Amazing-Mirror/FollieHiyuki-dotfiles
Amazing-Mirror/FollieHiyuki-dotfiles
1
0
Fork 0
mirror of https://git.disroot.org/FollieHiyuki/dotfiles.git synced 2024-11-25 00:38:23 -05:00
Code Issues Projects Releases Wiki Activity

nftables: add wireguard rules template

Browse Source
This commit is contained in:
FollieHiyuki 2021-08-11 18:03:37 +03:00
parent c4aa156dd1
commit 7a33971f18
No known key found for this signature in database
GPG Key ID: 813CF484F4993419
1 changed files with 27 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
system/etc/nftables.conf
View File

@ -28,7 +28,12 @@ flush ruleset
#define ACCEPT_TCP_PORTS = { 80, 443, 1965 } #define ACCEPT_TCP_PORTS = { 80, 443, 1965 }
# UDP ports to accept (both IPv4 and IPv6) # UDP ports to accept (both IPv4 and IPv6)
#define ACCEPT_UDP_PORTS = {} #define ACCEPT_UDP_PORTS = { 51820 }
# Wireguard (use for the 'server' only)
define vpn = wg0
define wan = eth0
define vpn_net = 10.2.0.0/24
table inet filter { table inet filter {
chain libvirt_input { chain libvirt_input {
@ -46,6 +51,18 @@ table inet filter {
iifname "virbr0" counter reject with icmpx type port-unreachable iifname "virbr0" counter reject with icmpx type port-unreachable
} }
chain wireguard_input {
# Allow WireGuard clients to access DNS
iifname $vpn udp dport 53 ct state new counter accept
# Allow VPN clients to communicate with each other
iifname $vpn oifname $vpn ct state new accept
}
chain wireguard_forward {
iifname $vpn oifname $wan ct state new accept
}
# Default to drop all inbound traffic, unless they meet the criteria # Default to drop all inbound traffic, unless they meet the criteria
chain input { chain input {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
@ -75,6 +92,7 @@ table inet filter {
iif != lo ip6 daddr ::1/128 counter drop iif != lo ip6 daddr ::1/128 counter drop
counter jump libvirt_input counter jump libvirt_input
counter jump wireguard_input
# Accept user-defined ports # Accept user-defined ports
#tcp dport $ACCEPT_TCP_PORTS ct state new counter accept #tcp dport $ACCEPT_TCP_PORTS ct state new counter accept
@ -134,6 +152,7 @@ table inet filter {
oif != lo ip6 daddr ::1/128 counter drop oif != lo ip6 daddr ::1/128 counter drop
counter jump libvirt_forward counter jump libvirt_forward
counter jump wireguard_forward
counter comment "Count dropped packets" counter comment "Count dropped packets"
#log prefix "[nftables] Forward Denied: " flags all counter drop #log prefix "[nftables] Forward Denied: " flags all counter drop
@ -152,8 +171,15 @@ table inet nat {
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
} }
chain wireguard_postrouting {
# Masquerade WireGuard traffic
# All WireGuard traffic will look like it comes from the servers IP address
oifname $wan ip saddr $vpn_net counter masquerade
}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; policy accept; type nat hook postrouting priority 100; policy accept;
counter jump libvirt_postrouting counter jump libvirt_postrouting
counter jump wireguard_postrouting
} }
} }