@nerdalert
Created September 22, 2023 19:41

# Final working configuration with fwmark set on the WireGuard interface

# Public key and endpoint of the remote WireGuard peer; route everything (0.0.0.0/0) to it.
REMOTE_KEY=6/CwH/gzz9jdKnxeVpWFivycFQMBkniLeBNFQq0+f04=
sudo wg set wg0 peer "$REMOTE_KEY" allowed-ips 0.0.0.0/0 persistent-keepalive 25 endpoint 54.227.102.183:41823

# Enable src_valid_mark on all interfaces so reverse-path filtering takes the firewall mark into account. This is required for routing marked packets properly with WireGuard.
sudo sysctl -q net.ipv4.conf.all.src_valid_mark=1
# Add a rule to the routing policy database (RPDB): "If a packet does not carry the firewall mark 51820 (WireGuard's own encapsulated UDP), look up routing table 51820."
# Note: each `ip rule add` without an explicit priority is inserted ahead of the previously added rule, so these rules are evaluated in the reverse of the order they are added here.
sudo ip -4 rule add not fwmark 51820 table 51820
# Add a rule that consults the main table but rejects any route whose prefix length is 0 or less, i.e. the main table's default route. Directly connected and other specific routes (the local LAN) still win; everything else falls through to the next rule. This is the same mechanism wg-quick uses.
sudo ip -4 rule add table main suppress_prefixlength 0
# Add a default route to routing table 51820 so that all traffic reaching this table is sent through the WireGuard interface (wg0).
sudo ip -4 route add 0.0.0.0/0 dev wg0 table 51820


# Nftables/Iptables

# Create an nftables table nexodus-stun-mangle with an OUTPUT chain of type route. A route-type chain re-runs the routing decision after the mark is set, which is what lets the rules below steer these packets. The rule sets mark 0x4B66 on packets with UDP destination port 19302 (STUN).
sudo nft add table ip nexodus-stun-mangle
sudo nft add chain ip nexodus-stun-mangle OUTPUT { type route hook output priority mangle\; policy accept\; }
# 0x4B66 is 19302 in decimal, the same value matched by the fwmark 19302 rule below.
sudo nft add rule ip nexodus-stun-mangle OUTPUT meta l4proto udp udp dport 19302 counter mark set 0x4B66
# These commands create an nftables table nexodus-stun-snat and a chain POSTROUTING within it. The purpose of this chain is to perform source NAT (SNAT) for outgoing packets. It adds a rule that applies masquerading (SNAT) to packets going out through the enp0s1 interface.
sudo nft add table ip nexodus-stun-snat
sudo nft add chain ip nexodus-stun-snat POSTROUTING { type nat hook postrouting priority srcnat\; policy accept\; }
sudo nft add rule ip nexodus-stun-snat POSTROUTING oifname "enp0s1" counter masquerade
# This command adds a default route to the routing table 19302, which says that all traffic should be sent through the enp0s1 interface with a gateway at 192.168.64.1.
sudo ip -4 route add 0.0.0.0/0 table 19302 via 192.168.64.1 dev enp0s1
# Add a rule to the RPDB: "If a packet carries the firewall mark 19302, look up routing table 19302." Because it is added last, it is evaluated first, so marked STUN packets (destination port 19302) bypass the tunnel via the custom routing table created above.
sudo ip -4 rule add fwmark 19302 table 19302
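The following is an added Python model (not part of the gist) of the RPDB decision these rules produce, useful for reasoning about which interface a packet takes before touching a live host. It assumes the WireGuard fwmark is 51820 (matching the `not fwmark 51820` rule), that the LAN prefix on enp0s1 is 192.168.64.0/24 (inferred from the gateway 192.168.64.1), and rule priorities 32763-32766 as assigned by adding rules without explicit priority.

```python
from ipaddress import ip_address, ip_network

WG_MARK = 51820      # assumed: set with `wg set wg0 fwmark 51820`
STUN_MARK = 0x4B66   # == 19302, set by the nft mangle rule on udp dport 19302

# Routing tables as (prefix, device); the main table's LAN route is an assumption.
TABLES = {
    "main": [(ip_network("0.0.0.0/0"), "enp0s1"),
             (ip_network("192.168.64.0/24"), "enp0s1")],
    51820: [(ip_network("0.0.0.0/0"), "wg0")],
    19302: [(ip_network("0.0.0.0/0"), "enp0s1")],
}

# RPDB rules in evaluation order: (priority, match, table, suppress_prefixlength).
# Rules added last get the lowest priority number and are evaluated first.
RULES = [
    (32763, {"fwmark": STUN_MARK}, 19302, None),
    (32764, {}, "main", 0),           # table main suppress_prefixlength 0
    (32765, {"not_fwmark": WG_MARK}, 51820, None),
    (32766, {}, "main", None),        # the kernel's default main rule
]


def lookup(table, dst, suppress_prefixlength=None):
    """Longest-prefix match in one table; honour suppress_prefixlength."""
    best = None
    for prefix, dev in TABLES[table]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, dev)
    if best is None:
        return None
    # suppress_prefixlength N rejects results with prefix length N or less.
    if suppress_prefixlength is not None and best[0].prefixlen <= suppress_prefixlength:
        return None
    return best[1]


def route(dst, mark=0):
    """Walk the RPDB for a packet with the given destination and fwmark."""
    dst = ip_address(dst)
    for _prio, match, table, supp in RULES:
        if "fwmark" in match and mark != match["fwmark"]:
            continue
        if "not_fwmark" in match and mark == match["not_fwmark"]:
            continue
        dev = lookup(table, dst, supp)
        if dev is not None:
            return dev, table
    return None
```

Unmarked traffic to the Internet resolves to wg0 via table 51820, STUN-marked traffic to enp0s1 via table 19302, WireGuard's own marked UDP to enp0s1 via main, and LAN destinations to enp0s1 via main without ever reaching the tunnel rule.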

