Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--etc/nftables.conf26
1 files changed, 24 insertions, 2 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index f5efb4f5..f00077fe 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -6,8 +6,10 @@
# some codes from https://wiki.archlinux.org/title/Nftables
# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
-table inet my_table
-delete table inet my_table
+flush ruleset
+
+define pub_iface = "eth0"
+define wg_iface = "wg0"
table inet my_table {
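Review bot: `flush ruleset` on L19 clears every table of every family, not just `my_table`, so any rules another tool has installed on this host (for instance what wg-quick adds for wg0 when it manages the tunnel's routing, if that is how the interface is brought up) are lost on each `systemctl restart nftables` or `nft -f` run; the removed `table inet my_table` / `delete table inet my_table` pair only touched this one table. Because `nft -f` applies the file as a single transaction there is no moment with an empty ruleset, but the wider scope is worth recording next to L16, e.g. `# flush ruleset removes ALL tables, including ones created by other tools; everything must be recreated below`. If only this table should be reset, `flush table inet my_table` alone fails when the table does not exist yet, so the create-then-delete pair remains the narrow alternative. The `table inet my_table {` block opened on L23 continues outside the hunk.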
@@ -40,6 +42,12 @@ table inet my_table {
type filter hook forward priority filter
policy drop
# Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
}
chain my_output {
@@ -48,3 +56,17 @@ table inet my_table {
# Accept every outbound connection
}
}
+
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+# needed by wireguard?
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ }
+
+ # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname $pub_iface masquerade
+ }
+}
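Review bot: `oifname $pub_iface masquerade` on L51 rewrites the source of every packet leaving `$pub_iface`, not only tunnel traffic, so packets forwarded from any other interface and locally generated traffic from a secondary eth0 address are also NATed to the primary address; scoping it to the WireGuard network, `ip saddr <WG_SUBNET> oifname $pub_iface masquerade` (placeholder for the actual wg0 address range), keeps the NAT limited to what the comment on L42 describes. The `prerouting` chain on L44–L46 holds no rules and can be dropped, or if kept for future DNAT its priority should be `dstnat` (-100) rather than `0`, and `priority 100` on L50 would read as `priority srcnat` to match the named `priority filter` used earlier in this file. As `table ip nat` this covers IPv4 only; if peers route IPv6 through the tunnel an `ip6` (or, with a kernel that supports it, `inet`) nat table is needed as well. The `needed by wireguard?` question on L42 should be replaced by the reason the table is present.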