZONE, $HACKLAB-ZONE } meta l4proto . th dport @SERVICE-IPERF counter log group 1 accept comment "Local IPE>
add rule inet filter INPUT iifname { $SOKAR-ZONE, $APOPHIS-ZONE, $HACKLAB-ZONE, $ELDER-ZONE } udp dport 8472 counter log group 1 accept comment "REX-FW <-> Other sites VXLAN-tunnels"
add rule inet filter INPUT iifname { $SOKAR-ZONE, $APOPHIS-ZONE, $HACKLAB-ZONE, $ELDER-ZONE } ip protocol gre counter log group 1 accept comment "REX-FW <-> Other sites GRE-tunnels"
add rule inet filter INPUT iifname { $SOKAR-ZONE, $APOPHIS-ZONE, $HACKLAB-ZONE, $ELDER-ZONE } ip protocol ospf counter log group 1 accept comment "REX-FW <-> Other sites OSPF"
add rule inet filter INPUT iifname { $SOKAR-ZONE, $APOPHIS-ZONE, $HACKLAB-ZONE, $ELDER-ZONE } tcp dport 179 counter log group 1 accept comment "REX-FW <-> Other sites BGP"
add rule inet filter INPUT iifname { $SOKAR-ZONE, $APOPHIS-ZONE, $HACKLAB-ZONE, $ELDER-ZONE } udp dport { 3784, 3785 } counter log group 1 accept comment "REX-FW <-> Other sites BFD"
add rule inet filter INPUT iifname { $REX-ZONE } ip saddr 10.23.200.22 counter log group 1 accept comment "Lenovo mgmt"
add rule inet filter INPUT iifname { $REX-ZONE } ip saddr 10.23.200.10 counter log group 1 accept comment "S20FE mgmt"
#add rule inet filter INPUT iifname $INTERNET-ZONE tcp dport 80 counter accept
add rule inet filter INPUT counter log group 2 drop comment "POLICY DROP INPUT"
### OUTPUT FILTER ###
add rule inet filter OUTPUT ct state established, related counter accept comment "Allow established and related connections"
add rule inet filter OUTPUT oifname $INTERNET-ZONE ip daddr @RFC-5735-ADDRESSES counter log group 4 drop comment "Deny output to private address range"
add rule inet filter OUTPUT oifname $INTERNET-ZONE meta l4proto . th dport @INTERNET-OUT-DENIED-SERVICES counter log group 4 drop comment "Denied Internet-traffic"
add rule inet filter OUTPUT counter log group 3 accept comment "POLICY ACCEPT OUTPUT"
### FORWARD FILTER ###
#add rule inet filter FORWARD ip daddr 10.38.100.66 nftrace set 1
add rule inet filter FORWARD ct state established, related counter accept comment "Allow established and related connections"
add rule inet filter FORWARD oifname $INTERNET-ZONE ip daddr @RFC-5735-ADDRESSES counter log group 6 drop comment "Deny private space traffic to Internet"
add rule inet filter FORWARD iifname $INTERNET-ZONE ip saddr @RFC-5735-ADDRESSES counter log group 6 drop comment "Deny private space traffic from Internet"
add rule inet filter FORWARD oifname $INTERNET-ZONE meta l4proto . th dport @INTERNET-OUT-DENIED-SERVICES counter log group 6 drop comment "Denied Internet-traffic"
add rule inet filter FORWARD meta l4proto icmp counter log group 5 accept comment "Allow ICMP"
add rule inet filter FORWARD iifname $REX-ZONE oifname $INTERNET-ZONE ip saddr { 10.23.200.10, 10.23.200.22 } counter log group 5 accept comment "S20FE+Lenovo Internet over REX-WG"
add rule inet filter FORWARD iifname { $LAN-ZONE, $P-WLAN-ZONE } oifname { $SOKAR-ZONE, $APOPHIS-ZONE } counter log group 5 accept comment "REX-FW networks -> SOKAR-FW, APOPHIS-FW net>
add rule inet filter FORWARD iifname { $LAN-ZONE, $P-WLAN-ZONE, $W-WLAN-ZONE, $VM-ZONE } oifname $INTERNET-ZONE counter log group 5 accept comment "Local networks -> Internet"
#add rule inet filter FORWARD iifname $REX-ZONE oifname $REX-ZONE counter log group 5 accept comment "REX-ZONE <-> REX-ZONE"
#add rule inet filter FORWARD iifname $REX-ZONE oifname $LAN-ZONE ip daddr 10.23.10.10 tcp dport 3389 counter log group 5 accept comment "REX-ZONE -> PC RDP"
add rule inet filter FORWARD iifname { $LAN-ZONE, $P-WLAN-ZONE } oifname { $VM-ZONE, $REX-ZONE, $A44-ZONE } counter log group 5 accept comment "Allow VPN- and VM-services for LAN"
add rule inet filter FORWARD iifname { $LAN-ZONE, $VM-ZONE, $REX-ZONE } ip daddr 10.44.0.0/16 counter log group 5 accept comment "Areena44"
#add rule inet filter FORWARD iifname { $REX-ZONE, $A44-ZONE } oifname $VM-ZONE ip saddr 10.44.99.0/24 ip daddr 10.0.100.7 udp dport 162 counter log group 5 accept comment "Areena44 S>
add rule inet filter FORWARD iifname $WLAN-MGMT-ZONE oifname $VM-ZONE ip daddr 10.23.100.56 counter log group 5 accept comment "Local WLAN-MGMT -> UNIFI-Controller"
