diff --git a/system/etc/nftables.conf b/system/etc/nftables.conf
index 5ec2296..82def02 100644
--- a/system/etc/nftables.conf
+++ b/system/etc/nftables.conf
@@ -28,7 +28,12 @@ flush ruleset
 #define ACCEPT_TCP_PORTS = { 80, 443, 1965 }
 
 # UDP ports to accept (both IPv4 and IPv6)
-#define ACCEPT_UDP_PORTS = {}
+#define ACCEPT_UDP_PORTS = { 51820 }
+
+# Wireguard (use for the 'server' only)
+define vpn = wg0
+define wan = eth0
+define vpn_net = 10.2.0.0/24
 
 table inet filter {
 	chain libvirt_input {
@@ -46,6 +51,18 @@ table inet filter {
 		iifname "virbr0" counter reject with icmpx type port-unreachable
 	}
 
+	chain wireguard_input {
+		# Allow WireGuard clients to access DNS
+		iifname $vpn udp dport 53 ct state new counter accept
+
+		# Allow VPN clients to communicate with each other
+		iifname $vpn oifname $vpn ct state new accept
+	}
+
+	chain wireguard_forward {
+		iifname $vpn oifname $wan ct state new accept
+	}
+
 	# Default to drop all inbound traffic, unless they meet the criteria
 	chain input {
 		type filter hook input priority 0; policy drop;
@@ -75,6 +92,7 @@ table inet filter {
 		iif != lo ip6 daddr ::1/128 counter drop
 
 		counter jump libvirt_input
+		counter jump wireguard_input
 
 		# Accept user-defined ports
 		#tcp dport $ACCEPT_TCP_PORTS ct state new counter accept
@@ -134,6 +152,7 @@ table inet filter {
 		oif != lo ip6 daddr ::1/128 counter drop
 
 		counter jump libvirt_forward
+		counter jump wireguard_forward
 
 		counter comment "Count dropped packets"
 		#log prefix "[nftables] Forward Denied: " flags all counter drop
@@ -152,8 +171,15 @@ table inet nat {
 		ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
 	}
 
+	chain wireguard_postrouting {
+		# Masquerade WireGuard traffic
+		# All WireGuard traffic will look like it comes from the servers IP address
+		oifname $wan ip saddr $vpn_net counter masquerade
+	}
+
 	chain postrouting {
 		type nat hook postrouting priority 100; policy accept;
 		counter jump libvirt_postrouting
+		counter jump wireguard_postrouting
 	}
 }
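Review bot: The new `#define ACCEPT_UDP_PORTS = { 51820 }` is still a comment (leading `#`), so nothing in this change accepts inbound UDP 51820 on the input chain, whose policy is drop; unless a rule outside the diff does so, WireGuard handshakes arriving on the WAN are dropped and the server side of this config cannot come up. Either uncomment the define together with the matching `udp dport $ACCEPT_UDP_PORTS ct state new counter accept` rule (its TCP counterpart `#tcp dport $ACCEPT_TCP_PORTS ...` in a later hunk is commented out as well), or add an explicit `iifname $wan udp dport 51820 ct state new counter accept` to wireguard_input so the listener is only reachable on the intended interface. The comment `# Wireguard (use for the 'server' only)` reads as if the three defines were conditional, but nft evaluates them unconditionally; `# WireGuard server role: tunnel interface, uplink and client subnet (unused on peer-only hosts)` says what they actually are.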
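Review bot: `iifname $vpn oifname $vpn ct state new accept` is placed in wireguard_input, which is only reached from the input hook, where a packet has no output interface; the rule therefore either never matches or is rejected by nft at load time, so it does not provide the client-to-client reachability the comment promises. Traffic between VPN clients is forwarded rather than delivered locally, so the rule belongs in wireguard_forward as `iifname $vpn oifname $vpn ct state new counter accept`. Both new accept rules also omit `counter`, unlike every other rule in this file, leaving the jump counters at the call sites as the only visibility into VPN traffic. The DNS rule matches UDP 53 only; if the clients resolve through a local resolver, the TCP 53 fallback for truncated answers is probably needed too — confirm against the resolver setup.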
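Review bot: The comment in wireguard_postrouting understates the rule's scope and has a typo: `oifname $wan ip saddr $vpn_net counter masquerade` rewrites only IPv4 (`ip saddr`), so any IPv6 the tunnel carries leaves unmasqueraded, and "servers" should be "server's". Suggested wording: `# Masquerade IPv4 from the VPN subnet leaving via the uplink; it appears to come from the server's WAN address (IPv6 is not masqueraded)`. The chain is correctly reached via the added `counter jump wireguard_postrouting` in postrouting.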