From 1681a2b0d725189b4f6f0d19a46d1e0721872f35 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Tue, 25 Jun 2024 17:20:32 -0700
Subject: init xyzaa remove some xyzca specific configs and some xyzaa specific configs
---
 etc/nftables.conf | 36 +++++++++++++++++++++++++-----------
 1 file changed, 25 insertions(+), 11 deletions(-)
(limited to 'etc/nftables.conf')
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 22e38dfe..f5d7b49e 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -8,6 +8,8 @@
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
+define pub_iface = "eth0"
+define wg_iface = "wg0"
 table inet my_table {
 chain my_input {
@@ -17,6 +19,7 @@ table inet my_table {
 ct state invalid drop comment "early drop of invalid connections"
 ct state {established, related} accept comment "allow tracked connections"
 iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
@@ -25,17 +28,8 @@ table inet my_table {
 #tcp dport qbt accept
 #udp dport qbt accept
 #tcp dport iperf3 accept
- #udp dport wireguard accept
- # for acme.sh standalone mode builtin webserver to renew ssl cert
- tcp dport http accept
- # email related ports
- tcp dport smtp accept
- tcp dport pop3 accept
- tcp dport imap accept
- tcp dport submissions accept
- tcp dport submission accept
- tcp dport imaps accept
- tcp dport pop3s accept
+ udp dport wireguard accept
+ udp dport swgp accept
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 counter comment "count any other traffic"
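Review bot: The two `define` lines hard-code interface names with no comment saying they must match this host's actual NICs, and an `iifname`/`oifname` match on a name that does not exist is simply never hit, so a wrong `pub_iface` (a host whose uplink is not `eth0`) silently disables the forward and masquerade rules this commit adds further down instead of failing at load time. A one-line comment next to the defines, such as `# pub_iface must be the real uplink NIC name; a mismatch turns the oifname rules below into silent no-ops, not errors`, makes that visible to whoever reuses the file on another host. This hunk's context lines belong to the file header and the opening of `my_table`, whose body continues in later hunks.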
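Review bot: `iifname $wg_iface accept` in the input chain accepts every protocol and port from any WireGuard peer to this host, bypassing the per-port allow list the rest of the chain enforces for the public side. If the peers are not all fully trusted, the rule should be narrowed to the services they actually need, e.g. `iifname $wg_iface tcp dport { ssh, http } accept comment "allow from wireguard"` (port set constructed for illustration); if full trust is the intent, the comment should state it, e.g. `comment "allow all from wireguard peers (peers are fully trusted)"`. The `my_input` chain begins before this hunk and ends after it.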
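Review bot: `udp dport swgp accept` relies on `swgp` resolving to a port number, but nothing in this diff defines it and it is not a conventional `/etc/services` name; unless a `define swgp = <port>` or a services entry exists outside this hunk, `nft -f /etc/nftables.conf` will reject the whole file. Because the file opens with `flush ruleset` and the header comment recommends `systemctl restart nftables`, a rejected file can leave the host with no filtering at all until it is fixed (whether the service's stop action flushes the ruleset depends on the distribution's unit file, so this is inferred). Safer is an explicit port, `udp dport <SWGP_PORT> accept comment "swgp"` (placeholder), or a `define` placed next to the interface defines, and running `nft -c -f /etc/nftables.conf` before restarting the service. The input chain's closing lines are outside this hunk.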
@@ -45,6 +39,12 @@ table inet my_table {
 type filter hook forward priority filter
 policy drop
 # Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
 }
 chain my_output {
@@ -53,3 +53,17 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
+
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ oifname $pub_iface masquerade
+ }
+}
-- 
cgit v1.2.3-70-g09d2
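Review bot: The new `iifname $wg_iface accept` / `oifname $wg_iface accept` pair contradicts the comment kept directly above it (`We do not forward`) and is broader than the VPN needs: `oifname $wg_iface accept` lets any interface, including `$pub_iface`, initiate new connections toward VPN peers, and `iifname $wg_iface accept` lets peers forward to every other interface, not just the uplink. The two commented-out lines were closer to the right shape; what they lacked was tracked return traffic, so `iifname $wg_iface oifname $pub_iface accept` together with `iifname $pub_iface oifname $wg_iface ct state {established, related} accept` keeps the chain's `policy drop` meaningful (if the forward chain already has a chain-level `ct state` accept above its opening `type filter` line, which is outside this hunk, the second rule is unnecessary). The `# needed for wireguard?` question and the stale comment should be replaced by one statement of intent, e.g. `# forward only between the VPN and the uplink; no other forwarding`.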
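Review bot: `oifname $pub_iface masquerade` in the new `postrouting` chain rewrites the source of every forwarded packet leaving the uplink, not only VPN traffic, so the NAT scope is set implicitly by whatever the forward chain lets through rather than by this rule; `iifname $wg_iface oifname $pub_iface masquerade` (or `ip saddr <WG_SUBNET> oifname $pub_iface masquerade`, placeholder) pins it to the VPN explicitly and stays correct if forwarding is ever widened. The leading comment block is written as open questions (`Need inet to masquerade both ipv4 and ipv6?`); the chosen family should be recorded as a decision, and as far as I know an `inet` nat table does masquerade both families, which means peers' IPv6 traffic is NATed too, worth confirming that is wanted. Forwarding also presumably depends on sysctl settings kept elsewhere; a comment such as `# requires net.ipv4.ip_forward=1 (and net.ipv6.conf.all.forwarding=1 for v6), set in <sysctl file>` (placeholder) would tie the two together.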