nftables sample: drop-by-default input filter, DNAT of ports 80/443 to unprivileged ports on several server IPs, and a source-hash (jhash) load balancer across a pool of backend ports
#!/usr/sbin/nft -f
# Host firewall for a server that fronts two web sites (DNATed to unprivileged
# ports) and a websocket pool (source-hashed across ports 7700-7706).
# NOTE: `flush ruleset` deletes every table in the kernel, including tables
# owned by other tools (container runtimes, fail2ban, ...). Load this file only
# on hosts where it is the sole owner of the ruleset.
flush ruleset
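table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		# Loopback and replies to flows this host already knows about.
		iif "lo" accept
		ct state established,related accept
		# Packets conntrack cannot classify (bad TCP flag combinations,
		# out-of-window segments): discard them explicitly rather than letting
		# them fall through to the per-port accepts below.
		ct state invalid drop

		# SSH is reachable from any source address. If brute-force noise is a
		# concern, add a per-source `limit rate` in front of this rule.
		tcp dport { 22, 44 } ct state new accept comment "ssh on default and inhouse ports"

		# Websocket pool. The nat table's "fanout" chain rewrites 80/443 to
		# 7700-7706 before this hook runs, so 7700-7706 are the ports that
		# actually match here; 80/443 are kept so the service still answers if
		# the nat table is missing.
		ip daddr 211.98.15.42 tcp dport { 80, 443, 7700-7706 } accept comment "ws1.nsocket.com"
		# Sites. 80/443 are DNATed to 170xx/174xx in the nat table, so these two
		# rules only match when no DNAT happened; DNATed flows are accepted by
		# the `ct status dnat` rule at the end of the chain.
		ip daddr 211.98.15.49 tcp dport { 80, 443 } accept comment "site1"
		ip daddr 211.98.24.24 tcp dport { 80, 443 } accept comment "site2"

		# IPv6 neighbour discovery. `meta l4proto` walks extension headers,
		# whereas `ip6 nexthdr` only reads the fixed header's next-header field
		# and so misses ICMPv6 carried behind any extension header.
		meta l4proto ipv6-icmp icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept comment "IPv6 connectivity"

		# PostgreSQL only from the backup host and only to this one address.
		ip saddr 102.104.95.87 ip daddr 111.88.77.66 tcp dport 5432 accept comment "postgresql from barman@example.com"

		# Anything the nat prerouting/fanout chains redirected is accepted
		# regardless of the translated port. Adding a DNAT rule in the nat table
		# therefore opens its target port here implicitly — keep the nat table
		# as tight as this chain.
		ct status dnat accept comment "allow prerouted packets"
	}
	chain forward {
		# Nothing in this file shows the host routing for other machines. If
		# ip_forward is off this policy is moot; if it is on, consider
		# `policy drop` so the box does not become an open router.
		type filter hook forward priority filter; policy accept;
	}
	chain output {
		# Locally generated traffic is unrestricted.
		type filter hook output priority filter; policy accept;
	}
}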
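table inet nat {
	# Public 80/443 on the two site addresses are redirected to unprivileged
	# ports so the web servers can run without root.
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		ip daddr 211.98.15.49 tcp dport 443 dnat to 211.98.15.49:17444 comment "redirect https to site1 user port"
		ip daddr 211.98.15.49 tcp dport 80 dnat to 211.98.15.49:17081 comment "redirect http to site1 user port"
		ip daddr 211.98.24.24 tcp dport 443 dnat to 211.98.24.24:17443 comment "redirect https to site2 user port"
		ip daddr 211.98.24.24 tcp dport 80 dnat to 211.98.24.24:17080 comment "redirect http to site2 user port"
	}
	# Same redirection for connections that originate on this host (the
	# prerouting hook never sees locally generated traffic). The websocket
	# address 211.98.15.42 is not covered here, so local clients of its 80/443
	# are not fanned out — presumably intentional; confirm.
	chain output {
		# NOTE(review): this chain runs at priority 0, the same level as the
		# filter table's output chain on this hook, so their relative order is
		# unspecified. Harmless today because filter output accepts everything;
		# nftables' own name for destination-NAT priority is -100 (`dstnat`,
		# prerouting only), so `priority -100` would be the conventional choice.
		type nat hook output priority filter; policy accept;
		ip daddr 211.98.15.49 tcp dport 443 dnat to 211.98.15.49:17444 comment "redirect https to site1 user port"
		ip daddr 211.98.15.49 tcp dport 80 dnat to 211.98.15.49:17081 comment "redirect http to site1 user port"
		ip daddr 211.98.24.24 tcp dport 443 dnat to 211.98.24.24:17443 comment "redirect https to site2 user port"
		ip daddr 211.98.24.24 tcp dport 80 dnat to 211.98.24.24:17080 comment "redirect http to site2 user port"
	}
	# Source-hashed distribution of the websocket service across backend ports.
	# This is a second base chain on the prerouting hook at the same priority
	# as `prerouting` above; evaluation order between equal-priority chains is
	# unspecified, which only works because the two chains match disjoint
	# destination addresses. Keep it that way, or merge the rules into one chain.
	chain fanout {
		type nat hook prerouting priority dstnat; policy accept;
		# A given client address always lands on the same backend for the
		# lifetime of this rule. No `seed` is given to jhash; if the client →
		# backend mapping must also survive ruleset reloads, add a fixed seed
		# (verify against the nft_hash behaviour of your kernel).
		ip daddr 211.98.15.42 tcp dport 443 dnat ip to 211.98.15.42:jhash ip saddr mod 6 map { 0 : 7700, 1 : 7701, 2 : 7702, 3 : 7703, 4 : 7704, 5 : 7705 } comment "ws https"
		# Only one HTTP backend: a plain port rewrite replaces the original
		# `jhash ip saddr mod 1 map { 0 : 7706 }`, which could only ever yield 7706.
		ip daddr 211.98.15.42 tcp dport 80 dnat ip to 211.98.15.42:7706 comment "ws http"
	}
}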