
Nftables ruleset of Example Site-to-site VPN topology

Address-based VPN traffic distinction

The following are the complete Nftables rulesets of both VPN gateways r1 and r2 in the example setup described in the article Nftables - Netfilter and VPN/IPsec packet flow. The distinction between VPN and non-VPN traffic is made purely on the basis of the peer subnet addresses: traffic destined to the peer subnet is excluded from masquerading, and new connections arriving from the WAN side are only accepted when their source address lies in the peer subnet.

r1

root@r1:~# nft list ruleset
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oif eth1 ip daddr 192.168.2.0/24 accept
                oif eth1 masquerade
        }
}
table ip filter {
        chain forward {
                type filter hook forward priority filter; policy drop;
                iif eth0 oif eth1 accept
                iif eth1 oif eth0 ct state established,related accept
                iif eth1 oif eth0 ip saddr 192.168.2.0/24 ct state new accept
        }
}

r2

root@r2:~# nft list ruleset
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                oif eth1 ip daddr 192.168.1.0/24 accept
                oif eth1 masquerade
        }
}
table ip filter {
        chain forward {
                type filter hook forward priority filter; policy drop;
                iif eth0 oif eth1 accept
                iif eth1 oif eth0 ct state established,related accept
                iif eth1 oif eth0 ip saddr 192.168.1.0/24 ct state new accept
        }
}
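The decision logic of the two chains above, as an added Python model (not part of the page's own configuration): each chain is evaluated first-match with its policy as fallback, parametrised on the peer subnet so the same code covers r1 (peer 192.168.2.0/24) and r2 (peer 192.168.1.0/24). The interface roles (eth0 = LAN, eth1 = WAN) follow the rulesets; the sample packets and their addresses are constructed for illustration.

```python
import ipaddress

# A chain is (policy, [(predicate, verdict), ...]); nftables walks the rules
# top to bottom and the first verdict wins, otherwise the chain policy applies.
def build_chains(peer_subnet):
    peer = ipaddress.ip_network(peer_subnet)
    in_peer = lambda addr: ipaddress.ip_address(addr) in peer
    nat_postrouting = ("accept", [
        # VPN-bound traffic keeps its source address, so the IPsec policy matches it
        (lambda p: p["oif"] == "eth1" and in_peer(p["daddr"]), "accept"),
        (lambda p: p["oif"] == "eth1", "masquerade"),  # everything else leaving WAN
    ])
    filter_forward = ("drop", [
        (lambda p: p["iif"] == "eth0" and p["oif"] == "eth1", "accept"),
        (lambda p: p["iif"] == "eth1" and p["oif"] == "eth0"
         and p["ct"] in ("established", "related"), "accept"),
        (lambda p: p["iif"] == "eth1" and p["oif"] == "eth0"
         and in_peer(p["saddr"]) and p["ct"] == "new", "accept"),
    ])
    return nat_postrouting, filter_forward

def evaluate(chain, pkt):
    policy, rules = chain
    for match, verdict in rules:
        if match(pkt):
            return verdict
    return policy

def decide(peer_subnet, pkt):
    """Return (forward verdict, nat verdict) for one forwarded packet.
    The forward hook runs before postrouting, so a dropped packet never reaches
    the nat chain; nat chains are consulted only for the first packet of a flow
    (later packets reuse the stored mapping), hence None for non-new packets."""
    nat, fwd = build_chains(peer_subnet)
    verdict = evaluate(fwd, pkt)
    if verdict != "accept" or pkt["ct"] != "new":
        return verdict, None
    return verdict, evaluate(nat, pkt)

def pkt(iif, oif, saddr, daddr, ct="new"):
    return {"iif": iif, "oif": oif, "saddr": saddr, "daddr": daddr, "ct": ct}

# Constructed sample packets as seen on r1 (203.0.113.0/24, 198.51.100.0/24 are
# documentation ranges standing in for arbitrary Internet hosts).
SAMPLES_R1 = {
    "lan->peer": pkt("eth0", "eth1", "192.168.1.10", "192.168.2.20"),
    "lan->internet": pkt("eth0", "eth1", "192.168.1.10", "203.0.113.5"),
    "peer->lan": pkt("eth1", "eth0", "192.168.2.20", "192.168.1.10"),
    "internet->lan": pkt("eth1", "eth0", "198.51.100.7", "192.168.1.10"),
    "internet-reply": pkt("eth1", "eth0", "198.51.100.7", "192.168.1.10", "established"),
}
```

Because the distinction is purely address-based, the model also makes the limitation visible: a new connection arriving on eth1 with a source address inside the peer subnet is accepted regardless of whether it actually came out of the IPsec tunnel.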
linux/ipsec/example/ss1/nftables_ruleset.txt · Last modified: 2022-01-30 by Andrej Stender