diff options
| -rw-r--r-- | etc/nftables.conf | 22 |
1 files changed, 17 insertions, 5 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf index 5845c4c9..d20d2605 100644 --- a/etc/nftables.conf +++ b/etc/nftables.conf @@ -8,8 +8,10 @@ # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf` flush ruleset -define pub_iface = "ens18" -define pub_iface6 = "ipv6net" +# xyzba uses 6in4 sit tunnel for ipv6. To use ipv6 when wg to xyzba, that network interface name ipv6net ($pub_iface6) also needs to be masqueraded and other things +# https://wiki.archlinux.org/title/IPv6_tunnel_broker_setup +# so I use a nftables set for this, see https://wiki.nftables.org/wiki-nftables/index.php/Sets +define pub_iface = { "ens18", "ipv6net" } define wg_iface = "wg0" table inet my_table { @@ -28,6 +30,7 @@ table inet my_table { #tcp dport iperf3 accept udp dport wireguard accept udp dport swgp accept + tcp dport monerod-p2p accept pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited counter comment "count any other traffic" @@ -57,17 +60,26 @@ table inet my_table { # https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families table inet nat { # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }` if has `chain postrouting` + # also vice versa, no need `chain postrouting` if has `chain prerouting` + # more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/ + chain prerouting { + type nat hook prerouting priority -100 + policy accept + # port forwarding from client + # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet + iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p + iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p + } # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface chain postrouting { type nat hook postrouting priority 100 policy accept # Needed for VPN. Needed for port forwarding from cilent with VPN through server # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#default-route - # xyzba uses 6in4 sit tunnel for ipv6. To use ipv6 when wg to xyzba, that network interface name ipv6net ($pub_iface6) also needs to be masqueraded - # https://wiki.archlinux.org/title/IPv6_tunnel_broker_setup - oifname { $pub_iface, $pub_iface6 } masquerade + oifname $pub_iface masquerade # needed for port forwarding from client without VPN through server # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#masquerading + # TODO: note this will cause when insp can't access ib qbt and jackett, need improve #oifname $wg_iface masquerade } } |