Loading templates/nftables.nft.j2 +16 −8 Original line number Diff line number Diff line Loading @@ -6,17 +6,17 @@ table inet filter { chain input { type filter hook input priority 0; policy drop; # Allow established/related # allow established/related ct state established,related accept # Allow loopback # allow loopback iif lo accept # Allow ICMP # allow icmp ip protocol icmp accept ip6 nexthdr ipv6-icmp accept # Allow incoming firewall rules # allow incoming firewall rules {% for rule in incoming_firewall_rules %} # {{ rule.name }} iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept Loading @@ -26,16 +26,19 @@ table inet filter { chain forward { type filter hook forward priority 0; policy drop; # Allow established/related # allow established/related ct state established,related accept {% if wireguard_enabled %} # Allow WireGuard traffic # allow wireguard traffic iifname "wt*" accept oifname "wt*" accept # allow wireguard to internet (exit node) iifname "wt*" oif {{ wan_interface }} accept {% endif %} # Allow forwarding from LAN to anywhere # allow forwarding from lan to anywhere iif {{ lan_interface }} oif {{ wan_interface }} accept {% for forward in nat_port_forwards %} # {{ forward.name }} Loading @@ -52,8 +55,13 @@ table ip nat { chain postrouting { type nat hook postrouting priority 100; policy accept; # NAT masquerade from LAN to WAN # nat masquerade from lan to wan iif {{ lan_interface }} oif {{ wan_interface }} masquerade {% if wireguard_enabled %} # nat mascerade from wireguard to wan (exit node) iifname "wt*" oif {{ wan_interface }} masquerade {% endif %} } chain prerouting { Loading Loading
templates/nftables.nft.j2 +16 −8 Original line number Diff line number Diff line Loading @@ -6,17 +6,17 @@ table inet filter { chain input { type filter hook input priority 0; policy drop; # Allow established/related # allow established/related ct state established,related accept # Allow loopback # allow loopback iif lo accept # Allow ICMP # allow icmp ip protocol icmp accept ip6 nexthdr ipv6-icmp accept # Allow incoming firewall rules # allow incoming firewall rules {% for rule in incoming_firewall_rules %} # {{ rule.name }} iif {{ lan_interface }} ip saddr {{ rule.source }} {{ rule.protocol | default('tcp') }} dport {{ rule.port }} accept Loading @@ -26,16 +26,19 @@ table inet filter { chain forward { type filter hook forward priority 0; policy drop; # Allow established/related # allow established/related ct state established,related accept {% if wireguard_enabled %} # Allow WireGuard traffic # allow wireguard traffic iifname "wt*" accept oifname "wt*" accept # allow wireguard to internet (exit node) iifname "wt*" oif {{ wan_interface }} accept {% endif %} # Allow forwarding from LAN to anywhere # allow forwarding from lan to anywhere iif {{ lan_interface }} oif {{ wan_interface }} accept {% for forward in nat_port_forwards %} # {{ forward.name }} Loading @@ -52,8 +55,13 @@ table ip nat { chain postrouting { type nat hook postrouting priority 100; policy accept; # NAT masquerade from LAN to WAN # nat masquerade from lan to wan iif {{ lan_interface }} oif {{ wan_interface }} masquerade {% if wireguard_enabled %} # nat mascerade from wireguard to wan (exit node) iifname "wt*" oif {{ wan_interface }} masquerade {% endif %} } chain prerouting { Loading
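Review bot: The new forward rule `iifname "wt*" oif {{ wan_interface }} accept` in the `chain forward` hunk can never match, because the `iifname "wt*" accept` rule two lines above it already accepts every packet entering from a WireGuard interface regardless of output interface, so every peer already had full-tunnel egress before this change and the "(exit node)" comment overstates what the new line adds. If exit-node forwarding is meant to be a distinct, gateable decision, narrow the unconditional rule to the LAN, `iifname "wt*" oif {{ lan_interface }} accept`, so that the WAN rule is the only path to the internet and can later be tied to its own variable; the forward chain itself continues past the end of the hunk. Note also that the companion masquerade is added in `table ip nat`, which only covers IPv4, while the `inet` forward chain also passes IPv6 from `wt*` to the WAN without NAT — whether that is intended depends on the tunnel's IPv6 addressing, so it is worth confirming. Unrelated to this change but visible in the same hunk, `oifname "wt*" accept` admits forwarded packets from any interface, WAN included, into the tunnel, which may want the same `iif {{ lan_interface }}` scoping the LAN rules use. Finally, the postrouting comment has a typo and should read `# nat masquerade from wireguard to wan (exit node)`.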