nftables: add wireguard rules template

2024-11-25 00:38:23 -05:00 · 2021-08-11 18:03:37 +03:00 · 2021-08-11 18:03:37 +03:00 · 7a33971f18
commit 7a33971f18
parent c4aa156dd1
1 changed files with 27 additions and 1 deletions
--- a/system/etc/nftables.conf
+++ b/system/etc/nftables.conf
@ -28,7 +28,12 @@ flush ruleset
 #define ACCEPT_TCP_PORTS = { 80, 443, 1965 }

 # UDP ports to accept (both IPv4 and IPv6)
-#define ACCEPT_UDP_PORTS = {}
+#define ACCEPT_UDP_PORTS = { 51820 }
+
+# Wireguard (use for the 'server' only)
+define vpn = wg0
+define wan = eth0
+define vpn_net = 10.2.0.0/24

 table inet filter {
 	chain libvirt_input {
@ -46,6 +51,18 @@ table inet filter {
 		iifname "virbr0" counter reject with icmpx type port-unreachable
 	}

+    chain wireguard_input {
+        # Allow WireGuard clients to access DNS
+        iifname $vpn udp dport 53 ct state new counter accept
+
+        # Allow VPN clients to communicate with each other
+        iifname $vpn oifname $vpn ct state new accept
+    }
+
+    chain wireguard_forward {
+        iifname $vpn oifname $wan ct state new accept
+    }
+
 	# Default to drop all inbound traffic, unless they meet the criteria
 	chain input {
 		type filter hook input priority 0; policy drop;
@ -75,6 +92,7 @@ table inet filter {
 		iif != lo ip6 daddr ::1/128 counter drop

 		counter jump libvirt_input
+        counter jump wireguard_input

 		# Accept user-defined ports
 		#tcp dport $ACCEPT_TCP_PORTS ct state new counter accept
@ -134,6 +152,7 @@ table inet filter {
 		oif != lo ip6 daddr ::1/128 counter drop

 		counter jump libvirt_forward
+        counter jump wireguard_forward

 		counter comment "Count dropped packets"
 		#log prefix "[nftables] Forward Denied: " flags all counter drop
@ -152,8 +171,15 @@ table inet nat {
 		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
 	}

+    chain wireguard_postrouting {
+        # Masquerade WireGuard traffic
+        # All WireGuard traffic will look like it comes from the servers IP address
+        oifname $wan ip saddr $vpn_net counter masquerade
+    }
+
 	chain postrouting {
 		type nat hook postrouting priority 100; policy accept;
 		counter jump libvirt_postrouting
+        counter jump wireguard_postrouting
 	}
 }