| author | Xiao Pan <gky44px1999@gmail.com> | 2023-06-29 19:06:22 -0700 | 
|---|---|---|
| committer | Xiao Pan <gky44px1999@gmail.com> | 2023-06-29 19:06:22 -0700 | 
| commit | 79a16e4584a2e9956d33be9a02304fc21fab20dc (patch) | |
| tree | 6f14362f652e1a887695f74262d11f9d2a7a566d /etc/nftables.conf | |
| parent | 638ed319341a88da44fc23a2301d809c8cbd2091 (diff) | |
wireguard nft firewall configs
Diffstat (limited to 'etc/nftables.conf')
| -rw-r--r-- | etc/nftables.conf | 26 | 
1 files changed, 24 insertions, 2 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index f5efb4f5..f00077fe 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -6,8 +6,10 @@
 # some codes from https://wiki.archlinux.org/title/Nftables
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
-table inet my_table
-delete table inet my_table
+flush ruleset
+
+define pub_iface = "eth0"
+define wg_iface = "wg0"
 table inet my_table {
@@ -40,6 +42,12 @@ table inet my_table {
 		type filter hook forward priority filter
 		policy drop
 		# Drop everything forwarded to us. We do not forward. That is routers job.
+
+		# needed for wireguard?
+		#iifname $wg_iface oifname $pub_iface accept
+		#iifname $pub_iface oifname $wg_iface accept
+		iifname $wg_iface accept
+		oifname $wg_iface accept
 	}
 	chain my_output {
@@ -48,3 +56,17 @@ table inet my_table {
 		# Accept every outbound connection
 	}
 }
+
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+# needed by wireguard?
+table ip nat {
+	chain prerouting {
+		type nat hook prerouting priority 0; policy accept;
+	}
+
+	# for all packets to WAN, after routing, replace source address with primary IP of WAN interface
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		oifname $pub_iface masquerade
+	}
+}
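Review bot: `flush ruleset` on the new side of the first hunk discards every table in the kernel, not just the ones this file defines, so each reload also removes rules installed by other tooling that manages its own nft tables (wg-quick, container runtimes and intrusion-prevention daemons commonly do), whereas the removed declare-then-delete idiom only reset `my_table`. A per-table reset keeps the reload scoped: `table inet my_table` / `delete table inet my_table`, and likewise `table ip nat` / `delete table ip nat` for the NAT table added in the last hunk. If this file is meant to be the sole owner of the host's ruleset, a comment saying so next to `flush ruleset` would make that decision explicit for whoever later adds another firewall component.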
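Review bot: `oifname $wg_iface accept` in the forward chain accepts any forwarded packet whose route leads into the tunnel regardless of where it came from, so a host on `$pub_iface` can open new connections to peer addresses behind `wg0` unless a `ct state` rule earlier in the chain (above line 40, outside this hunk) already filters that, and `iifname $wg_iface accept` likewise lets peers forward to every interface rather than only `$pub_iface`. The commented-out pair above is the tighter shape; enabling it with connection tracking on the inbound direction — `iifname $wg_iface oifname $pub_iface accept` and `iifname $pub_iface oifname $wg_iface ct state established,related accept` — gives peers outbound access without exposing them to unsolicited traffic. The context line `# Drop everything forwarded to us. We do not forward. That is routers job.` is no longer true and should be rewritten, e.g. `# Only forward traffic between the WireGuard tunnel and the public interface.`, and `# needed for wireguard?` should state the decision rather than ask it.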
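Review bot: `oifname $pub_iface masquerade` in the new postrouting chain rewrites the source of every forwarded packet leaving `$pub_iface`, not only traffic that arrived over the tunnel, so any other forwarded path the filter chain lets through is NATed as well; `iifname $wg_iface oifname $pub_iface masquerade` ties the NAT to the one flow this commit is about. The table is `ip`-family only, so if peers are ever given IPv6 addresses their forwarded traffic would leave `$pub_iface` unmasqueraded while the `inet` forward chain in the previous hunk still accepts it — worth recording with `# IPv4 only: add an ip6 nat table if peers get IPv6 addresses`. The empty `prerouting` chain does nothing here and can be dropped, and the `priority 0; policy accept;` one-liners differ from the multi-line `type …` / `policy …` layout used in `my_table` above; `# needed by wireguard?` should likewise record the answer rather than the question.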
