added openvpn port, forward rules and nat table on its own file

This commit is contained in:
celso 2024-12-13 00:49:09 -03:00
parent baa554ffd0
commit ee2fe873f3
3 changed files with 24 additions and 1 deletions


@ -1,3 +1,6 @@
# Networks
define VPN_SUBNET = 10.8.0.0/24
# TCP only services # TCP only services
define SSH_PORT1 = 22 define SSH_PORT1 = 22
define SSH_PORT2 = 8022 define SSH_PORT2 = 8022
@ -10,3 +13,4 @@ define DNS_PORT = 53
# UDP only services # UDP only services
define DHCP_IN_PORT = 67 define DHCP_IN_PORT = 67
define DHCP_OUT_PORT = 68 define DHCP_OUT_PORT = 68
define OPENVPN_PORT = 1194


@ -13,7 +13,7 @@ table ip filter {
set allowed_udp_ports_in { set allowed_udp_ports_in {
type inet_service; type inet_service;
flags constant; flags constant;
elements = { $DNS_PORT, $DHCP_IN_PORT } elements = { $DNS_PORT, $DHCP_IN_PORT, $OPENVPN_PORT }
} }
set allowed_udp_ports_out { set allowed_udp_ports_out {
@ -30,8 +30,13 @@ table ip filter {
tcp dport @allowed_tcp_ports accept; tcp dport @allowed_tcp_ports accept;
udp dport @allowed_udp_ports_in accept; udp dport @allowed_udp_ports_in accept;
} }
chain forward { chain forward {
type filter hook forward priority filter; policy drop; type filter hook forward priority filter; policy drop;
comment "this routes vpn traffic";
ct state related,established accept;
iifname "tun0" oifname "eth0" accept;
} }
chain out { chain out {
@ -40,3 +45,5 @@ table ip filter {
oifname "lo" accept; oifname "lo" accept;
} }
} }
include "./nat.nft"
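Review bot: The new forward rule `iifname "tun0" oifname "eth0" accept;` in the second hunk forwards traffic from tun0 regardless of source address, while the masquerade rule in nat.nft only rewrites `ip saddr $VPN_SUBNET`, so a packet arriving on tun0 with a source outside the VPN subnet would be routed out eth0 without NAT and with its original source intact. Restricting the forward rule the same way, `iifname "tun0" oifname "eth0" ip saddr $VPN_SUBNET accept;`, keeps the two tables consistent and makes the filter chain the single place where the policy is enforced. The bare `comment "this routes vpn traffic";` line inside the chain body relies on chain-level comment support that only newer nft releases provide, so if the target host runs an older nft the ruleset will fail to load; worth confirming against the deployed version. The relative `include "./nat.nft"` in the third hunk is resolved by nft's include-path rules (the `-I` directories and the default include directory), which is not necessarily the directory of the including file, so an absolute path or an explicit `-I` is more predictable.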

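--- /dev/null
+++ b/nat.nft
@@ -0,0 +1,12 @@
+table nat {
+chain prerouting {
+type nat hook prerouting priority 0;
+comment "this is necessary even if empty";
+}
+chain postrouting {
+type nat hook postrouting priority 100;
+comment "enable NAT for VPN";
+iifname "tun0" oifname "eth0" ip saddr $VPN_SUBNET masquerade;
+}
+}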
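Review bot: `table nat {` on the first line omits the address family and so falls back to the default (`ip`); writing `table ip nat {` states the family explicitly and matches `table ip filter` in the filter file. The numeric hook priorities `0` and `100` could use the mnemonics nft defines for these hooks (`priority dstnat;` and `priority srcnat;`) to match the `priority filter` style used in the filter table; note that `dstnat` corresponds to -100 rather than 0, which only starts to matter once the prerouting chain carries rules. This file references `$VPN_SUBNET`, which is defined in the network-definitions file changed in this commit, so it only loads when included after that file; a header comment such as `# requires VPN_SUBNET from the defines file; included from the filter ruleset` would record that dependency for whoever next edits the include order. The masquerade rule itself is appropriately scoped, rewriting only `ip saddr $VPN_SUBNET` traffic leaving via eth0.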