| 1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556 |
- flush ruleset
- table inet nat {
- chain prerouting {
- type nat hook prerouting priority -100; policy accept;
- iifname != "lo" udp dport 53 counter redirect to :9053
- iifname != "lo" tcp flags & (fin|syn|rst|ack) == syn counter redirect to :9040
- }
-
- chain input {
- type nat hook input priority 100; policy accept;
- }
-
- chain output {
- type nat hook output priority -100; policy accept;
- oifname "lo" counter return
- ip daddr 192.168.0.0/16 counter return
- meta skuid tor counter return
- udp dport 53 counter redirect to :9053
- tcp flags & (fin|syn|rst|ack) == syn counter redirect to :9040
- }
-
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- }
- }
- table inet filter {
- chain input {
- type filter hook input priority 0; policy drop;
- iifname "lo" counter accept
- ip protocol icmp counter accept
- ct state related,established counter accept
- ip protocol tcp counter reject with tcp reset
- ip protocol udp counter reject
- counter reject with icmp type prot-unreachable
- counter reject
- }
-
- chain forward {
- type filter hook forward priority 0; policy drop;
- }
-
- chain output {
- type filter hook output priority 0; policy drop;
- ip daddr 127.0.0.0/8 counter accept
- ip daddr 192.168.0.0/16 counter accept
- ip daddr 10.0.0.0/8 counter accept
- ip6 saddr ::255.0.0.0/0 counter accept
- ct state related,established counter accept
- meta skuid tor counter accept
- counter reject with icmp type host-unreachable
- counter reject
- }
- }
|
