Firewall & NAT control plane
Manage nftables DNAT port forwards, masquerade rules, input and forward chain policies, and WireGuard ACL filters from a single control surface.
Active
DNAT Rules: 7 (Port forwards)
Masquerade: 5 (SNAT rules)
Input Accept: 24 (Allowed)
Input Drop: 18 (Blocked)
Fwd Accept: 14 (Allowed)
Fwd Drop: 12 (Blocked)
WG ACL Rules: 7 (WireGuard)
Port Forwards (DNAT) dnat rules
TCP 443 192.168.10.20 wan0 dst public-ip-placeholder 78.6 MB
TCP 80 192.168.10.20 wan0 dst public-ip-placeholder 12.2 MB
TCP 2222 192.168.10.2:22 wan0 dst public-ip-placeholder 925.9 KB
TCP 19090 192.168.10.110 wg0 dst public-ip-placeholder 411.3 KB
TCP 51820 192.168.10.1 wan0 dst public-ip-placeholder 17.6 MB
UDP 53 192.168.10.1 lan0 dst 192.168.10.1 4.3 MB
TCP 8443 192.168.10.30 wan0 dst public-ip-placeholder 2.1 MB
Masquerade (SNAT) postrouting
MASQ 192.168.10.0/24 → wan0 614.3 MB
MASQ 10.8.0.0/24 → wan0 17.6 MB
MASQ 192.168.30.0/24 → wan0 2.7 MB
MASQ 192.168.10.0/24 → wg0 1.2 MB
MASQ 10.8.0.0/24 → lan0 1.8 MB
Current Port Forwards dnat
TCP 443 192.168.10.20 wan0 dst public-ip-placeholder 78.6 MB (49110 pkts)
TCP 80 192.168.10.20 wan0 dst public-ip-placeholder 12.2 MB (8920 pkts)
TCP 2222 192.168.10.2:22 wan0 dst public-ip-placeholder 925.9 KB (2844 pkts)
TCP 19090 192.168.10.110 wg0 dst public-ip-placeholder 411.3 KB (392 pkts)
TCP 51820 192.168.10.1 wan0 dst public-ip-placeholder 17.6 MB (12842 pkts)
UDP 53 192.168.10.1 lan0 dst 192.168.10.1 4.3 MB (38211 pkts)
TCP 8443 192.168.10.30 wan0 dst public-ip-placeholder 2.1 MB (1911 pkts)
Masquerade Rules (POSTROUTING) snat
MASQ 192.168.10.0/24 → wan0 614.3 MB (844110 pkts)
MASQ 10.8.0.0/24 → wan0 17.6 MB (42110 pkts)
MASQ 192.168.30.0/24 → wan0 2.7 MB (18210 pkts)
MASQ 192.168.10.0/24 → wg0 1.2 MB (9120 pkts)
MASQ 10.8.0.0/24 → lan0 1.8 MB (4211 pkts)
All NAT Rules (Raw) full table
prerouting
DNAT tcp dport 443 dnat to 192.168.10.20:443 h=44 78.6 MB
DNAT tcp dport 80 dnat to 192.168.10.20:80 h=45 12.2 MB
DNAT tcp dport 2222 dnat to 192.168.10.2:22 h=46 925.9 KB
DNAT tcp dport 19090 dnat to 192.168.10.110:19090 h=52 411.3 KB
DNAT tcp dport 51820 dnat to 192.168.10.1:51820 h=53 17.6 MB
DNAT udp dport 53 dnat to 192.168.10.1:53 h=54 4.3 MB
DNAT tcp dport 8443 dnat to 192.168.10.30:8443 h=55 2.1 MB
postrouting
MASQUERADE ip saddr 192.168.10.0/24 oifname wan0 masquerade h=90 614.3 MB
MASQUERADE ip saddr 10.8.0.0/24 oifname wan0 masquerade h=91 17.6 MB
MASQUERADE ip saddr 192.168.30.0/24 oifname wan0 masquerade h=92 2.7 MB
MASQUERADE ip saddr 10.8.0.0/24 ip daddr 192.168.10.0/24 masquerade h=93 1.2 MB
MASQUERADE ip saddr 192.168.10.0/24 oifname lan0 masquerade h=94 1.8 MB
Input Chain Rules filter
POLICY: DROP Default policy 0 B
ACCEPT ct state established,related accept 465.8 MB
ACCEPT iifname lo accept 27.7 KB
ACCEPT iifname lan0 tcp dport { 22, 80, 443 } accept 863.4 KB
ACCEPT iifname lan0 udp dport 53 accept 4.3 MB
ACCEPT iifname wg0 tcp dport { 22, 443 } accept 180.1 KB
ACCEPT iifname wg0 udp dport 53 accept 125.9 KB
ACCEPT icmp type echo-request limit rate 10/second accept 40.8 KB
ACCEPT iifname lan0 tcp dport 8443 accept 214.8 KB
DROP ip saddr @blacklist_ipv4 drop 184.0 KB
DROP iifname wan0 tcp dport { 22, 2222 } ct state new limit rate 10/minute burst 20 packets drop 47.0 KB
DROP iifname wan0 tcp flags fin,syn,rst,ack syn ct state new limit rate 100/second drop 17.9 KB
DROP iifname wan0 udp dport 53 ct state new limit rate 50/second drop 12.1 KB
DROP iifname guest0 oifname lan0 drop 2.9 KB
DROP ip saddr 10.0.0.0/8 iifname wan0 drop 8.6 KB
Forward Chain Rules filter
ACCEPT ct state established,related accept 84.3 MB
ACCEPT iifname lan0 oifname wan0 accept 61.4 MB
ACCEPT iifname wg0 oifname wan0 accept 17.6 MB
ACCEPT iifname wg0 ip daddr 192.168.10.0/24 accept 1.2 MB
ACCEPT iifname lan0 oifname wg0 ip daddr 10.8.0.0/24 accept 822.2 KB
DROP iifname guest0 oifname lan0 drop 2.9 KB
DROP iifname wan0 oifname lan0 ct state new drop 12.5 KB
DROP ip saddr @blacklist_ipv4 drop 184.0 KB
DROP iifname guest0 oifname wan0 tcp dport { 22, 3389 } drop 4.7 KB
ACCEPT iifname lan0 oifname guest0 udp dport 53 accept 47.0 KB
DROP iifname guest0 tcp dport { 25, 587 } drop 1.8 KB
WireGuard ACL Rules wg filter
ACCEPT iifname wg0 ip daddr 192.168.10.0/24 accept 1.2 MB
ACCEPT iifname wg0 oifname wan0 accept 17.6 MB
DROP iifname wg0 ip daddr 192.168.30.0/24 drop 840 B
ACCEPT iifname wg0 tcp dport { 22, 443 } accept 180.1 KB
ACCEPT iifname wg0 udp dport 53 accept 125.9 KB
DROP iifname wg0 ip daddr 10.0.0.0/8 drop 0 B
ACCEPT iifname wg0 ip daddr 192.168.10.110 tcp dport 19090 accept 411.3 KB