diff --git a/defines.nft b/defines.nft
index 75853f2..17a6691 100644
--- a/defines.nft
+++ b/defines.nft
@@ -1,3 +1,6 @@
+# Networks
+define VPN_SUBNET = 10.8.0.0/24
+
 # TCP only services
 define SSH_PORT1 = 22
 define SSH_PORT2 = 8022
@@ -10,3 +13,4 @@ define DNS_PORT = 53
 # UDP only services
 define DHCP_IN_PORT = 67
 define DHCP_OUT_PORT = 68
+define OPENVPN_PORT = 1194
diff --git a/filter.nft b/filter.nft
index 4d8d8bd..03c934b 100644
--- a/filter.nft
+++ b/filter.nft
@@ -13,7 +13,7 @@ table ip filter {
 set allowed_udp_ports_in {
 type inet_service;
 flags constant;
- elements = { $DNS_PORT, $DHCP_IN_PORT }
+ elements = { $DNS_PORT, $DHCP_IN_PORT, $OPENVPN_PORT }
 }
 set allowed_udp_ports_out {
@@ -30,8 +30,13 @@ table ip filter {
 tcp dport @allowed_tcp_ports accept;
 udp dport @allowed_udp_ports_in accept;
 }
+ chain forward { type filter hook forward priority filter; policy drop;
+ comment "this routes vpn traffic";
+ ct state related,established accept;
+ iifname "tun0" oifname "eth0" accept;
+ }
 chain out {
@@ -40,3 +45,5 @@ table ip filter {
 oifname "lo" accept;
 }
 }
+
+include "./nat.nft"
diff --git a/nat.nft b/nat.nft
new file mode 100644
index 0000000..d3b28b5
--- /dev/null
+++ b/nat.nft
@@ -0,0 +1,12 @@
+table nat {
+ chain prerouting {
+ type nat hook prerouting priority 0;
+ comment "this is necessary even if empty";
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 100;
+ comment "enable NAT for VPN";
+ iifname "tun0" oifname "eth0" ip saddr $VPN_SUBNET masquerade;
+ }
+}
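Review bot: The postrouting masquerade is scoped to `ip saddr $VPN_SUBNET`, but the accept added to filter.nft's forward chain in the same commit (`iifname "tun0" oifname "eth0" accept;`) has no source match, so a packet arriving on tun0 with a source outside 10.8.0.0/24 is forwarded to eth0 untranslated. Giving the forward rule the same match, `iifname "tun0" oifname "eth0" ip saddr $VPN_SUBNET accept;`, keeps the two files in step; the forward hunk looks truncated in this rendering, so the rest of that chain is worth re-checking too. `table nat` relies on the implicit ip family where filter.nft spells out `table ip filter`; `table ip nat` would make the family explicit and consistent. The postrouting `priority 100` equals the named `srcnat` value, while prerouting uses `0` rather than the conventional `dstnat` (-100); if that is deliberate, a comment saying why would help the next reader.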