From 1e04a07ef8a57f2aca0c8a9d3ff4172be0ab8426 Mon Sep 17 00:00:00 2001
From: nessi
Date: Wed, 18 Mar 2026 09:11:57 +0100
Subject: [PATCH] feat: change gateway forward chain policy to accept and add explicit drop rule for WireGuard interface

Change nftables forward chain default policy from drop to accept. Add rule to accept all traffic not originating from WireGuard interface. Add explicit drop rule at end of chain for remaining WireGuard interface traffic to maintain security while allowing non-VPN traffic to flow freely.
---
 deploy/scripts/gateway-entrypoint.sh | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/deploy/scripts/gateway-entrypoint.sh b/deploy/scripts/gateway-entrypoint.sh
index a48e96b..4c0ff37 100644
--- a/deploy/scripts/gateway-entrypoint.sh
+++ b/deploy/scripts/gateway-entrypoint.sh
@@ -107,8 +107,9 @@ EOF
 echo "table inet nexavpn {"
 echo " chain forward {"
 echo " type filter hook forward priority 0;"
- echo " policy drop;"
+ echo " policy accept;"
 echo " ct state established,related accept"
+ echo " iifname != \"${IFACE}\" accept"
 echo " iifname \"${IFACE}\" ip saddr ${NETWORK_CIDR} oifname \"${UPLINK_IFACE}\" accept"
 jq -c '.peers[]?' "${STATE_JSON}" | while read -r peer; do
@@ -122,6 +123,8 @@ EOF
 done
 done
+ echo " iifname \"${IFACE}\" drop"
+
 echo " }"
 if [ "${ENABLE_MASQUERADE}" = "true" ]; then
 echo " chain postrouting {"
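Review bot: The new `iifname != \"${IFACE}\" accept` rule, combined with `policy accept;`, matches on ingress interface only, so it admits unsolicited forwarded traffic from every non-tunnel interface into the tunnel as well — including packets arriving on `${UPLINK_IFACE}` with a peer behind `${IFACE}` as destination — whereas under the previous `policy drop;` only `ct state established,related` return traffic could reach peers in that direction. If the goal stated in the commit message is only to stop filtering traffic that neither enters nor leaves the tunnel, keeping `policy drop;` and emitting `iifname != \"${IFACE}\" oifname != \"${IFACE}\" accept` instead preserves that goal without exposing peers to inbound forwarding from the uplink, and the terminal `iifname \"${IFACE}\" drop` added in the second hunk then becomes redundant. Whether this gateway is meant to forward inbound uplink traffic to peers cannot be determined from the hunk, so the intended exposure should be confirmed before merging. The block emitting the ruleset starts before this hunk and continues past it.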