Diffstat (limited to 'etc/netns/ns0/nftables.conf')
-rw-r--r-- | etc/netns/ns0/nftables.conf | 71 |
1 files changed, 71 insertions, 0 deletions
diff --git a/etc/netns/ns0/nftables.conf b/etc/netns/ns0/nftables.conf
new file mode 100644
index 00000000..b0c1237c
--- /dev/null
+++ b/etc/netns/ns0/nftables.conf
@@ -0,0 +1,71 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# references, some codes from:
+# https://wiki.archlinux.org/title/Nftables
+# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+define pub_iface = "ipvl0"
+define wg_iface = "wg0"
+table inet my_table {
+
+ chain my_input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ #tcp dport ssh accept
+ #tcp dport qbt-nox accept
+ tcp dport qbt accept
+ udp dport qbt accept
+ #tcp dport iperf3 accept
+ udp dport wireguard accept
+ udp dport swgp accept
+
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter comment "count any other traffic"
+ }
+
+ chain my_forward {
+ type filter hook forward priority filter
+ policy drop
+ # Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
+ }
+
+ chain my_output {
+ type filter hook output priority filter
+ policy accept
+ # Accept every outbound connection
+ }
+}
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ oifname $pub_iface masquerade
+ }
+}
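Review bot: The my_forward chain accepts every packet whose output interface is wg0 (`oifname $wg_iface accept`) with no conntrack state rule in front of it, so unsolicited traffic arriving on $pub_iface is forwarded into the tunnel to the WireGuard peers, and the "We do not forward" comment a few lines above no longer describes what the chain does. Return traffic only needs a state match, and forwarding can be limited to the tunnel-to-uplink direction the commented-out lines already sketch: `ct state invalid drop`, `ct state {established, related} accept`, and `iifname $wg_iface oifname $pub_iface accept` in place of the two bare interface matches. If peer-to-peer forwarding between tunnel clients is intended, an explicit `iifname $wg_iface oifname $wg_iface accept` keeps that decision visible rather than implied by the broad `oifname` rule. Separately, `qbt` and `swgp` are not standard service names, so `nft -f` will refuse to load this file unless both are defined in /etc/services on the host; the numeric ports would make the ruleset self-contained.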