-rw-r--r-- | etc/nftables.conf | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index eae3bbe4..e2e83f5c 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -3,9 +3,10 @@
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-# some codes from:
+# references, some codes from:
 # https://wiki.archlinux.org/title/Nftables
 # https://www.procustodibus.com/blog/2021/11/wireguard-nftables
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
@@ -56,18 +57,15 @@ table inet my_table {
 }
 }
-# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
-# needed by wireguard?
+# needed to wireguard NAT masquerade VPN traffic
 # Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
 # https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
 table inet nat {
- chain prerouting {
- type nat hook prerouting priority 0; policy accept;
- }
-
- # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
 chain postrouting {
- type nat hook postrouting priority 100; policy accept;
+ type nat hook postrouting priority 100
+ policy accept
 oifname $pub_iface masquerade
 }
 }
|
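Review bot: The new comment `# needed to wireguard NAT masquerade VPN traffic` describes the rule below it more narrowly than it behaves: `oifname $pub_iface masquerade` rewrites the source address of every packet leaving `$pub_iface`, forwarded from any interface, not only traffic arriving from WireGuard peers. If only VPN traffic is meant to be masqueraded, the rule should also match the tunnel side (an `iifname` test on the WireGuard interface or an `ip saddr`/`ip6 saddr` test on the tunnel subnet, whichever variable the file defines); otherwise the comment should state the broad scope plainly, e.g. `# masquerade all forwarded traffic leaving $pub_iface (VPN and anything else routed through this host)`. The comment replacing the prerouting chain says "newer kernel" without a version; naming the threshold (the nat prerouting chain stopped being required for postrouting-only NAT around Linux 4.18, to be confirmed against the linked article) lets a reader judge whether it applies to their host. Splitting `policy accept` onto its own line without a `;` is valid, since a newline is a statement separator, but it differs from the `type …; policy …;` form used in `table inet my_table` earlier in the file, so one style should be used throughout. The `table inet nat` block opens and closes inside this hunk, so the rule above is the whole NAT policy.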