Apr 072022
 

My LAN interfaces are ens3/ens8/ens9.

VPN tunnel set up using openvpn, gets dev tun0.

NFTables config file /etc/nftables.conf (do not forget to enable the nftables services):

flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state {established, related} accept
    ct state invalid drop
    iifname lo accept
    iifname ens3 accept
    iifname ens8 accept
    iifname ens9 accept
    ip protocol icmp accept
    tcp dport 22 accept comment "SSH in"
    tcp dport 80 accept comment "HTTP in"
    tcp dport 443 accept comment "HTTPS in"
    reject
  }
  chain forward {
    type filter hook forward priority 0;
    oifname tun0 accept
    iifname tun0 ct state related, established accept
    iifname tun0 drop
  }
  chain output {
    type filter hook output priority 0;
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  }
  chain postrouting {
    type nat hook postrouting priority 0;
    oifname tun0 masquerade
  }
}

Thanks to: https://superuser.com/questions/985800/complete-masquerading-nat-example-using-nftables-on-linux/1225109#1225109

 Posted by at 05:35

Sorry, the comment form is closed at this time.