Greetings,

I’ve been using nftables for a year now and have been really enjoying it. Thank you for it. I’m having some difficulty with ip6 masquerading which the ip6tables equivalent is not having. Here’s my config:

    #!/usr/sbin/nft -f

    flush ruleset

    table inet filter {
        chain input {
            type filter hook input priority 0; policy accept;
            ct state established,related accept
            tcp dport 22 limit rate 3/minute accept
            tcp dport 80 accept
            meta l4proto { icmp, ipv6-icmp, esp, ah } accept
            udp dport {500, 4500} accept
            udp dport 33434-33534 reject
            iifname "lo" accept
        }
        chain forward {
            type filter hook forward priority 0; policy accept;
        }
        chain output {
            type filter hook output priority 0; policy accept;
            oifname "lo" accept
        }
    }

    table ip6 nat {
        chain prerouting {
            type nat hook prerouting priority 0;
        }
        chain postrouting {
            type nat hook postrouting priority 0;
            oifname wg0 masquerade
        }
    }

When I try to do this with ip6tables it works.

    # Generated by xtables-save v1.8.2 on Mon Apr 15 19:26:27 2019
    *nat
    :PREROUTING ACCEPT [0:0]
    :INPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT

I’m trying to use WireGuard as a road warrior VPN. Any help is greatly appreciated.

—FC