f14d4f8f33
- Replace hybrid iptables/ipset/nftables approach with pure nftables - Add nftables native set for Russian IP ranges (populated from RIPE) - Create update-direct-routes.sh script to load IP ranges from RIPE database - Remove ipset and iptables dependencies from postup.sh/postdown.sh - Add automatic weekly cron job for IP range updates - Update all documentation to reflect the new approach Benefits: - More reliable: no iptables/nftables conflicts - Simpler debugging: single tool for all rules (nft list ruleset) - Atomic rule loading: prevents partial failures - IP-based routing is more predictable than DNS-based Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
89 lines
2.2 KiB
Plaintext
89 lines
2.2 KiB
Plaintext
#!/usr/sbin/nft -f
|
|
#
|
|
# RU VDS nftables configuration
|
|
#
|
|
# Routing approach:
|
|
# - dnsmasq populates the 'direct' nftables set via helper script
|
|
# - nftables marks packets for policy routing
|
|
# - No iptables dependency
|
|
#
|
|
|
|
flush ruleset
|
|
|
|
table inet filter {
|
|
chain input {
|
|
type filter hook input priority 0; policy drop;
|
|
|
|
# Allow established connections
|
|
ct state established,related accept
|
|
|
|
# Allow loopback
|
|
iif lo accept
|
|
|
|
# Allow SSH (adjust port if needed)
|
|
tcp dport 22 accept
|
|
|
|
# Allow WireGuard from anywhere (user connections)
|
|
udp dport 51820 accept
|
|
|
|
# Allow DNS from VPN clients only
|
|
iifname "wg0" udp dport 53 accept
|
|
iifname "wg0" tcp dport 53 accept
|
|
|
|
# Allow ICMP
|
|
icmp type echo-request accept
|
|
}
|
|
|
|
chain forward {
|
|
type filter hook forward priority 0; policy drop;
|
|
|
|
# Allow forwarding from user VPN
|
|
iifname "wg0" accept
|
|
|
|
# Allow forwarding from DE tunnel
|
|
iifname "wg1" accept
|
|
|
|
# Allow established connections
|
|
ct state established,related accept
|
|
}
|
|
|
|
chain output {
|
|
type filter hook output priority 0; policy accept;
|
|
}
|
|
}
|
|
|
|
table ip vpn-routing {
|
|
# Set for Russian domain IPs (direct routing, no proxy)
|
|
# Populated by dnsmasq via /etc/wireguard/nft-set-add.sh
|
|
# Auto-expires entries after 6 hours
|
|
set direct {
|
|
type ipv4_addr
|
|
flags timeout
|
|
timeout 6h
|
|
}
|
|
|
|
# Packet marking chain for policy routing
|
|
chain prerouting {
|
|
type filter hook prerouting priority mangle; policy accept;
|
|
|
|
# Only process traffic from VPN clients
|
|
ip saddr != 10.10.0.0/24 return
|
|
|
|
# Destinations in 'direct' set: no mark (direct routing)
|
|
ip daddr @direct return
|
|
|
|
# Everything else: mark for proxy routing via DE tunnel
|
|
meta mark set 0x1
|
|
}
|
|
}
|
|
|
|
table inet nat {
|
|
chain postrouting {
|
|
type nat hook postrouting priority 100;
|
|
|
|
# NAT traffic going out to internet directly (not via wg1 tunnel)
|
|
# Traffic via wg1 will be NATed by DE VDS
|
|
oifname != "wg0" oifname != "wg1" ip saddr 10.10.0.0/24 masquerade
|
|
}
|
|
}
|