diff --git a/filter.nft b/filter.nft
index e459ac5..8860a68 100644
--- a/filter.nft
+++ b/filter.nft
@@ -30,6 +30,7 @@ table ip filter {
 type filter hook input priority filter; policy drop;
 ct state vmap { invalid : drop, related : accept, established : accept };
 iifname "lo" accept;
+ icmp type echo-request accept;
 tcp dport @allowed_tcp_ports accept;
 udp dport @allowed_udp_ports_in accept;
 }
@@ -39,14 +40,15 @@ table ip filter {
 comment "this routes vpn traffic";
 ct state related,established accept;
 iifname "tun0" oifname "eth0" accept;
-
 }
 chain out {
 type filter hook output priority filter; policy drop;
 udp dport @allowed_udp_ports_out accept;
 oifname "lo" accept;
+ icmp type echo-reply accept;
 }
 }
 include "./nat.nft"
+
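Review bot: The added `icmp type echo-request accept;` in the input-hook chain matches every interface and source address and has no rate limit, so on this otherwise policy-drop host anyone who can reach it can make it process pings at line rate and elicit a reply for each one. A bounded form such as `icmp type echo-request limit rate 5/second accept;` (the rate is an illustrative value) keeps reachability checks working while capping that load, and an `iifname` match would narrow it further if only one side needs to ping the box. A short comment stating why ping is opened, e.g. `# allow ping for monitoring`, would also help the next reader. The chain's opening line is outside the hunk, and the table is `ip` only, so ICMPv6 echo handling cannot be judged from here.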
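Review bot: `icmp type echo-reply accept;` in `chain out` is a stateless match, so it lets the host send any echo-reply, not only answers to echo-requests that the input chain accepted. Conntrack tracks ICMP echo exchanges, so `icmp type echo-reply ct state established accept;` would pass the same legitimate replies while leaving unsolicited echo-replies under the drop policy, which matters because outbound ICMP with arbitrary payload is a known egress path. Alternatively a general `ct state established,related accept;` at the top of `chain out`, matching what the other two chains already do, would cover this case without a dedicated ICMP rule. As shown, `chain out` has no established-state rule at all, so it is worth confirming how replies for the accepted `@allowed_tcp_ports` traffic leave the host.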