diff options
| author | Xiao Pan <xyz@flylightning.xyz> | 2025-08-02 15:01:51 +0000 |
|---|---|---|
| committer | Xiao Pan <xyz@flylightning.xyz> | 2025-08-02 15:01:51 +0000 |
| commit | bab3e5433fea53592ab1a78a31fd7efb9d522e69 (patch) | |
| tree | 6ea8442b25fa7abf8d39e676987abdfc8a5ea1d8 | |
| parent | 887646608dee5061c97fb62f794fd3f1ca6bcbf4 (diff) | |
nft only allow wg pp and insp for all port, so only them can use DNS, also maybe more secure
| -rw-r--r-- | etc/nftables.conf | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf index ecac4baa..41f490e9 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf @@ -22,7 +22,8 @@ table inet my_table { ct state invalid drop comment "early drop of invalid connections" ct state {established, related} accept comment "allow tracked connections" iifname lo accept comment "allow from loopback" - iifname $wg_iface accept comment "allow from wireguard" + iifname $wg_iface ip saddr { 10.0.0.1, 10.0.0.7 } accept comment "allow from wireguard insp and pp ip" + iifname $wg_iface ip6 saddr { fdc9:281f:04d7:9ee9::1, fdc9:281f:04d7:9ee9::7} accept comment "allow from wireguard insp and pp ip" ip protocol icmp accept meta l4proto ipv6-icmp accept |