Migrate to pure nftables routing (remove iptables/ipset)

- Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-19 18:02:28 +03:00
parent b117efc604
commit f14d4f8f33
13 changed files with 461 additions and 264 deletions
--- a/PRE_DEPLOYMENT_CHECKLIST.md
+++ b/PRE_DEPLOYMENT_CHECKLIST.md
@@ -169,15 +169,12 @@ systemctl stop dnsmasq
 # Start systemd-resolved if it was stopped
 systemctl start systemd-resolved

-# Flush firewall (same as above)
+# Flush firewall
 nft flush ruleset
-iptables -F
-iptables -X
-iptables -t nat -F
-iptables -t nat -X
-iptables -P INPUT ACCEPT
-iptables -P FORWARD ACCEPT
-iptables -P OUTPUT ACCEPT
+
+# Remove policy routing
+ip rule del from 10.10.0.0/24 fwmark 0x1 table proxy 2>/dev/null || true
+ip route flush table proxy 2>/dev/null || true
 ```

 ## Post-Deployment Preparation