[user@sys-vpn ~]$ sudo nft list ruleset
# Qubes OS IPv4 base policy for this NetVM (one downstream qube, one uplink).
# Interface groups are used throughout: iifgroup/oifgroup 2 is presumably the
# vif* (downstream) side and group 1 the upstream side, as suggested by the
# flow-offload rule in table inet qubes-nat-accel -- confirm with `ip -d link`.
table ip qubes {
	# IPv4 addresses assigned to downstream qubes; exactly one at the moment.
	set downstream {
		type ipv4_addr
		elements = { 10.137.0.10 }
	}
	# (interface, address) pairs a downstream qube may legitimately send from.
	set allowed {
		type ifname . ipv4_addr
		elements = { "vif12.0" . 10.137.0.10 }
	}
	# Raw-priority ingress check, evaluated before conntrack.
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		# Downstream packets are source-validated in antispoof (goto: no return).
		iifgroup 2 goto antispoof
		# Any other interface (uplink, lo) claiming a downstream address is spoofing.
		ip saddr @downstream counter packets 0 bytes 0 drop
	}
	# Only the exact vif/address pairs in @allowed pass; everything else drops.
	chain antispoof {
		iifname . ip saddr @allowed accept
		counter packets 0 bytes 0 drop
	}
	# SNAT: egress towards downstream or lo keeps its source address; all other
	# egress (i.e. towards the uplink) is masqueraded behind this VM's address.
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}
	# Host input: default drop; downstream qubes may only reach this VM with ICMP.
	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 2 bytes 80 drop
		# DHCP client port from downstream is dropped before the state match.
		iifgroup 2 udp dport 68 counter packets 0 bytes 0 drop
		ct state established,related accept
		iifgroup 2 meta l4proto icmp accept
		iif "lo" accept
		# Every other new connection from downstream is actively refused.
		iifgroup 2 counter packets 0 bytes 0 reject with icmp host-prohibited
		# Remaining traffic (uplink side) is counted and then falls to policy drop.
		counter packets 0 bytes 0
	}
	# Forward: custom-forward runs first, so its log/drop rules see every packet,
	# including packets of already established flows.
	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		# No new flows towards the downstream side (including between downstream qubes).
		oifgroup 2 counter packets 0 bytes 0 drop
	}
	# Hook for user-supplied input rules; empty here.
	chain custom-input {
	}
	chain custom-forward {
		# Unconditional log of every forwarded packet, with no prefix and no rate
		# limit: this can flood the kernel log. NOTE(review): looks like leftover
		# debugging -- confirm it is intended.
		log
		# MSS clamping to the route MTU for new TCP connections.
		tcp flags syn / syn,rst tcp option maxseg size set rt mtu
		# Leak guard: forwarded traffic may never leave via the physical uplink,
		# only via the tunnel interface (see table inet mullvad).
		oifname "eth0" counter packets 0 bytes 0 drop
	}
	# DNS interception at dstnat - 1, i.e. one step before chain dnat-dns, so it
	# wins: all DNS from downstream qubes is redirected to 10.64.0.1.
	# The counters show this rule is carrying the traffic.
	chain nat {
		type nat hook prerouting priority dstnat - 1; policy accept;
		iifname "vif*" tcp dport 53 counter packets 1079 bytes 60364 dnat to 10.64.0.1
		iifname "vif*" udp dport 53 counter packets 5116 bytes 363908 dnat to 10.64.0.1
	}
	# Identity DNAT for the two Qubes DNS addresses. Because chain nat above has
	# already rewritten the destination of vif DNS, these presumably never match.
	chain dnat-dns {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 10.139.1.1 udp dport 53 dnat to 10.139.1.1
		ip daddr 10.139.1.1 tcp dport 53 dnat to 10.139.1.1
		ip daddr 10.139.1.2 udp dport 53 dnat to 10.139.1.2
		ip daddr 10.139.1.2 tcp dport 53 dnat to 10.139.1.2
	}
	# Second unconditional log, at -450: earlier than raw (-300), so before
	# conntrack and before the antispoof check. Every packet entering this VM
	# on any interface is logged here, again without prefix or rate limit.
	chain log-chain {
		type filter hook prerouting priority -450; policy accept;
		log
	}
}
# IPv6 counterpart of table ip qubes. Both sets are empty, so no downstream
# qube is permitted to source IPv6 at all: antispoof drops it (see its counter).
table ip6 qubes {
	set downstream {
		type ipv6_addr
	}
	set allowed {
		type ifname . ipv6_addr
	}
	# With @allowed empty the accept never matches; the 25 dropped packets are
	# downstream IPv6 (presumably link-local/neighbour discovery -- unverified).
	chain antispoof {
		iifname . ip6 saddr @allowed accept
		counter packets 25 bytes 1612 drop
	}
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		# Downstream packets go to antispoof (goto: no return).
		iifgroup 2 goto antispoof
		# Other interfaces claiming a downstream address are dropped (set is empty today).
		ip6 saddr @downstream counter packets 0 bytes 0 drop
	}
	# SNAT: everything not leaving towards downstream or lo is masqueraded.
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifgroup 2 accept
		oif "lo" accept
		masquerade
	}
	# ICMPv6 policy for downstream interfaces: anything that is not ICMPv6 is
	# refused; router advertisements and redirects from downstream are dropped
	# (a downstream qube must not be able to push routes onto this VM); the
	# remaining ICMPv6 types pass.
	chain _icmpv6 {
		meta l4proto != ipv6-icmp counter packets 0 bytes 0 reject with icmpv6 admin-prohibited
		icmpv6 type { nd-router-advert, nd-redirect } counter packets 0 bytes 0 drop
		accept
	}
	# Host input: default drop.
	chain input {
		type filter hook input priority filter; policy drop;
		jump custom-input
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		# Downstream interfaces are handled entirely by _icmpv6 (goto: no return).
		iifgroup 2 goto _icmpv6
		iif "lo" accept
		# DHCPv6 client traffic on link-local addresses.
		ip6 saddr fe80::/64 ip6 daddr fe80::/64 udp dport 546 accept
		# ICMPv6 from the uplink side is accepted without type restriction.
		meta l4proto ipv6-icmp accept
		# Counted, then policy drop.
		counter packets 0 bytes 0
	}
	# Forward: custom-forward runs first and sees every packet.
	chain forward {
		type filter hook forward priority filter; policy accept;
		jump custom-forward
		ct state invalid counter packets 0 bytes 0 drop
		ct state established,related accept
		# No new flows towards the downstream side.
		oifgroup 2 counter packets 0 bytes 0 drop
	}
	# Hook for user-supplied input rules; empty here.
	chain custom-input {
	}
	# Leak guard, same as the IPv4 table: nothing forwarded leaves via eth0.
	chain custom-forward {
		oifname "eth0" counter packets 0 bytes 0 drop
	}
}
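# Per-qube firewall, IPv4. The quotes on the iifname match were typographic
# (“vif*”) in the pasted listing; nft prints and parses plain ASCII quotes, so
# they are normalized here.
table ip qubes-firewall {
	# Default drop: only established flows, non-vif ingress, and qubes that have
	# a per-qube chain get through. A qube without a chain falls to policy drop.
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		# Only traffic arriving on a vif* is subject to per-qube rules.
		iifname != "vif*" accept
		# Dispatch by downstream source address.
		ip saddr 10.137.0.10 jump qbs-10-137-0-10
	}
	# Anti-spoof in both directions: the qube's address may only appear as a
	# source arriving on a vif, and as a destination leaving towards a vif.
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname != "vif*" ip saddr 10.137.0.10 drop
	}
	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
		oifname != "vif*" ip daddr 10.137.0.10 drop
	}
	# Rules for qube 10.137.0.10: an unconditional accept comes first, so the
	# reject below is unreachable -- this qube's firewall policy is "allow all",
	# and its outbound traffic is constrained only by the other tables.
	chain qbs-10-137-0-10 {
		accept
		reject with icmp admin-prohibited
	}
}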
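# Per-qube firewall, IPv6. The quotes on the iifname match were typographic
# (“vif*”) in the pasted listing and are normalized to plain ASCII quotes.
# No per-qube chains exist for IPv6, so any IPv6 forwarded from a vif* that is
# not part of an established flow falls through to policy drop.
table ip6 qubes-firewall {
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		iifname != "vif*" accept
	}
	# Empty anti-spoof chains: no downstream IPv6 addresses are configured.
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
	}
	chain postrouting {
		type filter hook postrouting priority raw; policy accept;
	}
}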
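# Mullvad client rules (inet: IPv4 and IPv6 in one table). Two marks are used:
#   ct mark 0x00000f41   - flow excluded from the tunnel; set by the cgroup rule
#                          in chain mangle, enforced by chain nat
#   meta mark 0x6d6f6c65 - per-packet fwmark (ASCII "mole"); presumably consumed
#                          by a policy-routing rule outside this ruleset --
#                          confirm with `ip rule`.
# The typographic quotes around wg0-mullvad in the pasted prerouting rule are
# normalized to plain ASCII quotes as nft prints them.
table inet mullvad {
	chain prerouting {
		type filter hook prerouting priority -199; policy accept;
		# Packets of excluded (ct-marked) flows arriving off-tunnel get the fwmark.
		iif != "wg0-mullvad" ct mark 0x00000f41 meta mark set 0x6d6f6c65
		# Packets from the tunnel endpoint (presumably the WireGuard peer; the
		# same address/port is what chain output lets the tunnel talk to).
		ip saddr 103.216.220.18 udp sport 21341 meta mark set 0x6d6f6c65
	}
	# Locally generated traffic: default drop. Only loopback, excluded flows,
	# link configuration (DHCP, DHCPv6, neighbour discovery), the tunnel
	# endpoint itself, and traffic inside the tunnel may leave.
	chain output {
		type filter hook output priority filter; policy drop;
		oif "lo" accept
		ct mark 0x00000f41 accept
		udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
		ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff02::1:2 udp dport 547 accept
		ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff05::1:3 udp dport 547 accept
		ip6 daddr ff02::2 icmpv6 type nd-router-solicit icmpv6 code no-route accept
		ip6 daddr ff02::1:ff00:0/104 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
		ip6 daddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
		ip6 daddr fe80::/10 icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
		# The WireGuard transport itself, only when carrying the fwmark.
		ip daddr 103.216.220.18 udp dport 21341 meta mark 0x6d6f6c65 accept
		# DNS leak guard: DNS is allowed only to 100.64.0.23 inside the tunnel;
		# any other DNS is rejected before the generic tunnel accept below.
		oif "wg0-mullvad" udp dport 53 ip daddr 100.64.0.23 accept
		oif "wg0-mullvad" tcp dport 53 ip daddr 100.64.0.23 accept
		udp dport 53 reject
		tcp dport 53 reject with tcp reset
		oif "wg0-mullvad" accept
		reject
	}
	# Host input: default drop.
	chain input {
		type filter hook input priority filter; policy drop;
		iif "lo" accept
		ct mark 0x00000f41 accept
		udp sport 67 udp dport 68 accept
		ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 accept
		ip6 saddr fe80::/10 icmpv6 type nd-router-advert icmpv6 code no-route accept
		ip6 saddr fe80::/10 icmpv6 type nd-redirect icmpv6 code no-route accept
		ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
		icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
		# WireGuard transport replies from the endpoint.
		ip saddr 103.216.220.18 udp sport 21341 ct state established accept
		# NOTE(review): unconditional, not limited to established flows -- any
		# listener on this VM is reachable from inside the tunnel as far as this
		# table is concerned. Other input chains at the same priority (e.g. table
		# ip qubes, policy drop) must also accept, so net exposure depends on them.
		iif "wg0-mullvad" accept
	}
	# Forwarded traffic (i.e. from downstream qubes): default drop.
	chain forward {
		type filter hook forward priority filter; policy drop;
		ct mark 0x00000f41 accept
		udp sport 68 ip daddr 255.255.255.255 udp dport 67 accept
		udp sport 67 udp dport 68 accept
		ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff02::1:2 udp dport 547 accept
		ip6 saddr fe80::/10 udp sport 546 ip6 daddr ff05::1:3 udp dport 547 accept
		ip6 saddr fe80::/10 udp sport 547 ip6 daddr fe80::/10 udp dport 546 accept
		ip6 daddr ff02::2 icmpv6 type nd-router-solicit icmpv6 code no-route accept
		ip6 saddr fe80::/10 icmpv6 type nd-router-advert icmpv6 code no-route accept
		ip6 saddr fe80::/10 icmpv6 type nd-redirect icmpv6 code no-route accept
		ip6 daddr ff02::1:ff00:0/104 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
		ip6 daddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
		ip6 saddr fe80::/10 icmpv6 type nd-neighbor-solicit icmpv6 code no-route accept
		ip6 daddr fe80::/10 icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
		icmpv6 type nd-neighbor-advert icmpv6 code no-route accept
		# Forwarded DNS is only allowed to 100.64.0.23 over the tunnel.
		oif "wg0-mullvad" udp dport 53 ip daddr 100.64.0.23 accept
		oif "wg0-mullvad" tcp dport 53 ip daddr 100.64.0.23 accept
		# NOTE(review): table ip qubes chain nat rewrites downstream DNS to
		# 10.64.0.1, which does not match the two accepts above, so that DNS
		# appears to be rejected here. Add a counter to these two rules to confirm.
		udp dport 53 reject
		tcp dport 53 reject with tcp reset
		oif "wg0-mullvad" accept
		iif "wg0-mullvad" ct state established accept
		reject
	}
	# Route-type output chain: tags traffic of cgroup 5087041 for exclusion from
	# the tunnel. DNS to the tunnel resolver is accepted first and therefore
	# never receives the marks, even from that cgroup.
	chain mangle {
		type route hook output priority mangle; policy accept;
		oif "wg0-mullvad" udp dport 53 ip daddr 100.64.0.23 accept
		oif "wg0-mullvad" tcp dport 53 ip daddr 100.64.0.23 accept
		meta cgroup 5087041 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
	}
	# Excluded flows may never use the tunnel and are masqueraded on any other
	# non-loopback interface.
	chain nat {
		type nat hook postrouting priority srcnat; policy accept;
		oif "wg0-mullvad" ct mark 0x00000f41 drop
		oif != "lo" ct mark 0x00000f41 masquerade
	}
}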
# Flow-offload fast path for forwarded TCP/UDP between downstream and upstream.
table inet qubes-nat-accel {
	# Ingress devices eligible for offload. wg0-mullvad is not listed, so flows
	# whose reply direction enters via the tunnel are presumably only partly
	# accelerated -- confirm with `nft list flowtables`.
	flowtable qubes-accel {
		hook ingress priority filter
		devices = { eth0, lo, vif12.0 }
	}
	# Runs at filter + 5, i.e. after every filter-priority forward chain in the
	# other tables, so only flows those chains accepted reach this point. Once a
	# flow is offloaded, its subsequent packets take the flowtable fast path and
	# no longer traverse the forward-hook chains -- including the log rule in
	# ip qubes custom-forward and the per-packet policy in inet mullvad forward.
	chain qubes-accel {
		type filter hook forward priority filter + 5; policy accept;
		meta l4proto { tcp, udp } iifgroup 2 oifgroup 1 flow add @qubes-accel
		# flow add is non-terminal, so this counts every packet reaching the chain.
		counter packets 68 bytes 5712
	}
}
[user@sys-vpn ~]$