Re: How to allow traffic over VPN across namespaces using nftables

I have a WireGuard interface configured in a dedicated namespace, vpn.
It is configured by first creating the interface in the main namespace
(which has access to the physical interface routing to the Internet,
`eno1`), then moving the WireGuard interface `wg0` to the vpn
namespace (Reference [1]). The ruleset I've configured on the main,
"physical", namespace disallows traffic going over the VPN. Can you
please help tweak my configuration to allow traffic going out / in
from the `wg0` interface in the vpn namespace?

Same question for StackExchange rep for those who might care:
https://superuser.com/questions/1746449/how-to-allow-traffic-over-vpn-across-namespaces-using-nftables

[1]: https://www.wireguard.com/netns/#the-new-namespace-solution


--- Ruleset ---

sudo nft -a list table inet filter
table inet filter { # handle 15
        set blackhole { # handle 4
                type ipv4_addr
                elements = { 224.0.0.1, 224.0.0.251,
                             255.255.255.255 }
        }

        set in_tcp_accept { # handle 5
                type inet_service
                flags interval
                elements = { 22 }
        }

        set ip6blackhole { # handle 6
                type ipv6_addr
                elements = { ff02::16 }
        }

        set out_tcp_accept { # handle 7
                type inet_service
                flags interval
                elements = { 80, 443, 11371 }
        }

        set out_udp_accept { # handle 8
                type inet_service
                flags interval
                elements = { 53, 67, 123 }
        }

        chain global { # handle 1
                ct state established,related accept # handle 12
                ct state invalid drop # handle 13
        }

        chain input { # handle 2
                type filter hook input priority filter; policy drop;
                jump global # handle 14
                ip daddr @blackhole counter packets 0 bytes 0 drop # handle 15
                ip6 daddr @ip6blackhole counter packets 0 bytes 0 drop # handle 16
                iif "lo" accept # handle 17
                meta l4proto { icmp, ipv6-icmp } accept # handle 18
                tcp dport @in_tcp_accept ct state new accept # handle 19
                tcp dport { 80, 443 } ct state new accept # handle 20
                udp dport 51821 accept # handle 21
        }

        chain output { # handle 3
                type filter hook output priority filter; policy drop;
                jump global # handle 22
                oif "lo" accept # handle 23
                ip protocol icmp accept # handle 24
                ip6 nexthdr ipv6-icmp counter packets 3 bytes 192 accept # handle 25
                udp dport @out_udp_accept ct state new accept # handle 26
                tcp dport @out_tcp_accept ct state new accept # handle 27
                tcp sport 22 tcp flags { rst, psh | ack } counter packets 44 bytes 6052 accept # handle 28
        }
}
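The following is an added example, not part of the original post and not code from the WireGuard project. It shows the piece the posted ruleset is missing: because wg0 was created in the physical namespace, its UDP socket stays there, so the only thing the physical namespace's filter table ever sees is the outer UDP flow to the peer endpoint. The posted output chain's `out_udp_accept` set (53, 67, 123) does not include that port, so the handshake never leaves. Everything that is not on the page is an assumption: the peer endpoint 203.0.113.10:51820 (RFC 5737 documentation address), the tunnel address 10.8.0.2/24, and the config path /etc/wireguard/wg0.conf. The namespace name `vpn`, the interfaces `wg0`/`eno1` and the listen port 51821 come from the post.

```shell
#!/bin/sh
# Added example (not from the original post or the WireGuard project).
# Hypothetical values: peer endpoint 203.0.113.10:51820, tunnel address
# 10.8.0.2/24, config file /etc/wireguard/wg0.conf. The namespace "vpn",
# interfaces wg0/eno1 and the listen port 51821 are taken from the post.
set -eu

# nft rules the *physical* namespace needs so that wg0, now living in the
# vpn namespace, can reach its peer. WireGuard keeps its UDP socket in the
# namespace where the interface was created, so the encrypted packets leave
# via eno1 through this namespace's output hook, while the decrypted
# traffic only ever appears on wg0 inside the vpn namespace and is not
# filtered by this table at all.
vpn_egress_rules() {
    peer_ip="$1"
    peer_port="$2"
    # Replies are already covered by "ct state established,related accept"
    # in chain global, and peer-initiated handshakes by the posted
    # "udp dport 51821 accept" input rule, so one new-flow rule suffices.
    printf 'add rule inet filter output ip daddr %s udp dport %s ct state new accept\n' \
        "$peer_ip" "$peer_port"
}

# Same effect in the style of the posted ruleset: add the endpoint port to
# the existing out_udp_accept set. Looser (any destination on that port)
# than the rule above, which pins the destination address as well.
vpn_egress_set_element() {
    peer_port="$1"
    printf 'add element inet filter out_udp_accept { %s }\n' "$peer_port"
}

# Whole procedure, following wireguard.com/netns: create wg0 in the
# physical namespace (so its socket stays there), move it into "vpn", then
# open the physical namespace's output chain for the tunnel's outer flow.
# Needs root plus ip/wg/nft; nothing below runs unless "apply" is passed.
setup_wg_netns() {
    peer_ip="$1"
    peer_port="$2"
    ip netns add vpn
    ip link add wg0 type wireguard
    # Hypothetical config; its [Peer] Endpoint must be $peer_ip:$peer_port
    # and ListenPort 51821 to match the posted input rule.
    wg setconf wg0 /etc/wireguard/wg0.conf
    ip link set wg0 netns vpn
    ip -n vpn address add 10.8.0.2/24 dev wg0
    ip -n vpn link set wg0 up
    ip -n vpn route add default dev wg0
    # The fix for the posted ruleset: allow the outer UDP flow out of the
    # physical namespace.
    vpn_egress_rules "$peer_ip" "$peer_port" | nft -f -
    # Check: after some traffic from inside "vpn", a handshake time appears.
    ip netns exec vpn wg show wg0 latest-handshakes
}

if [ "${1:-}" = "apply" ]; then
    setup_wg_netns 203.0.113.10 51820
fi
```

The vpn namespace has its own, initially empty, nftables state; the posted `inet filter` table does not apply there, so any policy for the decrypted traffic on wg0 has to be a separate table loaded with `ip netns exec vpn nft -f ...`. If the handshake still fails after the rule is in place, `nft list chain inet filter output` with counters, or `nft monitor trace` with a `meta nftrace set 1` rule on `udp dport 51820`, shows which rule in the physical namespace is dropping the outer packets.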