docs: upload assets/files/openvpn-server/nftables.conf

2022-06-02 09:16:04 +00:00 · 2022-06-02 09:16:04 +00:00 · af39e2d8b9
commit af39e2d8b9
parent 16e6d3521d
1 changed files with 53 additions and 0 deletions
--- a/assets/files/openvpn-server/nftables.conf
+++ b/assets/files/openvpn-server/nftables.conf
@ -0,0 +1,53 @@
 #!/usr/sbin/nft -f
 flush ruleset
 define vpn_port=6174
 define vpn_if=tun0
 define outside_if=enp0s17
 define vpn_subnet=10.10.10.0/24
 table inet filter {
        chain input {
                # allow OpenVPN VPN connections to the Server
                udp dport $vpn_port accept
        }
        chain forward {
                #Drop forwarded packets if they are not matched
                type filter hook forward priority 0; policy drop;
                # allow existing connections
                ct state related,established accept
                # allow packets from vpn interface
                iifname $vpn_if oifname $outside_if accept
        }
        chain output {
                # Security drops
                ct state invalid counter drop
                oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (fin|ack) == fin|ack counter drop
                oifname != "lo" ip saddr != 127.0.0.1 ip daddr != 127.0.0.1 tcp flags & (rst|ack) == rst|ack counter drop
    }
 }
 # create a ipv4 table only for NAT entries (you need both chains even if they're empty)
 table ip nat {
        chain postrouting {
                type nat hook postrouting priority 100;
                # enable NAT for VPN
                iifname $vpn_if oifname $outside_if ip saddr $vpn_subnet masquerade
        }
        chain prerouting {
                type nat hook prerouting priority 0;
        }
 }