View paste IRGA

New paste Repaste Download

	`table inet wg {`
	`chain vpn {`
	`type filter hook output priority filter; policy drop;`
	`meta nftrace set 1`
	`oif "wlo1" ip daddr 143.244.46.105 udp dport 51820 accept`
	`# oif "wlo1" drop`
	`}`
	`}`

	`[root@kyler wireguard]# ip a s dev wlo1`
	`4: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000`
	`link/ether e0:d4:64:ef:09:07 brd ff:ff:ff:ff:ff:ff`
	`altname wlp40s0`
	`altname wlxe0d464ef0907`
	`inet 192.168.50.20/24 brd 192.168.50.255 scope global dynamic noprefixroute wlo1`
	`valid_lft 81500sec preferred_lft 81500sec`
	`inet6 fe80::57cf:fc:7ef9:69d5/64 scope link noprefixroute`
	`valid_lft forever preferred_lft forever`
	`[root@kyler wireguard]# ip a s dev wg-ua`
	`5: wg-ua: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000`
	`link/none`
	`inet 10.14.0.2/16 scope global wg-ua`
	`valid_lft forever preferred_lft forever`
	`[root@kyler wireguard]#`

	`[root@kyler wireguard]# ip r`
	`default via 192.168.50.1 dev wlo1 proto dhcp src 192.168.50.20 metric 600`
	`10.1.1.0/24 dev wg0 proto kernel scope link src 10.1.1.5`
	`10.14.0.0/16 dev wg-ua proto kernel scope link src 10.14.0.2`
	`192.168.50.0/24 dev wlo1 proto kernel scope link src 192.168.50.20 metric 600`

	`================================================================================`
	`after enabling wireguard:`

	`nft list ruleset`
	`table ip wg-quick-wg-ua {`
	`chain preraw {`
	`type filter hook prerouting priority raw; policy accept;`
	`iifname != "wg-ua" ip daddr 10.14.0.2 fib saddr type != local drop`
	`}`

	`chain premangle {`
	`type filter hook prerouting priority mangle; policy accept;`
	`meta l4proto udp meta mark set ct mark`
	`}`

	`chain postmangle {`
	`type filter hook postrouting priority mangle; policy accept;`
	`meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark`
	`}`
	`}`

table inet wg {
	chain vpn {
		type filter hook output priority filter; policy drop;
		meta nftrace set 1
		oif "wlo1" ip daddr 143.244.46.105 udp dport 51820 accept
		# oif "wlo1" drop
	}
}

[root@kyler wireguard]# ip a s dev wlo1
4: wlo1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e0:d4:64:ef:09:07 brd ff:ff:ff:ff:ff:ff
    altname wlp40s0
    altname wlxe0d464ef0907
    inet 192.168.50.20/24 brd 192.168.50.255 scope global dynamic noprefixroute wlo1
       valid_lft 81500sec preferred_lft 81500sec
    inet6 fe80::57cf:fc:7ef9:69d5/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
[root@kyler wireguard]# ip a s dev wg-ua
5: wg-ua: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1420 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none
    inet 10.14.0.2/16 scope global wg-ua
       valid_lft forever preferred_lft forever
[root@kyler wireguard]#

[root@kyler wireguard]# ip r
default via 192.168.50.1 dev wlo1 proto dhcp src 192.168.50.20 metric 600
10.1.1.0/24 dev wg0 proto kernel scope link src 10.1.1.5
10.14.0.0/16 dev wg-ua proto kernel scope link src 10.14.0.2
192.168.50.0/24 dev wlo1 proto kernel scope link src 192.168.50.20 metric 600

================================================================================
after enabling wireguard:

nft list ruleset
table ip wg-quick-wg-ua {
	chain preraw {
		type filter hook prerouting priority raw; policy accept;
		iifname != "wg-ua" ip daddr 10.14.0.2 fib saddr type != local drop
	}

chain premangle {
		type filter hook prerouting priority mangle; policy accept;
		meta l4proto udp meta mark set ct mark
	}

chain postmangle {
		type filter hook postrouting priority mangle; policy accept;
		meta l4proto udp meta mark 0x0000ca6c ct mark set meta mark
	}
}

Filename: None. Size: 2kb. View raw, , hex, or download this file.

This paste expires on 2025-02-22 12:39:10.790634. Pasted through web.

Are you sure you'd like to remove this file?