Personal Blog of Andrej Stender, covering Linux and other topics.
The following are the complete Nftables rulesets for both VPN gateways r1 and r2 in the example setup described in the article Nftables - Netfilter and VPN/IPsec packet flow. VPN and non-VPN traffic are distinguished solely by the peer subnet addresses: on r1 the peer subnet is 192.168.2.0/24, on r2 it is 192.168.1.0/24. Traffic destined for the peer subnet is exempted from masquerading, and new connections originating from the peer subnet are allowed to be forwarded into the local LAN; everything else arriving on the WAN interface is only forwarded if it belongs to an established connection.
root@r1:~# nft list ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif eth1 ip daddr 192.168.2.0/24 accept
        oif eth1 masquerade
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        iif eth0 oif eth1 accept
        iif eth1 oif eth0 ct state established,related accept
        iif eth1 oif eth0 ip saddr 192.168.2.0/24 ct state new accept
    }
}
root@r2:~# nft list ruleset
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oif eth1 ip daddr 192.168.1.0/24 accept
        oif eth1 masquerade
    }
}
table ip filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        iif eth0 oif eth1 accept
        iif eth1 oif eth0 ct state established,related accept
        iif eth1 oif eth0 ip saddr 192.168.1.0/24 ct state new accept
    }
}
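To make the decision logic of these rulesets visible without a lab, here is a small Python model of r1's two chains (r2 is the mirror image with the subnets swapped). It is an added illustration, not code from the blog post or from the nftables project: it implements only the matches the rulesets actually use (iif, oif, ip saddr/daddr, ct state) with first-match semantics and the chain policy as fallback, and it runs the forward chain before postrouting, as the kernel does. The sample packets and the addresses 192.168.1.10, 192.168.2.20 and 203.0.113.5 are constructed for the example. The last function is a sanity check that the accept rule for the peer subnet really precedes the masquerade rule; if the order were reversed, LAN-to-peer packets would be rewritten to the WAN address and no longer match the tunnel's policy selector.

```python
"""Toy model of gateway r1's forward and postrouting chains.

Added illustration, not code from the blog post. It models only the matches
the rulesets use (iif, oif, ip saddr/daddr, ct state) with nftables'
first-match semantics and a chain policy as fallback.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Tuple

PEER_SUBNET = ip_network("192.168.2.0/24")   # r2's LAN, reached through the IPsec tunnel


@dataclass
class Packet:
    iif: str        # input interface
    oif: str        # output interface chosen by routing
    saddr: str
    daddr: str
    ct_state: str   # conntrack state: "new", "established" or "related"


@dataclass
class Rule:
    match: Callable[[Packet], bool]
    verdict: str    # "accept", "drop" or "masquerade"


def run_chain(rules: List[Rule], policy: str, pkt: Packet) -> str:
    """The first matching rule decides; otherwise the chain policy applies."""
    for rule in rules:
        if rule.match(pkt):
            return rule.verdict
    return policy


# table ip nat, chain postrouting (policy accept), as listed for r1
NAT_POSTROUTING: List[Rule] = [
    Rule(lambda p: p.oif == "eth1" and ip_address(p.daddr) in PEER_SUBNET, "accept"),
    Rule(lambda p: p.oif == "eth1", "masquerade"),
]

# table ip filter, chain forward (policy drop), as listed for r1
FILTER_FORWARD: List[Rule] = [
    Rule(lambda p: p.iif == "eth0" and p.oif == "eth1", "accept"),
    Rule(lambda p: p.iif == "eth1" and p.oif == "eth0"
         and p.ct_state in ("established", "related"), "accept"),
    Rule(lambda p: p.iif == "eth1" and p.oif == "eth0"
         and ip_address(p.saddr) in PEER_SUBNET and p.ct_state == "new", "accept"),
]


def decide(pkt: Packet, nat_rules: List[Rule] = NAT_POSTROUTING) -> Tuple[str, Optional[str]]:
    """Return (forward verdict, postrouting verdict).

    The forward hook runs before postrouting, so a dropped packet never
    reaches the NAT chain; that case is reported as None.
    """
    fwd = run_chain(FILTER_FORWARD, "drop", pkt)
    if fwd != "accept":
        return fwd, None
    return fwd, run_chain(nat_rules, "accept", pkt)


def peer_traffic_exempt_from_nat(nat_rules: List[Rule]) -> bool:
    """Check that LAN-to-peer traffic leaves eth1 with its source address intact.

    A masqueraded source would no longer match the tunnel's policy selector
    (192.168.1.0/24 -> 192.168.2.0/24), which is why the accept rule must
    come before the masquerade rule.
    """
    probe = Packet("eth0", "eth1", "192.168.1.10", "192.168.2.20", "new")
    return decide(probe, nat_rules)[1] == "accept"


# Constructed sample traffic; 203.0.113.5 stands for an arbitrary Internet host.
SAMPLES = {
    "lan_to_peer":     Packet("eth0", "eth1", "192.168.1.10", "192.168.2.20", "new"),
    "lan_to_internet": Packet("eth0", "eth1", "192.168.1.10", "203.0.113.5", "new"),
    "internet_to_lan": Packet("eth1", "eth0", "203.0.113.5", "192.168.1.10", "new"),
    "internet_reply":  Packet("eth1", "eth0", "203.0.113.5", "192.168.1.10", "established"),
    "peer_to_lan":     Packet("eth1", "eth0", "192.168.2.20", "192.168.1.10", "new"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        fwd, nat = decide(pkt)
        print(f"{name:16s} forward={fwd:6s} postrouting={nat}")
    print("peer exempt from NAT:", peer_traffic_exempt_from_nat(NAT_POSTROUTING))
    print("peer exempt with rules swapped:", peer_traffic_exempt_from_nat(NAT_POSTROUTING[::-1]))
```

Running the script shows that LAN-to-peer traffic is forwarded and left un-NATed, LAN-to-Internet traffic is masqueraded, unsolicited Internet traffic is dropped by the forward policy, and peer-originated connections are admitted; the swapped-rules check returns False, which is the misconfiguration to watch for when editing the NAT chain.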