add rule inet filter FORWARD iifname $VM-ZONE oifname $WLAN-MGMT-ZONE ip saddr 10.23.100.56 counter log group 5 accept comment "UNIFI-Controller -> Local WLAN-MGMT"
add rule inet filter FORWARD iifname $IOT-ZONE ip saddr 10.23.43.3 oifname $INTERNET-ZONE counter log group 5 accept comment "IoT NET, HomeAssistant -> Internet"
#add rule inet filter FORWARD iifname $INTERNET-ZONE oifname $VM-ZONE tcp dport { 80, 443 } counter log group 5 accept comment "Internet -> WEB-server"
add rule inet filter FORWARD iifname { $P-WLAN-ZONE, $LAN-ZONE } oifname { $IOT-ZONE } counter log group 5 accept comment "LAN, P-WLAN -> IOT"
add rule inet filter FORWARD iifname $REX-ZONE oifname $IOT-ZONE ip saddr 10.23.200.10 counter log group 5 accept comment "S20FE over REX-WG -> IOT"
add rule inet filter FORWARD iifname { $INTERNET-ZONE } meta l4proto . th dport @SERVICE-IPERF oifname { $VM-ZONE } ip daddr 10.23.100.10 counter log group 5 accept comment "Local IPE>
add rule inet filter FORWARD iifname $REX-ZONE oifname $SOKAR-ZONE ip saddr 10.23.200.15 counter log group 5 accept comment "Nikke puhelin REX-WG -> Sokar-FW"
add rule inet filter FORWARD iifname $HACKLAB-ZONE oifname $A44-ZONE ip daddr 45.154.112.217 counter log group 5 accept comment "Hacklab-FW -> A44 HACKLAB-VM"
add rule inet filter FORWARD iifname $REX-ZONE oifname $VM-ZONE ip saddr { 10.23.200.10, 10.23.200.22 } counter log group 5 accept comment "Lenovo, S20FE -> Servers"
add rule inet filter FORWARD iifname { hacklab-wg } oifname { hacklab-wg } counter log group 5 accept comment "HACKLAB-WG <-> HACKLAB-WG"
add rule inet filter FORWARD iifname $REX-ZONE ip saddr { 10.23.200.17, 10.23.200.18 } oifname $HACKLAB-ZONE counter log group 5 accept comment "Henkka, Rasse <-> Hacklab"
add rule inet filter FORWARD iifname { $LAN-ZONE, $P-WLAN-ZONE } oifname $HACKLAB-ZONE counter log group 5 accept comment "Omat verkot -> Hacklab"
#add rule inet filter FORWARD ip saddr 10.23.100.0/24 ip daddr 1.1.1.1 counter log group 5 accept comment "TESTI"
add rule inet filter FORWARD iifname { $ELDER-ZONE, $HACKLAB-ZONE } oifname { $ELDER-ZONE, $HACKLAB-ZONE } counter accept comment "Elder-FW <-> Hacklab-FW TRANSIT"
add rule inet filter FORWARD iifname { $A44-ZONE } oifname { $HACKLAB-ZONE } counter accept comment "Elder honeypot hacklab"
add rule inet filter FORWARD counter log group 6 drop comment "POLICY DROP FORWARD"
### BRIDGE FILTER ###
add rule bridge filter FORWARD ibrname br-servers obrname br-servers counter drop comment "Drop direct VM-to-VM traffic"
###### NAT RULES BEGIN HERE ######
## Source NAT ##
add rule inet nat POSTROUTING oifname $INTERNET-ZONE counter masquerade random, persistent comment "Internet Source NAT"
add rule inet nat POSTROUTING oifname $REX-ZONE counter masquerade random, persistent comment "VPN Source NAT"
## Destination NAT ##
#add rule inet nat PREROUTING iifname $INTERNET-ZONE tcp dport { 80, 443 } counter dnat ip to 10.23.100.10 comment "Internet -> WEB Destination NAT"
#add rule inet nat PREROUTING iifname { $INTERNET-ZONE } tcp dport 5201 counter dnat ip to 10.23.100.10 comment "Internet -> Iperf TCP Destination NAT"
#add rule inet nat PREROUTING iifname { $INTERNET-ZONE } udp dport 5201 counter dnat ip to 10.23.100.10 comment "Internet -> Iperf UDP Destination NAT"
#add rule inet nat PREROUTING iifname { $INTERNET-ZONE } udp dport 1338 counter dnat ip to 10.23.100.11 comment "Internet -> Iperf UDP Destination NAT"
#add rule inet nat PREROUTING iifname { $INTERNET-ZONE } udp dport 1338 counter dnat ip to 10.23.100.10 comment "Internet -> Iperf UDP Destination NAT"
add rule inet nat PREROUTING iifname { $IOT-ZONE } udp dport { 53, 123 } counter dnat ip to 127.0.0.1 comment "IoT -> DNS+NTP Destination NAT"
###### MANGLE RULES BEGIN HERE ######
#add rule ip mangle PREROUTING iifname REX-ZONE tcp flags syn tcp option maxseg size set 1368 counter comment "MSSCLAMP REX-ZONE"
#add rule ip mangle POSTROUTING oifname $INTERNET-ZONE counter meta priority set 1:11 comment "Mark Internet Egress for TC"
add rule inet mangle POSTROUTING oifname $INTERNET-ZONE counter meta priority set 1:11 comment "Mark Internet Egress"
add rule inet mangle POSTROUTING ip saddr != @LOCAL-NETWORKS ip daddr @LOCAL-NETWORKS counter meta priority set 1:12 comment "Mark Internet Ingress"
#add rule inet mangle PREROUTING ip saddr 10.23.100.10 ip daddr 1.1.1.1 counter meta mark set 666