author | Xiao Pan <gky44px1999@gmail.com> | 2023-11-17 17:45:00 -0800 |
committer | Xiao Pan <gky44px1999@gmail.com> | 2023-11-17 17:45:00 -0800 |
commit | 293c80d0967e9c688e1ed52f40b6c7ea285e4506 (patch) | |
tree | 36e35d866de8b1af98b9750c268106975077dfc8 /etc/nftables.conf | |
parent | ea92bc34c5e7a6835f2c09f9cad2595f4aeed4ad (diff) |
prepare for wg
Diffstat (limited to 'etc/nftables.conf')
-rw-r--r-- | etc/nftables.conf | 31 |
1 files changed, 30 insertions, 1 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 999b91ac..e2520d7e 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -3,11 +3,15 @@
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-# some codes from https://wiki.archlinux.org/title/Nftables
+# some codes from:
+# https://wiki.archlinux.org/title/Nftables
+# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
+define pub_iface = "enp2s0"
+define wg_iface = "wg_studio"
 table inet my_table {
 chain my_input {
@@ -17,12 +21,17 @@ table inet my_table {
 ct state invalid drop comment "early drop of invalid connections"
 ct state {established, related} accept comment "allow tracked connections"
 iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
 tcp dport ssh accept
 udp dport mdns accept
+ #tcp dport qbt-nox accept
+ tcp dport qbt accept
+ udp dport qbt accept
 #tcp dport iperf3 accept
+ udp dport wireguard accept
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 counter comment "count any other traffic"
@@ -32,6 +41,12 @@ table inet my_table {
 type filter hook forward priority filter
 policy drop
 # Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
 }
 chain my_output {
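Review bot: `tcp dport qbt accept` and `udp dport qbt accept` in the my_input hunk resolve the service name when the file is loaded, so unless `qbt` has an entry in /etc/services the whole ruleset fails to parse and `nft -f` applies nothing, which at boot means the nftables unit fails and the host comes up with no filter at all; `wireguard` ships in the standard services database as far as I know, `qbt` does not, so this presumably depends on a local addition. I would make that dependency explicit next to the interface defines, `define qbt_port = <QBT_PORT>` (placeholder) and `tcp dport $qbt_port accept` / `udp dport $qbt_port accept`, or at least add `# qbt: requires a local /etc/services entry` above the rules. It is also worth a comment on `iifname $wg_iface accept` that it sits ahead of the per-port rules and therefore exposes every local service, not just the listed ports, to tunnel peers, if that is the intent. The enclosing `chain my_input {` starts in the previous hunk.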
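Review bot: `iifname $wg_iface accept` and `oifname $wg_iface accept` in the forward-chain hunk open forwarding in both directions for any interface pair, so a host on the public side can initiate connections into the tunnel network and tunnel peers can be forwarded to anything this box routes, which is broader than the two commented-out interface-pair rules just above them; the chain also has no `ct state` rule, unlike my_input. If the goal is a WireGuard gateway, the tighter form is `iifname $wg_iface oifname $pub_iface accept` plus `iifname $pub_iface oifname $wg_iface ct state {established, related} accept`, so that only replies come back in from the public side. The context comment `# Drop everything forwarded to us. We do not forward.` is now stale and the `# needed for wireguard?` line should become a statement of what is intended once this is settled. The enclosing `chain my_forward {` starts outside the hunk.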
@@ -40,3 +55,17 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
+
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+# needed by wireguard?
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ }
+
+ # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname $pub_iface masquerade
+ }
+}
|
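Review bot: `oifname $pub_iface masquerade` rewrites the source of every packet leaving the public interface, not only tunnel traffic; restricting it to the tunnel's address range, `ip saddr <WG_SUBNET> oifname $pub_iface masquerade` (placeholder), keeps NAT from touching anything else routed through this host and documents why the rule exists. The `prerouting` chain has no rules and can be dropped unless DNAT is planned. Because the table is `ip`, IPv6 from peers is not translated; if the tunnel carries IPv6 this presumably needs an `inet` or `ip6` nat table as well. The `# needed by wireguard?` comment should be resolved, e.g. `# SNAT traffic from tunnel peers that is routed out of the WAN interface`.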