First look at nftables
#!/usr/sbin/nft -f
# `flush ruleset` removes EVERY existing table in all address families,
# including tables maintained by other software on the host (container
# runtimes, fail2ban, libvirt, ...). Loading this file therefore replaces
# the whole firewall, not just the tables defined below.
flush ruleset
# Source ranges allowed to reach the web ports. These are IPv4 prefixes
# only: `ip saddr $CF_IPS` can never match an IPv6 client, so IPv6 web
# traffic is not accepted anywhere in this ruleset. Keep the list in sync
# with the upstream published ranges — a missing entry means traffic from
# that range is silently dropped by the input chain.
define CF_IPS = {
    173.245.48.0/20,
    103.21.244.0/22,
    103.22.200.0/22,
    103.31.4.0/22,
    141.101.64.0/18,
    108.162.192.0/18,
    190.93.240.0/20,
    188.114.96.0/20,
    197.234.240.0/22,
    198.41.128.0/17,
    162.158.0.0/15,
    104.16.0.0/13,
    104.24.0.0/14,
    172.64.0.0/13,
    131.0.72.0/22
}

# Interface facing the Internet; only used by the masquerade rule in my_nat.
define EXT_IF = "ens2"
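# Host firewall. The inet family lets one table see both IPv4 and IPv6,
# but every `ip saddr` match below is IPv4-only: an IPv6 packet never
# matches `ip saddr`, so those rules silently exclude IPv6 peers.
table inet filter {
    chain input {
        # Explicit default-deny. The trailing `counter drop` rule already
        # drops everything unmatched, but stating the policy means the
        # chain stays closed even if that rule is deleted at runtime.
        type filter hook input priority 0; policy drop;

        iif lo accept

        # Ping handling is placed before the ct-state accept on purpose:
        # conntrack tracks echo-requests by ICMP id, so later requests of
        # one ping session can be classified as established and would
        # bypass the rate limit if the ct rule came first.
        # NOTE(review): depends on ICMP conntrack behaviour — confirm on
        # the kernel in use.
        icmp type echo-request limit rate over 1/second counter drop
        icmp type echo-request counter accept

        # ICMPv6 types needed for neighbour discovery, PMTU discovery and
        # MLD; dropping them breaks IPv6 connectivity. No rate limit here.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-solicit, nd-router-advert, mld-listener-query,
                      destination-unreachable, packet-too-big, time-exceeded,
                      parameter-problem } accept

        ct state { established, related } counter accept
        ct state invalid counter drop

        # Web ports only from the IPv4 ranges in $CF_IPS, so the origin is
        # not reachable directly on 80/443 over IPv4. Direct IPv6 requests
        # hit the policy and are dropped (no IPv6 ranges are listed).
        tcp dport { http, https } ip saddr $CF_IPS counter accept
        udp dport { http, https } ip saddr $CF_IPS counter accept

        # SSH is reachable from any address, IPv4 and IPv6, without a rate
        # limit.
        tcp dport ssh accept comment "Accept SSH on port 22"

        # `ip saddr 0.0.0.0/0` matches every IPv4 source, i.e. it adds no
        # restriction — but it does confine these two rules to IPv4, so the
        # same ports are not reachable over IPv6.
        tcp dport 8389 ip saddr 0.0.0.0/0 counter accept
        udp dport 51820 ip saddr 0.0.0.0/0 counter accept

        udp dport 60000-61000 accept comment "Accept mosh(mobile shell)"

        # Kept so that dropped packets are still counted in `nft list ruleset`.
        counter drop
    }

    # No rules and no explicit policy: the chain policy defaults to accept,
    # so with IP forwarding enabled every transit packet is forwarded. This
    # is what lets traffic masqueraded by table my_nat through; restrict it
    # (e.g. by inbound interface) if only a VPN subnet should be forwarded.
    chain forward {
        type filter hook forward priority 0;
    }

    # Outbound traffic from the host is unrestricted (implicit accept policy).
    chain output {
        type filter hook output priority 0;
    }
}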
# Source NAT for traffic leaving via the external interface. This is an
# `ip` (IPv4-only) table, so IPv6 is never masqueraded, and the rule has
# no source-address or inbound-interface restriction: anything the
# forward chain lets through to $EXT_IF is rewritten to the host's
# address.
table ip my_nat {
    chain my_masquerade {
        type nat hook postrouting priority srcnat;
        oifname $EXT_IF masquerade
    }
}