Example nftables.conf for a wireguard "server"
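table inet filter {
	chain inbound {
		type filter hook input priority 0
		policy drop
		# Conntrack-invalid packets are dropped before the state accept so they
		# cannot ride on an existing flow.
		ct state invalid counter drop
		ct state { established, related } counter accept
		ip protocol icmp counter accept
		ip6 nexthdr ipv6-icmp counter accept
		# DHCPv6 client traffic between link-local addresses. DHCPv6 is UDP only
		# (ports 546/547), so the original's tcp variant of this rule never
		# matched legitimate traffic and has been removed to keep the accept
		# surface minimal.
		ip6 saddr fe80::/10 ip6 daddr fe80::/10 udp dport dhcpv6-client counter accept
		iifname lo counter accept
		# Wireguard listening ports/ips: udp/53 is accepted only when addressed
		# to the two listed endpoint addresses.
		udp dport 53 ip daddr 203.0.113.1 counter accept comment "Wireguard IPv4"
		udp dport 53 ip6 daddr 2001:db8::1 counter accept comment "Wireguard IPv6"
		# SSH Management: "jump" returns here when netadmins issues no verdict,
		# so SSH from any source not listed there falls through to the drop
		# policy.
		tcp dport 22 ip6 daddr 2001:db8::1 counter jump netadmins comment "SSH Management"
		# Counts everything that reaches the chain policy (drop).
		counter comment "policy"
	}
	chain outbound {
		type filter hook output priority 0
		policy accept
		# no rules: locally generated traffic is not restricted
		counter comment "policy"
	}
	# Sources allowed to reach the SSH management port; a packet not accepted
	# here returns to the calling chain.
	chain netadmins {
		ip6 saddr 2001:db8:aaaa::/64 counter accept comment "mgmt network"
	}
	chain forward {
		type filter hook forward priority 0
		policy drop
		ct state invalid counter drop
		ct state { established, related } counter accept
		ip protocol icmp counter accept
		ip6 nexthdr ipv6-icmp counter accept
		# Wireguard: each direction is dispatched with "goto", so the packet does
		# not return to this chain afterwards. Any other interface pair
		# (e.g. ens18 -> ens18) reaches the drop policy below.
		iifname wg0 oifname ens18 counter goto wg0_to_internet
		oifname wg0 iifname ens18 counter goto internet_to_wg0
		iifname wg0 oifname wg0 counter goto wg0_to_wg0
		counter comment "policy"
	}
	chain wg0_to_internet {
		# no rules
		# Prevent communication to private IPs unless allowed above
		ip daddr 10.0.0.0/8 counter drop
		ip daddr 172.16.0.0/12 counter drop
		ip daddr 192.168.0.0/16 counter drop
		# IPv6 counterpart of the RFC 1918 ranges above: unique-local addresses
		# (RFC 4193, fc00::/7) were not covered by the original.
		ip6 daddr fc00::/7 counter drop
		# Example internal networks
		ip6 daddr 2001:db8:aaaa::/64 counter drop
		counter accept comment "policy"
	}
	chain internet_to_wg0 {
		# Internet counts as "any"
		counter jump from_any_to_tunnel_peers
		ip6 saddr 2001:db8:aaaa::/64 tcp dport 22 counter accept comment "mgmt to wg peers"
		# Traffic in this chain travels ens18 -> wg0, so the management prefix
		# is the source, as in the SSH rule above. The original matched it as
		# "ip6 daddr", which presumably never matched here (wg0_to_internet
		# treats that prefix as living behind ens18); confirm the intended
		# direction before relying on this rule.
		ip6 saddr 2001:db8:aaaa::/64 udp dport 60000-61000 counter accept comment "mosh"
		counter drop comment "policy"
	}
	chain wg0_to_wg0 {
		# Wireguard peers counts as "any"
		counter jump from_any_to_tunnel_peers
		# no rules
		counter drop comment "policy"
	}
	# Rules that apply to traffic entering the tunnel from either side
	# (internet or another peer). Empty: the callers' drop verdict applies.
	chain from_any_to_tunnel_peers {
		# no rules
	}
}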
# /usr/lib/systemd/system/nftables.service
# Loads the ruleset before networking comes up and keeps the unit "active"
# afterwards so that reload and stop operate on the live ruleset.
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
# Ordered before network-pre.target so the filter is in place before any
# interface is configured.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# nft only needs to read the ruleset file: /usr, /boot and /etc are mounted
# read-only for the process and /home is made inaccessible.
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
# Reload flushes and re-includes inside a single nft invocation, so the
# replacement is applied as one transaction and there is no window with an
# empty ruleset.
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
# Stopping the unit removes every table: the host then runs with no packet
# filtering until the unit is started again.
ExecStop=/sbin/nft flush ruleset
# The oneshot exits immediately; RemainAfterExit keeps the unit active so
# that reload and stop are meaningful.
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target