authorXiao Pan <xyz@flylightning.xyz>2025-07-13 08:14:14 +0000
committerXiao Pan <xyz@flylightning.xyz>2025-07-13 08:14:14 +0000
commitce3fc7a8e4d316200b102c3b201ec9f133f370d1 (patch)
tree9dc6a113e7f9a6a4e6a58f1ba365d6d8c9528591
parent6fd61f2df93205d3960b7bdae86c0ccdc414c78c (diff)
nft define a set variable for two ip to use, allow port forward monerod-p2p
-rw-r--r--etc/nftables.conf21
1 files changed, 16 insertions, 5 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 5845c4c9..2a70c006 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -8,8 +8,10 @@
# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset
-define pub_iface = "ens18"
-define pub_iface6 = "ipv6net"
+# xyzba uses 6in4 sit tunnel for ipv6. To use ipv6 when wg to xyzba, that network interface name ipv6net ($pub_iface6) also needs to be masqueraded and other things
+# https://wiki.archlinux.org/title/IPv6_tunnel_broker_setup
+# so I use a nftables set for this, see https://wiki.nftables.org/wiki-nftables/index.php/Sets
+define pub_iface = { "ens18", "ipv6net" }
define wg_iface = "wg0"
table inet my_table {
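Review bot: Turning `pub_iface` into a set that also contains the 6in4 tunnel interface widens the match of every existing rule that uses `$pub_iface` alone, not just the masquerade rule this commit had in mind; any `iifname $pub_iface` / `oifname $pub_iface` rule in the input or forward chains of `table inet my_table` (outside this hunk) now also applies to `ipv6net`. That is probably what you want for a public-facing tunnel, but it deserves an explicit check and a sentence in the comment, e.g. `# NOTE: every rule matching $pub_iface now also matches the ipv6net tunnel, including filter rules below`. The phrase "also needs to be masqueraded and other things" on line 23 leaves the reader guessing; naming the "other things" (the DNAT rules added in nat prerouting) would make the define self-explanatory.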
@@ -57,17 +59,26 @@ table inet my_table {
# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
table inet nat {
# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }` if has `chain postrouting`
+ # also vice versa, no need `chain postrouting` if has `chain prerouting`
+ # more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ chain prerouting {
+ type nat hook prerouting priority -100
+ policy accept
+ # port forwarding from client
+ # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet
+ iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p
+ iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p
+ }
# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
chain postrouting {
type nat hook postrouting priority 100
policy accept
# Needed for VPN. Needed for port forwarding from cilent with VPN through server
# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#default-route
- # xyzba uses 6in4 sit tunnel for ipv6. To use ipv6 when wg to xyzba, that network interface name ipv6net ($pub_iface6) also needs to be masqueraded
- # https://wiki.archlinux.org/title/IPv6_tunnel_broker_setup
- oifname { $pub_iface, $pub_iface6 } masquerade
+ oifname $pub_iface masquerade
# needed for port forwarding from client without VPN through server
# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#masquerading
+ # TODO: note this will cause when insp can't access ib qbt and jackett, need improve
#oifname $wg_iface masquerade
}
}
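Review bot: The DNAT rules at lines 40–41 rewrite the destination but do not by themselves allow the forwarded connection; it still has to pass a filter-type forward chain, and `table inet my_table` is not touched by this commit (its forward chain, if one exists, is outside this hunk), so confirm that it accepts only the DNAT'd flow towards the wg peer, e.g. `iifname $pub_iface oifname $wg_iface ct status dnat tcp dport monerod-p2p accept`, rather than forwarding from the public interface in general. `monerod-p2p` is not an IANA service name, so both rules rely on an entry in /etc/services; if that entry is missing, `nft -f` rejects the whole file (the load is atomic), which at boot means nftables.service fails and no ruleset is installed — worth a comment such as `# monerod-p2p must exist in /etc/services (or use the numeric port)`. As a point of style, the hook priorities could use the symbolic names `priority dstnat` and `priority srcnat` instead of -100 and 100, which documents the intent without the reader having to remember the numbers.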