

Nftables ruleset of Example Site-to-site VPN topology


r1

root@r1:~# nft list ruleset
# r1: NAT table. eth1 is the masqueraded (outward-facing) interface.
# Traffic leaving eth1 for the remote LAN 192.168.2.0/24 is accepted
# before the masquerade rule, so it keeps its private source address
# (presumably so it still matches the IPsec policy selectors - confirm
# against the host's xfrm / IKE daemon configuration).
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                # Remote-site traffic: exempt from masquerade.
                oif eth1 ip daddr 192.168.2.0/24 accept
                # Everything else leaving eth1 is source-NATed.
                oif eth1 masquerade
        }
}
# r1: forward chain with default-drop policy; only the three flows below
# are forwarded.
table ip filter {
        chain forward {
                type filter hook forward priority filter; policy drop;
                # Anything arriving on eth0 and leaving via eth1 is allowed.
                iif eth0 oif eth1 accept
                # Reply traffic for connections conntrack already tracks.
                iif eth1 oif eth0 ct state established,related accept
                # New connections from the remote LAN towards eth0.
                # NOTE(review): this matches on source address only; it does
                # not check that the packet was decapsulated from the IPsec
                # SA (e.g. no `meta ipsec exists` match). It therefore relies
                # on the kernel's xfrm inbound/forward policy check to drop
                # cleartext packets arriving on eth1 with a 192.168.2.0/24
                # source - confirm such a policy is installed on r1.
                iif eth1 oif eth0 ip saddr 192.168.2.0/24 ct state new accept
        }
}

r2

root@r2:~# nft list ruleset
# r2: NAT table, mirror image of r1's; the remote LAN seen from r2 is
# 192.168.1.0/24 and eth1 is again the masqueraded (outward-facing)
# interface.
table ip nat {
        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
                # Remote-site traffic: exempt from masquerade so it keeps its
                # private source address (presumably to match the IPsec
                # policy selectors - confirm against the host configuration).
                oif eth1 ip daddr 192.168.1.0/24 accept
                # Everything else leaving eth1 is source-NATed.
                oif eth1 masquerade
        }
}
# r2: forward chain with default-drop policy.
# NOTE(review): every rule below uses `oif r2`, whereas the nat table above
# only names eth0 and eth1 and r1's equivalent chain uses `oif eth1` on the
# first rule and `oif eth0` on the other two. Unless r2 really has an
# interface called "r2", these rules never match and the chain's drop
# policy blocks all forwarding - this looks like a typo in this revision
# (the expected mirror of r1 would be eth1, eth0, eth0); confirm on the host.
table ip filter {
        chain forward {
                type filter hook forward priority filter; policy drop;
                # Anything arriving on eth0 and leaving via the named
                # interface is allowed.
                iif eth0 oif r2 accept
                # Reply traffic for connections conntrack already tracks.
                iif eth1 oif r2 ct state established,related accept
                # New connections from the remote LAN. As on r1, this matches
                # on source address only and does not check the packet came
                # out of the IPsec SA (no `meta ipsec exists` match), so it
                # relies on the kernel's xfrm policy check to reject cleartext
                # packets claiming a 192.168.1.0/24 source - confirm.
                iif eth1 oif r2 ip saddr 192.168.1.0/24 ct state new accept
        }
}