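#!/bin/bash
# WireGuard PostUp: create the 'direct' ipset, the 'proxy' policy-routing
# table and the packet marking that sends LAN (10.10.0.0/24) traffic not
# destined for the 'direct' set through the wg1 tunnel.
#
# Every step is written to be idempotent so the script can be re-run on
# every interface up without accumulating duplicate rules, and so that a
# genuine failure aborts the script instead of being hidden.
set -euo pipefail

# Source network subject to policy routing, and the fwmark / table /
# next hop that carry the tunnelled traffic.
readonly LAN_NET=10.10.0.0/24
readonly PROXY_MARK=0x1
readonly PROXY_TABLE=proxy
readonly PROXY_GW=10.20.0.2
readonly PROXY_DEV=wg1
readonly RULE_PRIO=100

# Create ipsets for routing decisions
# -exist makes 'create' a no-op when the set already exists; the flush then
# starts every run from an empty set.
ipset create direct hash:net -exist
ipset flush direct

# Add default route via DE tunnel for 'proxy' table
# 'replace' is add-or-update, so no '|| true' is needed and a real failure
# (unknown table, interface down) now aborts under set -e. Without this
# route, marked packets fall through the 'proxy' table to the main table
# and leave unproxied, so silently ignoring a failure here is unsafe.
ip route replace default via "$PROXY_GW" dev "$PROXY_DEV" table "$PROXY_TABLE"

# Policy routing: packets with fwmark 0x1 use 'proxy' table
# Delete any previous copy first so that 'add' is idempotent while its
# real errors still surface (the delete legitimately fails on first run).
ip rule del from "$LAN_NET" fwmark "$PROXY_MARK" table "$PROXY_TABLE" priority "$RULE_PRIO" 2>/dev/null || true
ip rule add from "$LAN_NET" fwmark "$PROXY_MARK" table "$PROXY_TABLE" priority "$RULE_PRIO"

# Load nftables rules
# Kept before the iptables rule below: if the config starts with
# 'flush ruleset' and iptables uses the nf_tables backend, anything added
# earlier would presumably be wiped — confirm against /etc/nftables.conf.
nft -f /etc/nftables.conf

# Mark packets NOT going to 'direct' ipset with fwmark 0x1
# This is needed because nftables + ipset integration is complex
# -C tests for an identical existing rule; insert only when absent so
# repeated runs do not stack duplicate MARK rules in PREROUTING.
mark_rule=(-m set ! --match-set direct dst -s "$LAN_NET" -j MARK --set-mark "$PROXY_MARK")
if ! iptables -t mangle -C PREROUTING "${mark_rule[@]}" 2>/dev/null; then
  iptables -t mangle -I PREROUTING "${mark_rule[@]}"
fi

echo "PostUp script completed successfully"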