🔐 Karlo Luiten

Think Evil, DO Good

Uncategorized

Debian VM as GW routing through VPN (tun) with nftables

By karlo

My LAN interfaces are ens3/ens8/ens9.

VPN tunnel set up using openvpn, gets dev tun0.

NFTables config file /etc/nftables.conf (do not forget to enable the nftables services):

flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state {established, related} accept
    ct state invalid drop
    iifname lo accept
    iifname ens3 accept
    iifname ens8 accept
    iifname ens9 accept
    ip protocol icmp accept
    tcp dport 22 accept comment "SSH in"
    tcp dport 80 accept comment "HTTP in"
    tcp dport 443 accept comment "HTTPS in"
    reject
  }
  chain forward {
    type filter hook forward priority 0;
    oifname tun0 accept
    iifname tun0 ct state related, established accept
    iifname tun0 drop
  }
  chain output {
    type filter hook output priority 0;
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority 0;
  }
  chain postrouting {
    type nat hook postrouting priority 0;
    oifname tun0 masquerade
  }
}

Thanks to: https://superuser.com/questions/985800/complete-masquerading-nat-example-using-nftables-on-linux/1225109#1225109

By karlo

Related Post

Uncategorized

Elasticsearch start fail on debian 11 after install from ES repos

karlo
Uncategorized

Apache2 (apache) forward https headers

karlo
Uncategorized

Postgres read long lines (wrap text)

karlo

Posts

Woocommerce

Woocommerce: make address optional

Victron

Victron ESS console behind apache2 proxy

CLI and tools

Python upgrade venv python binary/version

CLI and tools Debian Linux

Git use different ssh key once