forward

View the current ruleset

nft list ruleset

Enable packet forwarding

echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

sysctl -p

Add the forward chain (in the table inet filter)

nft add chain inet filter forward {type filter hook forward priority 0\; policy drop\;}

Drop invalid, accept related,established

nft add rule inet filter forward ct state invalid counter drop

nft add rule inet filter forward ct state related,established counter accept

Allow traffic from vmbr1 to vmbr0

nft add rule inet filter forward iifname "vmbr1" oifname "vmbr0" counter accept


iifname – input interface name
oifname – output interface name

Allow forwarding of TCP port 22

nft add rule inet filter forward tcp dport 22 counter accept

Set the chain policy

nft chain inet filter forward {policy drop \;}

nft chain inet filter forward {policy accept \;}

Example (as shown by nft list ruleset)

        chain forward {
                type filter hook forward priority filter; policy drop;
                ct state invalid counter drop
                ct state established,related counter accept

                iifname "vmbr1" oifname "vmbr0" counter accept
                udp dport 1194 counter accept
                tcp dport 22 counter accept
                tcp dport { 25, 110, 465, 587, 993 } counter accept
        }
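Added example, not from the original note: the same forward chain written as one nft -f ruleset and generated by a POSIX sh script. Loading a file with nft -f is atomic, so the chain is never left half-built between individual "nft add rule" calls, and flushing the chain before re-adding rules makes the script safe to rerun. It assumes the bridges vmbr1 and vmbr0 from the note, creates the table inet filter if it is missing (the "nft add chain inet filter forward" command above requires the table to exist), and the function names forward_ruleset, ip_forward_enabled and apply_forward_ruleset are my own.

```shell
#!/bin/sh
# Added example, not part of the original note. Builds the forward chain from
# the note as one nft -f ruleset so it loads atomically and can be rerun.
# Assumed names: bridges vmbr1/vmbr0 (from the note); the functions are hypothetical.

# Print an nft ruleset for the forward chain.
# $1 inner bridge, $2 outer bridge, $3 TCP ports ("22, 25"), $4 UDP ports ("1194").
forward_ruleset() {
    inner=$1; outer=$2; tcp_ports=$3; udp_ports=$4
    cat <<EOF
add table inet filter
add chain inet filter forward { type filter hook forward priority 0; policy drop; }
flush chain inet filter forward
add rule inet filter forward ct state invalid counter drop
add rule inet filter forward ct state established,related counter accept
add rule inet filter forward iifname "$inner" oifname "$outer" counter accept
EOF
    if [ -n "$udp_ports" ]; then
        echo "add rule inet filter forward udp dport { $udp_ports } counter accept"
    fi
    if [ -n "$tcp_ports" ]; then
        echo "add rule inet filter forward tcp dport { $tcp_ports } counter accept"
    fi
}

# True when the kernel forwards IPv4 packets (the sysctl step in the note).
ip_forward_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Syntax-check the generated ruleset with nft -c, then load it. nft -f applies
# the whole file in one transaction: either every rule lands or none does.
apply_forward_ruleset() {
    tmp=$(mktemp) || return 1
    forward_ruleset "$@" >"$tmp"
    rc=1
    if nft -c -f "$tmp" && nft -f "$tmp"; then
        rc=0
    fi
    rm -f "$tmp"
    return "$rc"
}

# Usage: sh forward.sh show   (print the ruleset)
#        sh forward.sh apply  (load it; needs root and nftables)
case "${1:-show}" in
    show)  forward_ruleset vmbr1 vmbr0 "22, 25, 110, 465, 587, 993" "1194" ;;
    apply) ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0" >&2
           apply_forward_ruleset vmbr1 vmbr0 "22, 25, 110, 465, 587, 993" "1194" ;;
esac
```

Run "sh forward.sh show" to review the generated file, then "sh forward.sh apply" as root. The counter keyword on every rule is kept from the note so that "nft list ruleset" shows which rule matched a given flow.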