The following are the complete Nftables rulesets for both VPN gateways r1 and r2 in the example setup described in the article Nftables - Netfilter and VPN/IPsec packet flow. The distinction between VPN and non-VPN traffic is made based on the peer subnet addresses: on each gateway, traffic to or from the other side's LAN is treated as VPN traffic, everything else leaving eth1 is masqueraded.
root@r1:~# nft list ruleset
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oif eth1 ip daddr 192.168.2.0/24 accept
		oif eth1 masquerade
	}
}
table ip filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
		iif eth0 oif eth1 accept
		iif eth1 oif eth0 ct state established,related accept
		iif eth1 oif eth0 ip saddr 192.168.2.0/24 ct state new accept
	}
}
root@r2:~# nft list ruleset
table ip nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oif eth1 ip daddr 192.168.1.0/24 accept
		oif eth1 masquerade
	}
}
table ip filter {
	chain forward {
		type filter hook forward priority filter; policy drop;
		iif eth0 oif eth1 accept
		iif eth1 oif eth0 ct state established,related accept
		iif eth1 oif eth0 ip saddr 192.168.1.0/24 ct state new accept
	}
}
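To check what these two chains decide for a given packet without touching a live gateway, here is an added model (example code, not part of the page or the Nftables project) that evaluates the forward chain with first-match semantics and chain policy drop, and the nat postrouting chain's SNAT exemption. It assumes eth0 is the LAN side and eth1 the WAN side on both gateways, as in the listings; the sample packets in the usage are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Added model (not the page's code) of the r1/r2 chains above: first-match
# evaluation of the forward chain (policy drop) and the nat postrouting chain.
# Interface roles (eth0 = LAN, eth1 = WAN) and subnets come from the page.

@dataclass
class Packet:
    iif: str        # ingress interface
    oif: str        # egress interface chosen by routing
    saddr: str
    daddr: str
    ct_state: str   # conntrack state: "new", "established" or "related"

class Gateway:
    def __init__(self, peer_subnet, lan="eth0", wan="eth1"):
        self.peer = ipaddress.ip_network(peer_subnet)
        self.lan, self.wan = lan, wan

    def _in_peer(self, addr):
        return ipaddress.ip_address(addr) in self.peer

    def forward_verdict(self, p):
        # Rules in listed order; first match wins, else the chain policy.
        rules = [
            # iif eth0 oif eth1 accept
            (p.iif == self.lan and p.oif == self.wan, "accept"),
            # iif eth1 oif eth0 ct state established,related accept
            (p.iif == self.wan and p.oif == self.lan
             and p.ct_state in ("established", "related"), "accept"),
            # iif eth1 oif eth0 ip saddr <peer subnet> ct state new accept
            (p.iif == self.wan and p.oif == self.lan
             and self._in_peer(p.saddr) and p.ct_state == "new", "accept"),
        ]
        for matched, verdict in rules:
            if matched:
                return verdict
        return "drop"

    def postrouting_snat(self, p):
        # oif eth1 ip daddr <peer subnet> accept -> exempt from SNAT, so the
        # tunnel carries the real LAN source; oif eth1 masquerade otherwise
        if p.oif != self.wan or self._in_peer(p.daddr):
            return None
        return "masquerade"

r1 = Gateway("192.168.2.0/24")   # r1's LAN is 192.168.1.0/24, peer LAN 192.168.2.0/24
r2 = Gateway("192.168.1.0/24")   # r2 is the mirror image
```

Because the rules classify by address only, the model also accepts a new flow arriving on eth1 with a peer-subnet source that did not come out of the tunnel; if that matters in your setup, tie the rule to the IPsec policy (nftables' `ipsec in` expression) rather than to the source address alone.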