path: root/etc/nftables.conf
blob: 1ea06d6bfe1d03c5284cc985023895a1ff225598 (plain)
#!/usr/bin/nft -f

# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.

# some rules adapted from https://wiki.archlinux.org/title/Nftables

# needed so the config can be reloaded with `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset

# Interface names referenced by the rules below. $pub_iface is the internet-facing
# NIC, $wg_iface the WireGuard tunnel; change these if the host names them differently.
define pub_iface = "eth0"
define wg_iface = "wg0"
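table inet my_table {

	# Host firewall: default-deny on input, explicit allow-list of services.
	chain my_input {
		type filter hook input priority filter
		policy drop

		ct state invalid drop comment "early drop of invalid connections"
		ct state {established, related} accept comment "allow tracked connections"
		iifname lo accept comment "allow from loopback"
		iifname $wg_iface accept comment "allow from wireguard"
		# ICMP and ICMPv6 are accepted without a rate limit; ICMPv6 in particular is
		# needed for neighbour discovery and path-MTU discovery to work on IPv6.
		ip protocol icmp accept
		meta l4proto ipv6-icmp accept

		# New connections allowed on any interface. Everything from $wg_iface is
		# already accepted above, so in practice this list is what $pub_iface exposes.
		tcp dport ssh accept
		#tcp dport qbt-nox accept
		#tcp dport qbt accept
		#udp dport qbt accept
		#tcp dport iperf3 accept
		udp dport wireguard accept
		udp dport swgp accept
		# for acme.sh standalone mode builtin webserver to renew ssl cert
		tcp dport http accept
		# email related ports
		tcp dport smtp accept
		tcp dport pop3 accept
		tcp dport imap accept
		tcp dport submissions accept
		tcp dport submission accept
		tcp dport imaps accept
		tcp dport pop3s accept
		# NOTE(review): table nat DNATs monerod-p2p arriving on $pub_iface to 10.0.0.1; if
		# that is a VPN peer rather than this host's own tunnel address, such packets go
		# through the forward chain and this rule only matters for other sources — confirm.
		tcp dport monerod-p2p accept

		# Anything else addressed to this host gets a rate-limited admin-prohibited
		# rejection: clients see a clean error instead of a timeout, while the limit keeps
		# the host from being used as an ICMP amplifier. Broadcast/multicast falls through.
		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
		counter comment "count any other traffic"
	}

	# Forwarding: only the WireGuard tunnel is routed through this host. Previously
	# "oifname $wg_iface accept" let any packet routed towards the tunnel through,
	# regardless of where it came from or whether a flow existed; now only tracked
	# flows, VPN-initiated flows, and explicitly DNATed port-forwards are forwarded.
	chain my_forward {
		type filter hook forward priority filter
		policy drop

		ct state invalid drop comment "early drop of invalid forwarded packets"
		# Return traffic for flows this host is already forwarding, in either direction.
		ct state {established, related} accept comment "allow tracked forwarded connections"
		# VPN clients may open connections anywhere (internet via $pub_iface, or other peers).
		iifname $wg_iface accept comment "allow from wireguard"
		# From the public side, only flows rewritten by the DNAT rules in table nat may
		# open a new connection into the tunnel; unsolicited packets towards $wg_iface
		# that were not port-forwarded hit the drop policy.
		iifname $pub_iface oifname $wg_iface ct status dnat accept comment "allow port-forwarded connections into wireguard"
	}

	chain my_output {
		type filter hook output priority filter
		policy accept
		# Accept every outbound connection
	}
}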

# needed to NAT (masquerade) WireGuard VPN traffic
# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
table inet nat {
	# Only the NAT hooks actually used are declared. Per the linked article, newer kernels
	# do not require a counterpart chain (a prerouting chain when only postrouting is
	# needed, or vice versa); the older advice to declare both is no longer needed.
	# more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
	chain prerouting {
		type nat hook prerouting priority -100
		policy accept
		# Port forwarding from the internet to a VPN client:
		# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet
		# The iifname match limits the rewrite to packets arriving on the public interface,
		# so the same port reached via the tunnel or loopback is not redirected.
		# NOTE(review): the targets are presumably the forwarded peer's tunnel addresses and
		# must be covered by that peer's AllowedIPs on this server — confirm against the
		# WireGuard config. Because my_forward has policy drop, it must also accept these
		# rewritten flows, or they are dropped after the DNAT.
		iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p
		iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p
	}
	# For all packets leaving via $pub_iface, after routing, replace the source address
	# with the primary address of $pub_iface. Being in the inet family, this single rule
	# is expected to masquerade both IPv4 and IPv6 — TODO confirm on the running kernel.
	chain postrouting {
		type nat hook postrouting priority 100
		policy accept
		# Needed for VPN clients that send their internet traffic through this server, and
		# for the port-forward above when the client routes its default route via the VPN.
		# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#default-route
		oifname $pub_iface masquerade
		# Only needed to port-forward to a client that does NOT route its default route
		# through the server; rewriting the source to this host's tunnel address makes the
		# client's replies come back through the tunnel. Leave disabled otherwise.
		# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#masquerading
		#oifname $wg_iface masquerade
	}
}