authorXiao Pan <gky44px1999@gmail.com>2024-06-25 17:20:32 -0700
committerXiao Pan <gky44px1999@gmail.com>2024-06-25 17:20:32 -0700
commit1681a2b0d725189b4f6f0d19a46d1e0721872f35 (patch)
tree7e79b5c6694ffac3d0ad40de344e6e42c6eaf7c0 /etc/nftables.conf
parenta15d7097e161a914810e4d8f0ce48578a8224751 (diff)
init xyzaa
remove some xyzca specific configs and some xyzaa specific configs
Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--etc/nftables.conf36
1 files changed, 25 insertions, 11 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 22e38dfe..f5d7b49e 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -8,6 +8,8 @@
# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset
+define pub_iface = "eth0"
+define wg_iface = "wg0"
table inet my_table {
chain my_input {
@@ -17,6 +19,7 @@ table inet my_table {
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
ip protocol icmp accept
meta l4proto ipv6-icmp accept
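Review bot: `iifname $wg_iface accept` in my_input admits every protocol and port from VPN peers to the host itself, which is much broader than the per-port rules the same chain uses for traffic arriving on $pub_iface. If peers only need a few host services (DNS, SSH), matching those explicitly keeps the tunnel from becoming a bypass of the port policy, e.g. `iifname $wg_iface udp dport domain accept comment "dns for wireguard peers"`. If full trust of the tunnel is intended, say so in the rule's comment so the next reader does not tighten it by accident. The my_input chain starts before this hunk.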
@@ -25,17 +28,8 @@ table inet my_table {
#tcp dport qbt accept
#udp dport qbt accept
#tcp dport iperf3 accept
- #udp dport wireguard accept
- # for acme.sh standalone mode builtin webserver to renew ssl cert
- tcp dport http accept
- # email related ports
- tcp dport smtp accept
- tcp dport pop3 accept
- tcp dport imap accept
- tcp dport submissions accept
- tcp dport submission accept
- tcp dport imaps accept
- tcp dport pop3s accept
+ udp dport wireguard accept
+ udp dport swgp accept
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter comment "count any other traffic"
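Review bot: `udp dport swgp accept` and `udp dport wireguard accept` depend on those names resolving as service names; nft resolves port names through the system services database, and unless both entries exist there (or are supplied by a `define`), `nft -f /etc/nftables.conf` rejects the file and none of this change takes effect. Since the previous `#udp dport wireguard accept` line was commented out, it was never confirmed to load, so this is worth checking before deploying. Numeric ports bound to defines next to the interface defines, e.g. `define wg_port = <port>` and `udp dport $wg_port accept comment "wireguard"`, remove the dependency and keep the `comment` style the neighbouring rules use.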
@@ -45,6 +39,12 @@ table inet my_table {
type filter hook forward priority filter
policy drop
# Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
}
chain my_output {
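Review bot: `oifname $wg_iface accept` accepts forwarded traffic from any interface, including $pub_iface, toward the VPN peers, and `iifname $wg_iface accept` lets peers forward to anywhere, so the forward chain's policy drop now only applies to traffic that touches neither side of the tunnel; the context comment "We do not forward" directly above is no longer true and should be updated. If the goal is peer-originated traffic going out via the public interface, the two commented-out lines are closer to the intent: `iifname $wg_iface oifname $pub_iface accept` for the outbound direction and `iifname $pub_iface oifname $wg_iface ct state established,related accept` for the return path, which keeps unsolicited traffic from $pub_iface away from the peers. The chain header for my_forward is outside this hunk.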
@@ -53,3 +53,17 @@ table inet my_table {
# Accept every outbound connection
}
}
+
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ oifname $pub_iface masquerade
+ }
+}
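Review bot: `oifname $pub_iface masquerade` has no source match, so every packet the host forwards out of $pub_iface is source-NATed, not only VPN traffic; restricting it with `iifname $wg_iface oifname $pub_iface masquerade` (or `ip saddr`/`ip6 saddr` matches on the tunnel ranges) limits the rewrite to the tunnel and makes the rule's purpose self-evident. On the question in the comment above the table: a masquerade rule in an `inet` family table applies to both IPv4 and IPv6 on kernels that support inet NAT (5.2 or newer), so the comment can become a statement once confirmed on the target kernel. A `comment "..."` on the masquerade rule would match the rest of the file.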