
f91e8d6b5f7e1ca8f800fc0823baaba7503f83ee — Damien Tardy-Panis 3 months ago 89af820
system-config: minor style changes in nftables rules

- put each statement on its own line
- use variables
2 files changed, 12 insertions(+), 6 deletions(-)

M builds/system-config/APKBUILD
M builds/system-config/files/etc/nftables.nft
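--- a/builds/system-config/APKBUILD
+++ b/builds/system-config/APKBUILD
@@ -1,6 +1,6 @@
 # Maintainer: Damien Tardy-Panis <damien.dev@tardypad.me>
 pkgname="system-config"
-pkgver=10
+pkgver=11
 pkgrel=0
 pkgdesc="System configurations"
 url="https://sr.ht/~tardypad/alpine-system/"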
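--- a/builds/system-config/files/etc/nftables.nft
+++ b/builds/system-config/files/etc/nftables.nft
@@ -2,9 +2,14 @@
 
 flush ruleset
 
+define wan = eth0
+define vpn = wg0
+define vpn_net = 192.168.144.0/24
+
 table inet filter {
     chain input {
-        type filter hook input priority 0; policy drop;
+        type filter hook input priority 0
+        policy drop
 
         iifname lo accept \
         comment "Accept any localhost traffic"
@@ -38,7 +43,8 @@ table inet filter {
     }
 
     chain forward {
-        type filter hook forward priority 0; policy drop;
+        type filter hook forward priority 0
+        policy drop
 
         ct state { established, related } accept \
         comment "Accept traffic originated from us"
@@ -46,16 +52,16 @@ table inet filter {
         ct state invalid drop \
         comment "Early drop of invalid connections"
 
-        iifname wg0 oifname eth0 ct state new accept \
+        iifname $vpn oifname $wan ct state new accept \
         comment "Allow WireGuard traffic to access the Internet"
     }
 }
 
 table ip router {
     chain postrouting {
-        type nat hook postrouting priority 100;
+        type nat hook postrouting priority 100
 
-        oifname eth0 ip saddr 192.168.144.0/24 masquerade \
+        oifname $wan ip saddr $vpn_net masquerade \
         comment "Masquerade WireGuard traffic to look like it comes from the server itself"
     }
 }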
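Review bot: The forward accept on the `iifname $vpn oifname $wan ct state new accept` line is not tied to `$vpn_net`, while the masquerade in `table ip router` only rewrites IPv4 sources inside `$vpn_net`; since `table inet filter` matches both address families, any IPv6 traffic (or IPv4 outside `$vpn_net`, should the WireGuard AllowedIPs ever be widened) arriving on wg0 would be forwarded out eth0 without NAT. Now that the variable exists, the two rules can be kept in step with `iifname $vpn oifname $wan ip saddr $vpn_net ct state new accept \`. WireGuard's cryptokey routing already drops packets whose source is outside a peer's AllowedIPs, so this is defense in depth that keeps the filter and NAT rules consistent rather than a hole on its own. The input chain rules between the first and second hunk are not shown, so I cannot tell whether they still use the literal interface names the new defines replace.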