Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--etc/nftables.conf30
1 files changed, 2 insertions, 28 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index c4ca7f45..22e38dfe 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -3,17 +3,11 @@
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-# references, some codes from:
-# https://wiki.archlinux.org/title/Nftables
-# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
-# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+# some codes from https://wiki.archlinux.org/title/Nftables
# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset
-define pub_iface = "eth0"
-define wg_iface = "wg0"
-
table inet my_table {
chain my_input {
@@ -23,7 +17,6 @@ table inet my_table {
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iifname lo accept comment "allow from loopback"
- iifname $wg_iface accept comment "allow from wireguard"
ip protocol icmp accept
meta l4proto ipv6-icmp accept
@@ -32,7 +25,7 @@ table inet my_table {
#tcp dport qbt accept
#udp dport qbt accept
#tcp dport iperf3 accept
- udp dport wireguard accept
+ #udp dport wireguard accept
# for acme.sh standalone mode builtin webserver to renew ssl cert
tcp dport http accept
# email related ports
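Review bot: The WireGuard port rule is only commented out (`#udp dport wireguard accept`) while the companion `$wg_iface` input/forward rules and the NAT table are deleted outright elsewhere in this commit, so the file is left with a dead rule and no remaining WireGuard definitions to give it context. Either remove the line as well, or keep it with a reason that survives the removal, e.g. `# wireguard disabled; re-enable together with the wg0 iifname/forward/masquerade rules`. As written, a later reader cannot tell whether this is a temporary toggle or a leftover. The enclosing `my_input` chain starts outside the hunk.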
@@ -52,12 +45,6 @@ table inet my_table {
type filter hook forward priority filter
policy drop
# Drop everything forwarded to us. We do not forward. That is routers job.
-
- # needed for wireguard?
- #iifname $wg_iface oifname $pub_iface accept
- #iifname $pub_iface oifname $wg_iface accept
- iifname $wg_iface accept
- oifname $wg_iface accept
}
chain my_output {
@@ -66,16 +53,3 @@ table inet my_table {
# Accept every outbound connection
}
}
-
-# needed to wireguard NAT masquerade VPN traffic
-# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
-# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
-table inet nat {
- # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
- # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
- chain postrouting {
- type nat hook postrouting priority 100
- policy accept
- oifname $pub_iface masquerade
- }
-}