| -rw-r--r-- | etc/nftables.conf | 30 | ||||
| -rw-r--r-- | etc/services | 1 | ||||
| -rw-r--r-- | etc/sysctl.d/99-sysctl.conf | 7 | ||||
| l--------- | etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service | 1 | ||||
| -rw-r--r-- | home/xyz/.config/myconf/pacman_Qqne | 1 | 
5 files changed, 2 insertions, 38 deletions
|
diff --git a/etc/nftables.conf b/etc/nftables.conf
index c4ca7f45..22e38dfe 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -3,17 +3,11 @@
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-# references, some codes from:
-# https://wiki.archlinux.org/title/Nftables
-# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
-# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+# some codes from https://wiki.archlinux.org/title/Nftables
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
-define pub_iface = "eth0"
-define wg_iface = "wg0"
-
 table inet my_table {
 	chain my_input {
@@ -23,7 +17,6 @@ table inet my_table {
 		ct state invalid drop comment "early drop of invalid connections"
 		ct state {established, related} accept comment "allow tracked connections"
 		iifname lo accept comment "allow from loopback"
-		iifname $wg_iface accept comment "allow from wireguard"
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
@@ -32,7 +25,7 @@ table inet my_table {
 		#tcp dport qbt accept
 		#udp dport qbt accept
 		#tcp dport iperf3 accept
-		udp dport wireguard accept
+		#udp dport wireguard accept
 		# for acme.sh standalone mode builtin webserver to renew ssl cert
 		tcp dport http accept
 		# email related ports
@@ -52,12 +45,6 @@ table inet my_table {
 		type filter hook forward priority filter
 		policy drop
 		# Drop everything forwarded to us. We do not forward. That is routers job.
-
-		# needed for wireguard?
-		#iifname $wg_iface oifname $pub_iface accept
-		#iifname $pub_iface oifname $wg_iface accept
-		iifname $wg_iface accept
-		oifname $wg_iface accept
 	}
 	chain my_output {
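Review bot: The commented-out `#udp dport wireguard accept` on the new side still refers to the `wireguard` port name, while the `etc/services` hunk in this same commit deletes the `wireguard 49432/udp` entry that nft would resolve it from; if the line is ever uncommented as written, loading the ruleset would presumably fail on the unknown service name. Either drop the dead line or keep it re-enableable with the numeric port and a pointer, e.g. `#udp dport 49432 accept  # wireguard; port name was removed from /etc/services`. The enclosing `chain my_input` block starts and ends outside this hunk.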
@@ -66,16 +53,3 @@ table inet my_table {
 		# Accept every outbound connection
 	}
 }
-
-# needed to wireguard NAT masquerade VPN traffic
-# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
-# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
-table inet nat {
-	# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
-	# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
-	chain postrouting {
-		type nat hook postrouting priority 100
-		policy accept
-		oifname $pub_iface masquerade
-	}
-}
diff --git a/etc/services b/etc/services
index b1b9f5bc..500c6ac7 100644
--- a/etc/services
+++ b/etc/services
@@ -11507,7 +11507,6 @@ nusrp           49001/tcp
 nusdp-disc      49001/udp
 inspider        49150/tcp
 # my services
-wireguard       49432/udp
 # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
 ssh-isp         49812/tcp
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
deleted file mode 100644
index b9677c02..00000000
--- a/etc/sysctl.d/99-sysctl.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
-# ka seems has this as default, maybe arch linux cloud-init image has this as default?
-# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
-# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
-# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
diff --git a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
deleted file mode 120000
index 0a92cb9a..00000000
--- a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/systemd/system/wg-quick@.service
\ No newline at end of file
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 912426c0..f60f41bc 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -49,7 +49,6 @@ tree
 unrar-free
 unzip
 vidir2-git
-wireguard-tools
 xdg-user-dirs
 xfsprogs
 zip
|
