Diffstat (limited to 'etc/nftables.conf')
-rw-r--r-- | etc/nftables.conf | 24 |
1 files changed, 0 insertions, 24 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index da1f2f44..ebf4a082 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -11,8 +11,6 @@
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
-define pub_iface = "eth0"
-define wg_iface = "wg0"
 table inet my_table {
 chain my_input {
@@ -22,7 +20,6 @@ table inet my_table {
 ct state invalid drop comment "early drop of invalid connections"
 ct state {established, related} accept comment "allow tracked connections"
 iifname lo accept comment "allow from loopback"
- iifname $wg_iface accept comment "allow from wireguard"
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
@@ -31,8 +28,6 @@ table inet my_table {
 tcp dport qbt accept
 udp dport qbt accept
 #tcp dport iperf3 accept
- udp dport wireguard accept
- udp dport swgp accept
 # for acme.sh standalone mode builtin webserver to renew ssl cert
 tcp dport http accept
 # email related ports
@@ -52,12 +47,6 @@ table inet my_table {
 type filter hook forward priority filter
 policy drop
 # Drop everything forwarded to us. We do not forward. That is routers job.
-
- # needed for wireguard?
- #iifname $wg_iface oifname $pub_iface accept
- #iifname $pub_iface oifname $wg_iface accept
- iifname $wg_iface accept
- oifname $wg_iface accept
 }
 chain my_output {
@@ -66,16 +55,3 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
-
-# needed to wireguard NAT masquerade VPN traffic
-# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
-# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
-table inet nat {
- # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
- # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
- chain postrouting {
- type nat hook postrouting priority 100
- policy accept
- oifname $pub_iface masquerade
- }
-} |