feat: change gateway forward chain policy to accept and add explicit drop rule for WireGuard interface

Change nftables forward chain default policy from drop to accept. Add rule to accept all traffic not originating from WireGuard interface. Add explicit drop rule at end of chain for remaining WireGuard interface traffic to maintain security while allowing non-VPN traffic to flow freely.
2026-03-18 09:11:57 +01:00
parent 77773493e2
commit 1e04a07ef8


@@ -107,8 +107,9 @@ EOF
echo "table inet nexavpn {" echo "table inet nexavpn {"
echo " chain forward {" echo " chain forward {"
echo " type filter hook forward priority 0;" echo " type filter hook forward priority 0;"
echo " policy drop;" echo " policy accept;"
echo " ct state established,related accept" echo " ct state established,related accept"
echo " iifname != \"${IFACE}\" accept"
echo " iifname \"${IFACE}\" ip saddr ${NETWORK_CIDR} oifname \"${UPLINK_IFACE}\" accept" echo " iifname \"${IFACE}\" ip saddr ${NETWORK_CIDR} oifname \"${UPLINK_IFACE}\" accept"
jq -c '.peers[]?' "${STATE_JSON}" | while read -r peer; do jq -c '.peers[]?' "${STATE_JSON}" | while read -r peer; do
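Review bot: The added `iifname != \"${IFACE}\" accept` rule also accepts forwarded traffic going *into* the WireGuard interface from any other interface, which the previous `policy drop` chain only permitted for `ct state established,related` flows or the explicit peer rules that follow; combined with the switch to `policy accept`, hosts reachable via the uplink or LAN side can now initiate connections to VPN peers through the gateway. If the intent is only to let traffic that neither enters nor leaves the tunnel pass untouched, restrict the rule on both directions: `echo " iifname != \"${IFACE}\" oifname != \"${IFACE}\" accept"`. The terminal drop added in the second hunk then needs a matching `echo " oifname \"${IFACE}\" drop"` so that traffic toward the tunnel stays default-deny rather than falling through to the accept policy. The function emitting these echo lines starts outside the hunk, so I cannot see whether a later rule already covers the oifname direction.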
@@ -122,6 +123,8 @@ EOF
done done
done done
echo " iifname \"${IFACE}\" drop"
echo " }" echo " }"
if [ "${ENABLE_MASQUERADE}" = "true" ]; then if [ "${ENABLE_MASQUERADE}" = "true" ]; then
echo " chain postrouting {" echo " chain postrouting {"