|
@@ -0,0 +1,19 @@
|
|
|
+#!/bin/bash
|
|
|
+## systemctl enable nftables
|
|
|
+## nft -a list ruleset
|
|
|
+
|
|
|
+RemoteAddr="${1:-}"
|
|
|
+LocalPort="${2:-443}"
|
|
|
+
|
|
|
+[ "$(cat /proc/sys/net/ipv4/ip_forward)" != "1" ] && echo "1" >/proc/sys/net/ipv4/ip_forward
|
|
|
+
|
|
|
+nft list table ip nat >/dev/null 2>&1 || nft add table ip nat
|
|
|
+nft list chain ip nat prerouting >/dev/null 2>&1 || nft add chain ip nat prerouting { type nat hook prerouting priority dstnat \; policy accept \; }
|
|
|
+nft list chain ip nat postrouting >/dev/null 2>&1 || nft add chain ip nat postrouting { type nat hook postrouting priority srcnat \; policy accept \; }
|
|
|
+
|
|
|
+
|
|
|
+nft insert rule ip nat prerouting tcp dport "${LocalPort}" dnat to "${RemoteAddr}"
|
|
|
+nft insert rule ip nat postrouting ip daddr "${RemoteAddr%:*}" tcp dport "${RemoteAddr#*:}" masquerade
|
|
|
+nft insert rule inet filter forward ip daddr "${RemoteAddr%:*}" tcp dport "${RemoteAddr#*:}" ip dscp set 46
|
|
|
+nft insert rule inet filter forward ip saddr "${RemoteAddr%:*}" tcp sport "${RemoteAddr#*:}" ip dscp set 46
|
|
|
+
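Review bot: `RemoteAddr` is taken from `${1:-}` and never validated before it is spliced into the nft rules — with no argument the script has already flipped `/proc/sys/net/ipv4/ip_forward` system-wide before `dnat to ""` fails, and an argument without a `:port` makes `${RemoteAddr%:*}` and `${RemoteAddr#*:}` both expand to the whole string, so the postrouting and forward rules become `tcp dport <host>` and are rejected. Check the shape before touching any state, e.g. right after the `LocalPort=` line: `case "${RemoteAddr}" in *:*) ;; *) printf 'usage: %s host:port [local_port]\n' "$0" >&2; exit 2 ;; esac`, and add `set -eu` so a failing `nft` command does not leave a half-applied ruleset. Two further caveats: `nft insert rule` has no existence check like the table/chain lines do, so every re-run prepends a duplicate set of rules; and the two `inet filter forward` rules only set DSCP — if that chain's policy is drop the forwarded traffic is never accepted, and if the chain does not exist those commands fail silently. The `masquerade` rule also rewrites every forwarded client to this host's address, so the backend's logs lose the original source IP; if attribution matters, `dnat` alone with return routing through this host preserves it.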
|