#!/usr/sbin/nft -f # Flush old rules from the nat and firewall tables table inet nat delete table inet nat table inet firewall delete table inet firewall # Users whose traffic shouldn't automatically get redirected. define NO_REDIRECT = { mitmproxy } # Firewall rules. You should define your custom rules here! table inet firewall { # Add two named counters to keep track of the number of dropped input and # output packets. # # Reference: https://wiki.nftables.org/wiki-nftables/index.php/Counters counter input_drop_counter { comment "Number of dropped inbound packets: " } counter output_drop_counter { comment "Number of dropped outbound packets: " } chain input { type filter hook input priority filter; policy drop; # The following rule _must_ appear at the top of this chain! Do not drop # traffic to either of these ports (22 and 3389) unless you'd like to # get locked out of VCR tcp dport {22, 3389} counter accept # TODO: your rules here! # Count inbound packets before they're dropped counter name input_drop_counter } chain output { type filter hook output priority filter; policy drop; # Same story as the input chain -- don't delete this rule if you don't # want to get locked out of VCR. tcp sport {22, 3389} counter accept # TODO: your rules here! # Count outbound packets before they're dropped counter name output_drop_counter } } ### ### NAT (Network Address Translation) table ### # The rules in this table automatically redirect traffic going to HTTP(S) # servers (on port 80 and 443) to the mitmproxy server. table inet nat { chain prerouting { type nat hook output priority -100; policy accept; # Don't redirect traffic from users in the NO_REDIRECT list # # Reference: https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation#Matching_by_socket_UID_.2F_GID skuid != $NO_REDIRECT tcp dport {80, 443} goto proxy } chain proxy { counter comment "Number of packets rerouted to the proxy: " limit rate 15/minute log prefix "PROXY_LOG: " flags all # Redirect packets that reach this rule to port 8080, where the proxy # server is being hosted # # Reference: https://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_(NAT)#Redirect ip protocol tcp counter redirect to :8080 } }