#!/usr/bin/nft -f
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
# References (some rules adapted from):
# https://wiki.archlinux.org/title/Nftables
# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
# `flush ruleset` below is what makes a reload safe via `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`: without it each reload would append a duplicate copy of every table and rule instead of replacing the live ruleset.
# Replace the entire live ruleset atomically; re-running this file then
# yields exactly the rules below rather than appending a second copy.
flush ruleset
# Internet-facing interface: all non-VPN traffic enters and leaves here.
define pub_iface = "eth0"
# WireGuard interface: traffic arriving from its peers is accepted by the input chain.
define wg_iface = "wg0"
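table inet my_table {
	# Host firewall. Default-deny on input and forward; anything this host
	# originates is allowed out. The inet family covers IPv4 and IPv6 at once.
	chain my_input {
		type filter hook input priority filter
		policy drop

		ct state invalid drop comment "early drop of invalid connections"
		ct state {established, related} accept comment "allow tracked connections"

		iifname lo accept comment "allow from loopback"
		iifname $wg_iface accept comment "allow from wireguard peers"

		# ICMP is accepted unfiltered; ICMPv6 in particular carries neighbour
		# discovery, without which IPv6 does not work at all.
		ip protocol icmp accept comment "icmp"
		meta l4proto ipv6-icmp accept comment "icmpv6 (incl. neighbour discovery)"

		# Exposed services. SSH is accepted without a per-source rate limit;
		# on an internet-facing host pair this with key-only authentication.
		tcp dport ssh accept comment "ssh"
		# "qbt" must be resolvable via /etc/services or the load fails.
		tcp dport qbt accept comment "qbittorrent (tcp)"
		udp dport qbt accept comment "qbittorrent (udp)"
		udp dport wireguard accept comment "wireguard"
		# Phantun fake-TCP transport. Packets matching the prerouting DNAT in
		# table nat are rewritten to the pt0 peer and go through my_forward,
		# never this chain; this rule only covers packets the DNAT skipped
		# (e.g. ones not arriving on $pub_iface).
		tcp dport 59083 accept comment "phantun (fake tcp)"

		# Historical / optional rules kept for reference:
		#tcp dport qbt-nox accept
		#tcp dport iperf3 accept
		#tcp dport 60711 accept
		#ip daddr 89.213.174.92 tcp dport 60711 drop

		# Refuse everything else addressed to this host, rate limited so a
		# port scan cannot turn the box into an ICMP error generator.
		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
		counter comment "count any other traffic"
	}

	chain my_forward {
		type filter hook forward priority filter
		policy drop

		# This host only routes for the VPN: WireGuard peers (wg0) and the
		# DNAT'd Phantun flow (pt0). Return traffic of accepted flows is
		# matched by conntrack state, so no blanket "oifname ... accept" is
		# needed; in particular nothing arriving on $pub_iface can open a new
		# connection into the VPN subnet.
		ct state invalid drop comment "drop invalid forwarded packets"
		ct state {established, related} accept comment "replies for accepted flows"

		iifname $wg_iface accept comment "wireguard peers -> anywhere"
		iifname pt0 accept comment "phantun -> anywhere"
		# Inbound Phantun: already DNAT'd (prerouting, table nat) to the pt0
		# peer address, so it arrives here as $pub_iface -> pt0. DNAT keeps
		# the port, hence dport is still 59083.
		iifname $pub_iface oifname pt0 tcp dport 59083 accept comment "dnat'd phantun"
	}

	chain my_output {
		type filter hook output priority filter
		policy accept
		# Everything originating from this host is allowed out.
	}
}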
# NAT table for the VPN: masquerades WireGuard traffic leaving the public interface.
# The inet family lets one table NAT both IPv4 and IPv6 (an `ip` table would rewrite only IPv4, an `ip6` table only IPv6); this needs a kernel/nftables recent enough for NAT in the inet family.
# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
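table inet nat {
	# Inbound Phantun: redirect the fake-TCP port arriving on the public
	# interface to the Phantun server behind pt0. This is the *server* side,
	# hence prerouting DNAT; the client side uses postrouting instead.
	chain prerouting {
		type nat hook prerouting priority dstnat
		policy accept
		# Match by name (iifname), not index (iif): iif is resolved to an
		# interface index when the ruleset is loaded, so the rule fails to
		# load if the interface does not exist yet and stops matching if the
		# interface is recreated with a new index. The rest of this file
		# already matches by name.
		iifname $pub_iface tcp dport 59083 dnat ip to 10.0.2.2 comment "phantun ipv4"
		iifname $pub_iface tcp dport 59083 dnat ip6 to fdc9:281f:04d7:9eeb::2 comment "phantun ipv6"
	}

	# Newer kernels no longer need an empty prerouting nat chain registered
	# just to make source NAT work; see
	# https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
	#
	# Rewrite the source address of forwarded packets leaving $pub_iface to
	# that interface's primary address. Note this applies to *any* forwarded
	# flow leaving $pub_iface, not only WireGuard; the filter table's forward
	# chain is what limits which flows get this far. Replies of the DNAT'd
	# Phantun flow are un-translated by conntrack and do not need this rule.
	chain postrouting {
		type nat hook postrouting priority srcnat
		policy accept
		oifname $pub_iface masquerade comment "forwarded traffic -> internet"
	}
}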