
Memo: VPN with WireGuard (nftables)

Published 2023/01/16, about 2,800 characters

Memo

Example nftables rules

table inet filter {
	set tcp_accepted {
		type inet_service
		flags interval
		elements = { 53, 80, 443, 22 }
	}

	set udp_accepted {
		type inet_service
		flags interval
		elements = { 53, 51820,  60000-60100 }
	}

	chain input {
		type filter hook input priority filter; policy drop;
		ct state invalid drop comment "early drop of invalid connections"
		ct state { established, related } accept comment "allow tracked connections"
		iifname "lo" accept comment "allow from loopback"
		ip protocol icmp accept comment "allow icmp"
		meta l4proto ipv6-icmp accept comment "allow icmp v6"
		iifname "ens3" tcp dport @tcp_accepted ct state new accept
		iifname "ens3" udp dport @udp_accepted ct state new accept
		iifname "wg0" tcp dport @tcp_accepted ct state new accept
		iifname "wg0" udp dport @udp_accepted ct state new accept
		meta pkttype host limit rate 5/second counter packets 9350 bytes 511030 reject with icmpx admin-prohibited
		counter packets 126637 bytes 13036675
	}
}

Example WireGuard configuration files
wg0.conf

[Interface]
Address = 10.0.0.1/32
Address = fd86:ea04:1119::1/64
Table = auto
SaveConfig = true
PostUp = nft add rule inet filter forward iifname "%i" counter accept;nft add rule inet filter forward oifname "%i" counter accept; nft add table inet nat; nft 'add chain inet nat postrouting { type nat hook postrouting priority srcnat; policy accept; }'; nft 'add rule inet nat postrouting oifname "ens3" ip saddr 10.0.0.0/24 counter masquerade'; nft 'add rule inet nat postrouting oifname "ens3" ip6 saddr fd86:ea04:1119::/64 counter masquerade'
PostDown = nft 'flush chain inet filter forward';nft 'flush chain inet nat postrouting'
#PostDown = nft -a list chain inet filter forward|grep "wg0"|sed 's/.*handle \(.*\)/\1/'|xargs -I{} nft 'delete rule inet filter forward handle {}';nft 'flush chain inet nat postrouting'
ListenPort = 
PrivateKey = 

[Peer]
PublicKey = 
PresharedKey = 
AllowedIPs = 10.0.0.2/32, fd86:ea04:1119::/64
Endpoint = 

To delete only the wg0-related rules in PostDown, it seems you look up the rule handles with the nft -a command and use those. Noting it here for reference.

nft -a list chain inet filter forward|grep "wg0"|sed 's/.*handle \(.*\)/\1/'|xargs -I{} nft 'delete rule inet filter forward handle {}';nft 'flush chain inet nat postrouting'
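The handle-based cleanup above can be made a little stricter, because grep "wg0" also matches any other interface whose name contains that string (for example wg01). The following POSIX shell script is an added example, not part of the original post; it assumes the table and chain names used above (inet filter forward) and runs against a constructed sample of nft -a list chain output, so it can be tried without nft installed.

```shell
#!/bin/sh
# Added example (not from the original post): pick out the rule handles that
# reference one WireGuard interface in `nft -a list chain` output, so PostDown
# can delete only those rules instead of flushing the whole forward chain.
# Assumes the table/chain from the post: inet filter forward.

# Constructed sample of `nft -a list chain inet filter forward` output.
# The "wg01" rule is there to show why a plain `grep "wg0"` is too loose.
SAMPLE_CHAIN='table inet filter {
	chain forward { # handle 3
		type filter hook forward priority filter; policy drop;
		iifname "wg0" counter packets 0 bytes 0 accept # handle 12
		oifname "wg0" counter packets 0 bytes 0 accept # handle 13
		iifname "wg01" counter packets 0 bytes 0 accept # handle 14
		ct state { established, related } accept # handle 15
	}
}'

# wg_rule_handles IFACE
# Reads a chain listing on stdin and prints one handle per line for rules
# whose iifname/oifname is exactly IFACE. nft quotes interface names, so the
# closing quote keeps "wg01" from matching "wg0". The chain's own
# "# handle N" line carries no iifname/oifname and is skipped as well.
wg_rule_handles() {
    grep -E "(iifname|oifname) \"$1\" " \
        | sed -n 's/.*# handle \([0-9][0-9]*\)$/\1/p'
}

# wg_delete_commands IFACE
# Turns the handles into the matching `nft delete rule` commands.
# Handles are stable identifiers, so deleting one does not renumber the rest.
wg_delete_commands() {
    wg_rule_handles "$1" | while IFS= read -r handle; do
        printf 'nft delete rule inet filter forward handle %s\n' "$handle"
    done
}

# Offline demonstration on the constructed sample (prints two delete commands).
printf '%s\n' "$SAMPLE_CHAIN" | wg_delete_commands wg0

# For a real PostDown hook, keep these functions in a script file and feed it
# the live listing, piping the generated commands into a shell:
#   nft -a list chain inet filter forward | wg_delete_commands "$IFACE" | sh
```

Only rules whose iifname or oifname is exactly the given interface are touched, and the ct state rule and any other interface's rules in the same chain survive the interface going down. The nat postrouting flush from the original PostDown is unchanged by this.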

wg1.conf

[Interface]
Privatekey = 
Address = 10.0.0.2/32
DNS = 

[Peer]
Publickey = 
PresharedKey = 
EndPoint = 
AllowedIPs = 0.0.0.0/0,::/0

The nft commands in PostUp add rules like the following (partial excerpt):

	chain forward {
		type filter hook forward priority filter; policy drop;
		iifname "wg0" counter packets 0 bytes 0 accept
		oifname "wg0" counter packets 0 bytes 0 accept
	}
}
table inet nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname "ens3" ip saddr 10.0.0.0/24 counter packets 0 bytes 0 masquerade
		oifname "ens3" ip6 saddr fd86:ea04:1119::/64 counter packets 0 bytes 0 masquerade
	}
}
