56 lines
1.3 KiB
Plaintext
56 lines
1.3 KiB
Plaintext
#!/usr/sbin/nft -f
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# Allow established connections
|
|
ct state established,related accept
|
|
|
|
# Allow loopback
|
|
iif lo accept
|
|
|
|
# Allow SSH (adjust port if needed)
|
|
tcp dport 22 accept
|
|
|
|
# Allow WireGuard from anywhere (user connections)
|
|
udp dport 51820 accept
|
|
|
|
# Allow DNS from VPN clients only
|
|
iifname "wg0" udp dport 53 accept
|
|
iifname "wg0" tcp dport 53 accept
|
|
|
|
# Allow ICMP
|
|
icmp type echo-request accept
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
|
|
# Allow forwarding from user VPN
|
|
iifname "wg0" accept
|
|
|
|
# Allow forwarding from DE tunnel
|
|
iifname "wg1" accept
|
|
|
|
# Allow established connections
|
|
ct state established,related accept
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy accept;
|
|
}
|
|
}
|
|
|
|
table inet nat {
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100;
|
|
|
|
# NAT direct traffic going out main interface
|
|
# Traffic going through wg1 doesn't need NAT (DE VDS will NAT it)
|
|
oifname != "wg0" oifname != "wg1" ip saddr 10.10.0.0/24 masquerade
|
|
}
|
|
}
|