
89af820ef18cbf36e893269d84dcb61cbed0c956 — Damien Tardy-Panis 3 months ago f5c33bb
system-config: update nftables rules to allow forwarding WireGuard traffic
2 files changed, 19 insertions(+), 1 deletions(-)

M builds/system-config/APKBUILD
M builds/system-config/files/etc/nftables.nft
M builds/system-config/APKBUILD => builds/system-config/APKBUILD +1 -1
@@ 1,6 1,6 @@
# Maintainer: Damien Tardy-Panis <damien.dev@tardypad.me>
pkgname="system-config"
pkgver=9
pkgver=10
pkgrel=0
pkgdesc="System configurations"
url="https://sr.ht/~tardypad/alpine-system/"

M builds/system-config/files/etc/nftables.nft => builds/system-config/files/etc/nftables.nft +18 -0
@@ 39,5 39,23 @@ table inet filter {

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state { established, related } accept \
        comment "Accept traffic originated from us"

        ct state invalid drop \
        comment "Early drop of invalid connections"

        iifname wg0 oifname eth0 ct state new accept \
        comment "Allow WireGuard traffic to access the Internet"
    }
}

table ip router {
    chain postrouting {
        type nat hook postrouting priority 100;

        oifname eth0 ip saddr 192.168.144.0/24 masquerade \
        comment "Masquerade WireGuard traffic to look like it comes from the server itself"
    }
}
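Review bot: The forward accept on the `iifname wg0 oifname eth0 ct state new accept` line matches any source address that comes out of the tunnel, while the masquerade rule in `table ip router` only rewrites `ip saddr 192.168.144.0/24`, so the two rules do not agree on what is being forwarded: the filter table is `inet` and the NAT table is `ip`-only, so any IPv6 (or IPv4 outside that /24, to the extent the peers' AllowedIPs permit it) from wg0 would be forwarded onto eth0 with its original, unmasqueraded source. Pinning the forward rule to the same prefix closes that gap: `iifname wg0 oifname eth0 ip saddr 192.168.144.0/24 ct state new accept \`. The rule's comment says the traffic is allowed "to access the Internet", but nothing excludes private destinations reachable via eth0; if hosts on that side should stay out of reach of VPN peers, a `ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop` placed before the accept would match the stated intent, or the comment should be narrowed to what the rule actually does. Whether `net.ipv4.ip_forward` is enabled is not visible in this package and presumably lives elsewhere in the system config.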