From 6bbde285e3635a77d344b0decc7a1fb5aea9c5ab Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 7 Jul 2023 19:56:06 -0700
Subject: allow from wg0 network interface so when connected via wireguard, I can access local services in xyzka that does not have port open for outside
---
 etc/nftables.conf | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'etc/nftables.conf')
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 85f4242f..539d0e87 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -3,7 +3,9 @@
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-# some codes from https://wiki.archlinux.org/title/Nftables
+# some codes from:
+# https://wiki.archlinux.org/title/Nftables
+# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
@@ -20,6 +22,7 @@ table inet my_table {
 ct state invalid drop comment "early drop of invalid connections"
 ct state {established, related} accept comment "allow tracked connections"
 iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
-- 
cgit v1.2.3-70-g09d2
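Review bot: The added rule in the second hunk references `$wg_iface`, but this commit adds no `define` for it (all four insertions in the diffstat are visible here), so unless `define wg_iface = "wg0"` already exists earlier in etc/nftables.conf the file will fail to parse and `nft -f` will not apply the ruleset; worth confirming, especially since the subject names the interface as wg0 literally. The rule also accepts every packet arriving on the WireGuard interface, which makes every local service reachable by every configured peer; that matches the stated intent, but the comment should say so, e.g. `iifname $wg_iface accept comment "allow all traffic from wireguard peers (exposes every local service over the tunnel)"`. If only specific services are meant, narrowing with an `ip saddr` match on the tunnel subnet or a `tcp dport { ... }` set would keep the exposure explicit. The enclosing chain starts before this hunk, so which chain the rule lands in cannot be confirmed from the diff.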