jamesmcm / vopono

Run applications through VPN tunnels with temporary network namespaces
GNU General Public License v3.0

Help with nftables and forwarding filter #278

Open punishedJib opened 1 month ago

punishedJib commented 1 month ago

Hi, I have 0 experience with networking and nftables. If I add to my table a filter chain with a forward hook that by default drops everything, vopono won't work. I even set its priority to be very high but to no avail.

Here's my ruleset when running vopono:

table inet my_table {
    chain my_input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
        meta l4proto ipv6-icmp accept
        meta l4proto icmp accept
        ip protocol igmp accept
        meta l4proto udp ct state new jump my_udp_chain
        tcp flags syn / fin,syn,rst,ack ct state new jump my_tcp_chain
        meta l4proto udp reject
        meta l4proto tcp reject with tcp reset
        counter packets 0 bytes 0 reject
    }

    chain my_forward {
        type filter hook forward priority 200; policy drop;
    }

    chain my_output {
        type filter hook output priority filter; policy accept;
    }

    chain my_tcp_chain {
        tcp dport 53317 accept
    }

    chain my_udp_chain {
        udp dport 53317 accept
    }
}
table inet vopono_nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "wlp2s0" ip saddr 10.200.1.0/24 counter packets 0 bytes 0 masquerade
    }
}
table inet vopono_bridge {
    chain forward {
        type filter hook forward priority filter - 10; policy accept;
        iifname "vo_mv_norway_d" oifname "wlp2s0" counter packets 3 bytes 528 accept
        oifname "vo_mv_norway_d" iifname "wlp2s0" counter packets 0 bytes 0 accept
    }
}
jamesmcm commented 1 month ago

The network namespace connects via the network interface, so I think dropping everything like this will also drop the VPN traffic?

What do you want it to do?

punishedJib commented 1 month ago

I wanted it to drop everything by default, but have the vopono rules apply when I use it. If I add the rules to the chain manually in my table it works. But I don't know how I would test to see if it's actually dropping everything except the vopono packets or just getting overridden.
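The behaviour in this thread follows from how nftables treats base chains: every base chain registered on the `forward` hook sees the packet, and `accept` in one of them only ends that chain, it does not skip the others. So a packet accepted by `vopono_bridge` (priority `filter - 10`) is then evaluated by `my_forward` (priority `200`, a higher number means it runs later) and hits its `policy drop`. Raising the priority therefore cannot help; the only way to keep a default-drop forward chain is to put counted accept rules for the vopono interfaces into that chain itself. The script below is an added example written for this page, not vopono's code and not the poster's ruleset: it emits such a `my_forward` chain (assuming the uplink `wlp2s0` and the `vo_*` interface prefix seen in the ruleset above), applies it when run as root, and parses `nft list chain` counter output so the "is it really dropping everything else?" question can be answered from the numbers rather than guessed.

```sh
#!/bin/sh
# Added example for the vopono issue thread; not part of the vopono project.
# Assumptions (from the ruleset in the thread): the uplink is "wlp2s0" and
# vopono's namespace-side interfaces start with "vo_" (wildcard match is ours).
UPLINK="${UPLINK:-wlp2s0}"

# Emit a my_forward chain that still drops by default but explicitly accepts
# (and counts) traffic between vopono's interfaces and the uplink. Return
# traffic towards the namespace is limited to established/related flows,
# which is stricter than vopono_bridge's own interface-only match.
# A final counted drop rule makes the policy's drops visible in counters.
vopono_forward_ruleset() {
    cat <<EOF
table inet my_table {
    chain my_forward {
        type filter hook forward priority 200; policy drop;
        iifname "vo_*" oifname "$UPLINK" counter accept
        iifname "$UPLINK" oifname "vo_*" ct state established,related counter accept
        counter log prefix "my_forward drop: " drop
    }
}
EOF
}

# Replace the live my_forward rules with the ruleset above (needs root).
# The chain is flushed first so repeated runs do not append duplicate rules.
apply_ruleset() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_ruleset: must run as root" >&2
        return 1
    fi
    nft flush chain inet my_table my_forward
    vopono_forward_ruleset | nft -f -
}

# Read "nft list chain inet my_table my_forward" output on stdin and sum the
# packet counters of accept rules versus the final drop rule. While vopono is
# running, the accept counters should climb; anything counted on the drop
# rule is forwarded traffic the policy really is discarding.
summarize_counters() {
    awk '
        /counter packets/ && /accept$/ { for (i = 1; i <= NF; i++) if ($i == "packets") a += $(i + 1) }
        /counter packets/ && /drop$/   { for (i = 1; i <= NF; i++) if ($i == "packets") d += $(i + 1) }
        END { printf "accepted=%d dropped=%d\n", a, d }
    '
}

# Constructed sample of what "nft list chain inet my_table my_forward" prints
# after some traffic; used for the offline demo below.
SAMPLE_LISTING='table inet my_table {
    chain my_forward {
        type filter hook forward priority 200; policy drop;
        iifname "vo_*" oifname "wlp2s0" counter packets 42 bytes 6132 accept
        iifname "wlp2s0" oifname "vo_*" ct state established,related counter packets 40 bytes 51200 accept
        counter packets 7 bytes 420 log prefix "my_forward drop: " drop
    }
}'

case "${1:-}" in
    show)  vopono_forward_ruleset ;;
    apply) apply_ruleset ;;
    check) nft list chain inet my_table my_forward | summarize_counters ;;
    demo)  printf '%s\n' "$SAMPLE_LISTING" | summarize_counters ;;
esac
```

Run `sh script.sh show` to review the chain, `sudo sh script.sh apply` to install it, then start vopono and run `sudo sh script.sh check` a few times: the `accepted` count should grow with the tunnel traffic while `dropped` stays at zero unless some other host is trying to route through the machine. Lines logged with the `my_forward drop:` prefix in the kernel log identify exactly which forwarded packets the policy refused.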