Diffstat (limited to 'etc')
-rw-r--r--etc/nftables.conf25
-rw-r--r--etc/services2
-rw-r--r--etc/sysctl.d/99-sysctl.conf7
-rw-r--r--etc/systemd/network/10-cloud-init-eth0.network7
l---------etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service1
5 files changed, 41 insertions, 1 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 22e38dfe..b824edee 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -8,6 +8,8 @@
# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset
+define pub_iface = "eth0"
+define wg_iface = "wg0"
table inet my_table {
chain my_input {
@@ -17,6 +19,7 @@ table inet my_table {
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
ip protocol icmp accept
meta l4proto ipv6-icmp accept
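Review bot: The added `iifname $wg_iface accept` in my_input grants every WireGuard peer unrestricted access to all services listening on this host, not just the forwarding path this commit is setting up; the rule is placed before any port filtering, so later `dport` rules never apply to tunnel traffic. If full host access for peers is intended, the comment should say so, e.g. `iifname $wg_iface accept comment "allow from wireguard peers (full access to host services)"`; otherwise restrict it to the ports peers actually need. The my_input chain begins outside this hunk.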
@@ -25,7 +28,8 @@ table inet my_table {
#tcp dport qbt accept
#udp dport qbt accept
#tcp dport iperf3 accept
- #udp dport wireguard accept
+ udp dport wireguard accept
+ udp dport swgp accept
# for acme.sh standalone mode builtin webserver to renew ssl cert
tcp dport http accept
# email related ports
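Review bot: `udp dport wireguard accept` and `udp dport swgp accept` depend on the custom `wireguard` and `swgp` entries that this same commit adds to etc/services; nft resolves service names through the system services database when the ruleset is loaded, so on a host where those entries are missing `nft -f /etc/nftables.conf` will fail and the whole ruleset (including the `flush ruleset` above) may be left in an unexpected state. A comment making the coupling explicit would help, e.g. `# port names below are defined in /etc/services (same repo), not IANA defaults`, or use numeric ports here. Whether these ports match the `ListenPort` of the wg0 configuration cannot be checked from this commit.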
@@ -45,6 +49,12 @@ table inet my_table {
type filter hook forward priority filter
policy drop
# Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
}
chain my_output {
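Review bot: The blanket `oifname $wg_iface accept` at the end of this hunk lets any forwarded packet that arrives on `$pub_iface` be relayed into the tunnel to VPN peers, which contradicts the "We do not forward" comment left in place above it and exposes peers to unsolicited inbound traffic from the internet through the gateway. The two commented-out interface-pair rules are closer to what is wanted; I would replace the last two added lines with `iifname $wg_iface oifname $pub_iface accept` and `iifname $pub_iface oifname $wg_iface ct state established,related accept`, so only replies to connections initiated by peers are forwarded back, and update the comment to say that forwarding is now allowed between wg0 and eth0 only. The forward chain's header is outside this hunk, so I cannot tell whether a `ct state` rule already exists earlier in it.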
@@ -53,3 +63,16 @@ table inet my_table {
# Accept every outbound connection
}
}
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ oifname $pub_iface masquerade
+ }
+}
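Review bot: `oifname $pub_iface masquerade` is not restricted by ingress interface or source address, so it rewrites the source of every packet leaving eth0, not only forwarded VPN traffic; scoping it as `iifname $wg_iface oifname $pub_iface masquerade` limits NAT to the tunnel and, as far as I can tell, avoids masquerade also touching locally originated packets (which might otherwise be rewritten to the interface's primary address even when a socket was bound to a secondary one). On the question in the comment: in the `inet` family the `masquerade` statement applies to both IPv4 and IPv6 packets, and NAT in the inet family requires a 5.2 or newer kernel, so the comment could become a statement, e.g. `# inet nat masquerades both IPv4 and IPv6 (kernel >= 5.2)`. The nat table does not carry an input rule for the masqueraded return traffic; that is handled by conntrack, which is worth noting next to the chain.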
diff --git a/etc/services b/etc/services
index aa270681..91a89df2 100644
--- a/etc/services
+++ b/etc/services
@@ -11510,5 +11510,7 @@ inspider 49150/tcp
# my services
# My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
# https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
+wireguard 49432/udp
ssh-isp 49812/tcp
iperf3 53497/tcp
+swgp 54635/udp
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
new file mode 100644
index 00000000..b9677c02
--- /dev/null
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -0,0 +1,7 @@
+# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
+# ka seems has this as default, maybe arch linux cloud-init image has this as default?
+# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
+# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
+# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
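Review bot: Enabling forwarding globally here makes the nftables forward chain the only control over what this host relays between interfaces, so the two files should reference each other; I would replace the question-mark comment with a statement such as `# forwarding is required for the wg0 <-> eth0 NAT in /etc/nftables.conf; the forward chain there is what restricts what is relayed`. Setting `net.ipv6.conf.all.forwarding = 1` also turns the host into an IPv6 router, and the kernel then ignores router advertisements on eth0 unless `accept_ra = 2` is set for that interface; since the networkd configuration in this commit uses static addresses this may be a non-issue, but it deserves a comment so a later switch to RA-based configuration does not silently break. The typo-laden second comment line ("ka seems has this as default") should be reworded or dropped once the behaviour has been confirmed.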
diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network
index 1bc579b9..7829f528 100644
--- a/etc/systemd/network/10-cloud-init-eth0.network
+++ b/etc/systemd/network/10-cloud-init-eth0.network
@@ -14,7 +14,14 @@ Address=38.175.201.185/22
Address=2606:a8c0:3::75f/128
[Address]
+# another ipv6 address for aa wireguard+swgp into
+# not sure if it is corret, but it works
+Address=2606:a8c0:3:773::b/64
+
+[Address]
+# the last address seems is the default?
# ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address
+# 2024-06-27, ...:1/64 seems doe not work any more, not sure why
Address=2606:a8c0:3:773::a/64
# use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
#Address=2606:a8c0:3:773::a/48
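Review bot: The new comment "the last address seems is the default?" documents an assumption about source-address selection that depends on address ordering and preferred-lifetime state rather than on anything this file guarantees. systemd-networkd lets you pin this explicitly: adding `PreferredLifetime=0` to the [Address] section for the `::b` address marks it deprecated so it is not chosen as a source address while still being reachable, which would make the intent of the "for wireguard+swgp" address stated in the file instead of inferred. The `[Address]` block for `::a` continues past the end of this hunk.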
diff --git a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
new file mode 120000
index 00000000..0a92cb9a
--- /dev/null
+++ b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/wg-quick@.service \ No newline at end of file