nftables port forwarding + wireguard
# Server-side ruleset for forwarding two TCP ports from the external
# interface to a WireGuard peer. The inet family gives one chain set for
# IPv4 and IPv6. The packet mark is used to tag the DNATed flows so the
# forward chain (policy drop) can recognise them.
table inet nat {
    chain prerouting {
        type nat hook prerouting priority dstnat;
        # eth0 is assumed to be the external interface; only its traffic is
        # considered for port forwarding.
        iifname eth0 jump external-pre
    }

    chain external-pre {
        # Tag the forwarded ports. nat chains are only consulted for the first
        # packet of a connection, so the mark is present on that packet only;
        # later packets are matched by conntrack state in the forward chain.
        tcp dport { 8022, 8080 } mark set 1
        # Rewrite the destination to the peer's tunnel address, per family.
        # Service names (ssh, http) are resolved from /etc/services.
        tcp dport 8022 dnat ip to 10.200.200.2:ssh
        tcp dport 8022 dnat ip6 to [fd00::2]:ssh
        tcp dport 8080 dnat ip to 10.200.200.2:http
        tcp dport 8080 dnat ip6 to [fd00::2]:http
    }

    chain postrouting {
        type nat hook postrouting priority srcnat;
        # Uncomment to rewrite the source of the forwarded flows to this host's
        # wg0 address. Needed when the peer's AllowedIPs covers only the
        # WireGuard subnet: its cryptokey routing discards decrypted packets
        # whose source address is outside that range.
        # mark 1 masquerade
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Replies and later packets of already accepted flows.
        ct state established,related accept
        # First packet of a port-forwarded connection (tagged in external-pre).
        mark 1 accept
        # Everything the WireGuard peer sends is forwarded, whatever the
        # destination; narrow this (oifname, daddr) if the peer should not be
        # able to use this host as a general gateway.
        iifname wg0 accept
    }
}
; wg0.netdev - WireGuard client interface, read by systemd-networkd.
; Pairs with the .network file that assigns 10.200.200.2 / fd00::2 to wg0.
; Placeholders in <angle brackets> must be replaced before use.
[NetDev]
Name=wg0
Kind=wireguard
Description=Wireguard

[WireGuard]
; The key is stored inline. Anyone able to read this unit can read it;
; PrivateKeyFile= pointing at a root-only file keeps the secret out of the
; unit itself (the same applies to PresharedKeyFile= below).
PrivateKey=<private>

[WireGuardPeer]
PublicKey=<public>
PresharedKey=<preshared>
; Accept only the WireGuard subnet from this peer. With this setting the
; server must masquerade port-forwarded traffic, because cryptokey routing
; discards packets whose source address is outside AllowedIPs.
AllowedIPs=10.200.200.0/24, fd00::/120
; Alternative: accept anything from the peer. Only relevant when this host
; serves forwarded ports without masquerading on the server side.
; AllowedIPs=0.0.0.0/0, ::/0
Endpoint=<endpoint>
; Seconds between keepalive packets; keeps NAT/firewall mappings alive.
PersistentKeepalive=25
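; wg0.network - addresses and routes for the WireGuard client interface.
; Key/value spacing follows the systemd convention (Key=value) throughout;
; the original mixed "Key = value" with "GatewayOnlink=true".
[Match]
Name=wg0

[Network]
Address=10.200.200.2/24
Address=fd00::2/120

; Routes to the tunnel subnets via the server end (10.200.200.1 / fd00::1).
[Route]
Gateway=10.200.200.1
Destination=10.200.200.0/24
; Treat the gateway as directly reachable on wg0.
GatewayOnlink=true

[Route]
Gateway=fd00::1
Destination=fd00::/120

; Source policy routing: packets originating from this host's tunnel
; addresses are sent back through wg0 by default. Table 100 holds a route
; via the server with no Destination= (a default route); the rules below
; select that table by source address. This is what returns replies to
; port-forwarded connections through the tunnel when the server does not
; masquerade them.
[Route]
Gateway=10.200.200.1
Table=100

[RoutingPolicyRule]
From=10.200.200.2
Table=100

[Route]
Gateway=fd00::1
Table=100

[RoutingPolicyRule]
From=fd00::2
Table=100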