From 79a16e4584a2e9956d33be9a02304fc21fab20dc Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Thu, 29 Jun 2023 19:06:22 -0700
Subject: wireguard nft firewall configs
---
 etc/nftables.conf | 26 ++++++++++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
(limited to 'etc')
diff --git a/etc/nftables.conf b/etc/nftables.conf
index f5efb4f5..f00077fe 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -6,8 +6,10 @@
 # some codes from https://wiki.archlinux.org/title/Nftables
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
-table inet my_table
-delete table inet my_table
+flush ruleset
+
+define pub_iface = "eth0"
+define wg_iface = "wg0"
 table inet my_table {
@@ -40,6 +42,12 @@ table inet my_table {
 type filter hook forward priority filter
 policy drop
 # Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
 }
 chain my_output {
@@ -48,3 +56,17 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
+
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+# needed by wireguard?
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0; policy accept;
+ }
+ # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
+ chain postrouting {
+ type nat hook postrouting priority 100; policy accept;
+ oifname $pub_iface masquerade
+ }
+}
-- 
cgit v1.2.3-70-g09d2
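Review bot: `flush ruleset` on the new first line of the file is broader than the `table inet my_table` / `delete table inet my_table` pair it replaces: it removes every table in every family, including ones this file does not own (rules installed by wg-quick, docker, fail2ban or libvirt, if any of those run on this host), so every reload silently drops them. The old idiom only reset `my_table`; since this commit now also adds `table ip nat`, repeating the same scoped pattern for that table (`table ip nat` / `delete table ip nat`) keeps reloads confined to the tables this file defines. If the global flush is intended, a comment saying so would stop the next reader from narrowing it, e.g. `# flush ruleset wipes ALL tables, not just ours; no other nft users are expected on this host`. `define pub_iface = "eth0"` is also a guess that nothing here verifies; on a host with predictable interface names it will not match and the masquerade rule that depends on it would presumably never fire, leaving tunnel traffic un-NATed.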
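Review bot: `oifname $wg_iface accept` in the forward chain admits new connections from any interface, including `$pub_iface`, into the tunnel, so anything on the public side that can route a packet toward the WireGuard subnet reaches the peers with no state check; the commented-out `iifname $pub_iface oifname $wg_iface accept` has the same gap. Return traffic for tunnel-originated connections is all the public side needs, so the two live lines should become `iifname $wg_iface oifname $pub_iface accept` and `iifname $pub_iface oifname $wg_iface ct state { established, related } accept`; `iifname $wg_iface accept` as written also lets peers forward to each other and to every other interface, which may be intended but should be stated in the comment rather than left as `# needed for wireguard?`. The context comment `# Drop everything forwarded to us. We do not forward. That is routers job.` is now contradicted by the rules directly under it and should be rewritten. Forwarding additionally needs `net.ipv4.ip_forward=1`, which this file cannot show — confirm it is set alongside these rules.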
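Review bot: `oifname $pub_iface masquerade` in `postrouting` source-NATs every forwarded packet that leaves `$pub_iface`, not only tunnel traffic; scoping it as `iifname $wg_iface oifname $pub_iface masquerade` ties the NAT to the one flow it exists for and makes the `# for all packets to WAN` comment accurate. The table is declared in the `ip` family, so nothing masquerades IPv6 from the tunnel; if peers are given IPv6 addresses, either declare it as `table inet nat` (masquerade is supported there on current kernels) or document that the tunnel is IPv4-only. The `# needed by wireguard?` question should be resolved into a statement such as `# Source-NAT tunnel traffic leaving the public interface so replies route back to this host`. The empty `prerouting` chain is presumably carried over from the Gentoo example because older kernels needed a prerouting nat hook for reverse translation; a one-line comment saying why it is kept (or dropping it if it is not needed on this kernel) would save the next reader the same question.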