#!/usr/bin/nft -f

# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

# some rules are taken from https://wiki.archlinux.org/title/Nftables

# `flush ruleset` clears every existing rule first, so the config can be reloaded with
# `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf` without leaving stale rules behind
flush ruleset

# xyzba uses a 6in4 sit tunnel for IPv6. To use IPv6 when connecting over WireGuard to xyzba, the tunnel
# interface ipv6net ($pub_iface6) also needs to be masqueraded, among other things
# https://wiki.archlinux.org/title/IPv6_tunnel_broker_setup
# so an nftables set is used here to treat both interfaces as the "public" side, see https://wiki.nftables.org/wiki-nftables/index.php/Sets
# NOTE(review): $pub_iface6 is not defined anywhere in this file; ipv6net is covered by the $pub_iface set below.
# Interfaces on the public (untrusted) side: the physical uplink and the IPv6 tunnel.
define pub_iface = { "ens18", "ipv6net" }
# The WireGuard interface; everything arriving on it is treated as trusted by the chains below.
define wg_iface = "wg0"
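# Filter table for both IPv4 and IPv6 (inet family).
# Input: default drop, explicit allow-list of services.
# Forward: only WireGuard-related flows; the public side may only reach wg0 through DNATed port forwards.
# Output: everything allowed.
table inet my_table {

	chain my_input {
		type filter hook input priority filter
		policy drop

		ct state invalid drop comment "early drop of invalid connections"
		ct state {established, related} accept comment "allow tracked connections"
		iifname lo accept comment "allow from loopback"
		iifname $wg_iface accept comment "allow from wireguard"
		# all ICMP / ICMPv6 is allowed (needed for path MTU discovery, neighbour discovery, etc.)
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept

		# services reachable from any interface (including the public side)
		tcp dport ssh accept
		#tcp dport iperf3 accept
		udp dport wireguard accept
		udp dport swgp accept
		# NOTE(review): new monerod-p2p connections arriving on $pub_iface are DNATed to a wg peer in
		# table nat's prerouting chain and therefore go through my_forward, not here; wg0 and lo are
		# already accepted above, so this rule only matters for any other interface.
		tcp dport monerod-p2p accept

		# anything else addressed to this host gets a rate-limited, counted reject;
		# beyond the rate limit (and for non-host pkttypes) the packet falls through to the drop policy
		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
		counter comment "count any other traffic"
	}

	chain my_forward {
		type filter hook forward priority filter
		policy drop
		# This host only forwards for WireGuard: peers may reach the internet (and each other),
		# and the public side may reach a peer only via the port forwards DNATed in table nat.
		# Previously `oifname $wg_iface accept` let any packet routed towards wg0 through, which
		# exposed the peers' tunnel addresses to anything on the public segment; the rules below
		# restrict the public->wg direction to DNATed flows and their return traffic.

		ct state invalid drop comment "early drop of invalid forwarded packets"
		ct state {established, related} accept comment "return traffic of already allowed flows"
		iifname $wg_iface accept comment "wireguard peers may go anywhere"
		iifname $pub_iface oifname $wg_iface ct status dnat accept comment "only DNATed port forwards may enter wg from the public side"
	}

	chain my_output {
		type filter hook output priority filter
		policy accept
		# Accept every outbound connection
	}
}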

# needed for WireGuard: NAT (masquerade) the VPN traffic
# Is the inet family needed to masquerade both IPv4 and IPv6? Would an `ip` table only masquerade IPv4, and an `ip6` table only IPv6?
# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
# NAT table for both IPv4 and IPv6 (inet family): DNAT port forwards towards a WireGuard peer
# and masquerading of everything that leaves through the public interfaces.
table inet nat {
	# On newer kernels a `chain prerouting { type nat hook prerouting priority -100; policy accept; }` is not needed
	# if there is a `chain postrouting`, and vice versa: no `chain postrouting` is needed if there is a `chain prerouting`
	# see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
	chain prerouting {
		type nat hook prerouting priority -100
		policy accept
		# port forwarding to a wireguard client: monerod-p2p arriving on the public side is DNATed to the peer's
		# tunnel address, once for IPv4 and once for IPv6 (`dnat ip` / `dnat ip6` each match only their own family)
		# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet
		iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p
		iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p
	}
	# for all packets leaving via $pub_iface, after routing, replace the source address with the primary IP of that interface
	chain postrouting {
		type nat hook postrouting priority 100
		policy accept
		# Needed for the VPN (peers reach the internet with this host's address) and for
		# port forwarding to a client that also routes its traffic through the VPN
		# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#default-route
		# NOTE(review): this matches every packet leaving $pub_iface, not only traffic coming from $wg_iface.
		oifname $pub_iface masquerade
		# needed for port forwarding to a client that does NOT route through the VPN — presumably so the
		# peer's replies come back through the tunnel; currently disabled
		# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#masquerading
		# TODO: enabling this breaks access from insp to ib qbt and jackett; needs a better approach
		#oifname $wg_iface masquerade
	}
}