Diffstat (limited to 'etc')
-rw-r--r-- | etc/nftables.conf | 15 | ||||
-rw-r--r-- | etc/sysctl.d/99-sysctl.conf | 7 |
2 files changed, 22 insertions, 0 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 1ec682d9..1fec22e2 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -39,6 +39,10 @@ table inet my_table {
 type filter hook forward priority filter
 policy drop
 # Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for phantun
+ iifname pt0 accept
+ oifname pt0 accept
 }
 
 chain my_output {
@@ -47,3 +51,14 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
+
+table inet nat {
+ # needed for phantun https://github.com/dndx/phantun
+ # note here is postrouting not prerouting, server side phantun config is prerouting instead
+ chain postrouting {
+ type nat hook postrouting priority srcnat
+ policy accept
+ iifname pt0 oif enp3s0 masquerade
+ iifname pt0 oif wlp2s0 masquerade
+ }
+}
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
new file mode 100644
index 00000000..b9677c02
--- /dev/null
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -0,0 +1,7 @@
+# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
+# ka seems has this as default, maybe arch linux cloud-init image has this as default?
+# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
+# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
+# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
|
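Review bot: The two added forward rules `iifname pt0 accept` and `oifname pt0 accept` accept forwarded traffic in both directions against any peer interface, so anything arriving on enp3s0 or wlp2s0 can be forwarded into pt0 rather than only replies to flows that left through pt0. If the tunnel is outbound-only, pin both directions: `iifname pt0 oifname { enp3s0, wlp2s0 } accept` and `iifname { enp3s0, wlp2s0 } oifname pt0 ct state established,related accept`; whether phantun needs unsolicited inbound forwarding into pt0 cannot be told from the hunk, so confirm against its documentation before tightening. The context comment `# Drop everything forwarded to us. We do not forward. That is routers job.` is now contradicted by the rules directly beneath it and should read something like `# Forwarding is denied except for the phantun tunnel (pt0) below.`. The enclosing chain's header lies outside the hunk.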
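Review bot: The masquerade rules match the outbound interface with `oif`, which is resolved to an interface index when the ruleset is loaded, while the forward rules added in the same commit use `oifname`; if wlp2s0 or enp3s0 is absent or renamed at load time the rule cannot be resolved and the load fails, and a failed `nft -f` leaves the host with none of this file's drop policies installed. Match by name as the rest of the file does, which also collapses the pair into one rule: `iifname pt0 oifname { enp3s0, wlp2s0 } masquerade`. The `policy accept` on the nat chain is correct since nat chains only rewrite and filtering stays in my_table, but a comment such as `# nat chains must accept; filtering is done in my_table` would save the next reader verifying that.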
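Review bot: `net.ipv6.conf.all.forwarding = 1` makes the host an IPv6 router, and with the kernel default `accept_ra = 1` a forwarding host stops honouring Router Advertisements on enp3s0 and wlp2s0, so IPv6 autoconfiguration may silently break after this change; nothing in the nat hunk shows an IPv6 requirement, so either drop the line or pair it with `net.ipv6.conf.all.accept_ra = 2` and document why. Both sysctls enable forwarding for every interface, and the only thing containing that is the forward chain's `policy drop` in etc/nftables.conf, which is worth stating in this file so the two are kept in step. The header comment explains the setting in terms of wireguard and ends in a question, while the commit is about phantun; replace the first line with something like `# IPv4 forwarding is required for the phantun masquerade rules in etc/nftables.conf (pt0 -> enp3s0/wlp2s0); without it forwarded traffic is dropped by the kernel.`.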