
89af820e Damien Tardy-Panis system-config: update nftables rules to allow forwarding WireGuard traffic 5 months ago
                                                                                
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
#!/usr/sbin/nft -f

# Start from an empty ruleset: this discards every existing table on the host,
# including any installed by other tools, so this file is the sole source of truth.
flush ruleset

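# Packet filter for both IPv4 and IPv6 (inet family). Both chains default to
# drop, so every allowed flow must be listed explicitly below.
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iifname lo accept \
        comment "Accept any localhost traffic"

        ct state { established, related } accept \
        comment "Accept traffic originated from us"

        ct state invalid drop \
        comment "Early drop of invalid connections"

        # NOTE(review): in an inet table this rule matches IPv4 ICMP only. If the
        # host has IPv6 configured, ICMPv6 (including neighbour discovery) falls
        # through to the drop policy and needs its own accept rule -- confirm.
        ip protocol icmp icmp type {
            echo-reply,  # type 0
            destination-unreachable,  # type 3
            echo-request,  # type 8
            time-exceeded,  # type 11
            parameter-problem,  # type 12
        } accept \
        comment "Accept some ICMP types"

        tcp dport 11235 accept \
        comment "Accept SSH on non default port"

        tcp dport { http, https } accept \
        comment "Accept HTTP"

        tcp dport 1965 accept \
        comment "Accept Gemini"

        udp dport 51820 accept \
        comment "Accept WireGuard"
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state { established, related } accept \
        comment "Accept traffic originated from us"

        ct state invalid drop \
        comment "Early drop of invalid connections"

        # Only forward new flows whose source is in the WireGuard subnet, so the
        # packets accepted here are exactly those masqueraded in table ip router.
        # Without the saddr match, a wg0 packet with any other source would be
        # forwarded out eth0 with its source address unrewritten.
        # Assumes the peers' AllowedIPs live in 192.168.144.0/24 -- confirm.
        iifname wg0 oifname eth0 ip saddr 192.168.144.0/24 ct state new accept \
        comment "Allow WireGuard traffic to access the Internet"
    }
}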

# IPv4-only NAT table: rewrites the source address of tunnel clients so their
# traffic leaves eth0 as if it came from this server.
table ip router {
    chain postrouting {
        # Source NAT runs after the routing decision; 100 is the usual srcnat slot.
        type nat hook postrouting priority 100;

        # Clients in the WireGuard subnet going out via eth0 get eth0's address
        # as their source; conntrack reverses the mapping for the replies.
        ip saddr 192.168.144.0/24 oifname eth0 masquerade comment "Masquerade WireGuard traffic to look like it comes from the server itself"
    }
}