configs/ru-vds/nftables.conf

#!/usr/sbin/nft -f
#
# RU VDS nftables configuration
#
# Routing approach:
# - dnsmasq populates the 'direct' nftables set via helper script
# - nftables marks packets for policy routing
# - No iptables dependency
#

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Allow established connections
        ct state established,related accept

        # Allow loopback
        iif lo accept

        # Allow SSH (adjust port if needed)
        tcp dport 22 accept

        # Allow WireGuard from anywhere (user connections)
        udp dport 51820 accept

        # Allow DNS from VPN clients only
        iifname "wg0" udp dport 53 accept
        iifname "wg0" tcp dport 53 accept

        # Allow ICMP
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow forwarding from user VPN
        iifname "wg0" accept

        # Allow forwarding from DE tunnel
        iifname "wg1" accept

        # Allow established connections
        ct state established,related accept
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip vpn-routing {
    # Set for Russian domain IPs (direct routing, no proxy)
    # Populated by dnsmasq via /etc/wireguard/nft-set-add.sh
    # Auto-expires entries after 6 hours
    set direct {
        type ipv4_addr
        flags timeout
        timeout 6h
    }

    # Packet marking chain for policy routing
    chain prerouting {
        type filter hook prerouting priority mangle; policy accept;

        # Only process traffic from VPN clients
        ip saddr != 10.10.0.0/24 return

        # Destinations in 'direct' set: no mark (direct routing)
        ip daddr @direct return

        # Everything else: mark for proxy routing via DE tunnel
        meta mark set 0x1
    }
}

table inet nat {
    chain postrouting {
        type nat hook postrouting priority 100;

        # NAT traffic going out to internet directly (not via wg1 tunnel)
        # Traffic via wg1 will be NATed by DE VDS
        oifname != "wg0" oifname != "wg1" ip saddr 10.10.0.0/24 masquerade
    }
}
Init 2026-02-02 20:11:05 +03:00			`#!/usr/sbin/nft -f`
Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			`#`
			`# RU VDS nftables configuration`
			`#`
			`# Routing approach:`
			`# - dnsmasq populates the 'direct' nftables set via helper script`
			`# - nftables marks packets for policy routing`
			`# - No iptables dependency`
			`#`
Init 2026-02-02 20:11:05 +03:00
			`flush ruleset`

			`table inet filter {`
			`chain input {`
			`type filter hook input priority 0; policy drop;`

			`# Allow established connections`
			`ct state established,related accept`

			`# Allow loopback`
			`iif lo accept`

			`# Allow SSH (adjust port if needed)`
			`tcp dport 22 accept`

			`# Allow WireGuard from anywhere (user connections)`
			`udp dport 51820 accept`

			`# Allow DNS from VPN clients only`
			`iifname "wg0" udp dport 53 accept`
			`iifname "wg0" tcp dport 53 accept`

			`# Allow ICMP`
			`icmp type echo-request accept`
			`}`

			`chain forward {`
			`type filter hook forward priority 0; policy drop;`

			`# Allow forwarding from user VPN`
			`iifname "wg0" accept`

			`# Allow forwarding from DE tunnel`
			`iifname "wg1" accept`

			`# Allow established connections`
			`ct state established,related accept`
			`}`

			`chain output {`
			`type filter hook output priority 0; policy accept;`
			`}`
			`}`

Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			`table ip vpn-routing {`
			`# Set for Russian domain IPs (direct routing, no proxy)`
			`# Populated by dnsmasq via /etc/wireguard/nft-set-add.sh`
			`# Auto-expires entries after 6 hours`
			`set direct {`
			`type ipv4_addr`
			`flags timeout`
			`timeout 6h`
			`}`

			`# Packet marking chain for policy routing`
			`chain prerouting {`
			`type filter hook prerouting priority mangle; policy accept;`

			`# Only process traffic from VPN clients`
			`ip saddr != 10.10.0.0/24 return`

			`# Destinations in 'direct' set: no mark (direct routing)`
			`ip daddr @direct return`

			`# Everything else: mark for proxy routing via DE tunnel`
			`meta mark set 0x1`
			`}`
			`}`

Init 2026-02-02 20:11:05 +03:00			`table inet nat {`
			`chain postrouting {`
			`type nat hook postrouting priority 100;`

Migrate to pure nftables routing (remove iptables/ipset) - Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-19 18:02:28 +03:00			`# NAT traffic going out to internet directly (not via wg1 tunnel)`
			`# Traffic via wg1 will be NATed by DE VDS`
Init 2026-02-02 20:11:05 +03:00			`oifname != "wg0" oifname != "wg1" ip saddr 10.10.0.0/24 masquerade`
			`}`
			`}`