welsberr
/
VHostLoom
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
VHostLoom/firewall/nftables.wireguard.conf.exa...

87 lines
2.0 KiB
Plaintext
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

#!/usr/sbin/nft -f
#
# nftables-wireguard.conf.example
#
# Example nftables config for:
# - Traefik on 80/443 (public web)
# - WireGuard VPN on UDP 51820
# - Private services only accessible via WireGuard (interface wg0)
#
# Copy to /etc/nftables.conf and adjust interface names and port sets.
flush ruleset
# Adjust to your actual interfaces
define wan_if = "eno1" # WAN interface name
# define wan_if = "$(bash /path/to/detect-wan.sh)"
define wg_if = "wg0" # WireGuard interface name
define wg_port = 51820 # WireGuard UDP port
table inet filter {
#
# Sets of ports
#
# Public web ports (Traefik)
set wan_tcp_ports {
type inet_service
comment "Public-facing web ports"
elements = {
80,
443
}
}
# Private TCP services accessible only via WireGuard
set wg_tcp_ports {
type inet_service
flags interval
comment "Private services (AI stack, etc.) over WireGuard only"
elements = {
22, # SSH
7860, # Stable Diffusion
8000, # vLLM or similar
8080-8089, # Llamafile / sandbox UIs
8501, # Sandbox Fusion / Streamlit
11434 # Ollama
}
}
chain input {
type filter hook input priority 0;
policy drop;
# Loopback
iifname "lo" accept
# Established/related
ct state established,related accept
# ICMP (ping, etc.)
ip protocol icmp accept
ip6 nexthdr icmpv6 accept
# WireGuard VPN allow incoming tunnel on WAN
iifname $wan_if udp dport $wg_port accept comment "WireGuard VPN listen"
# Private services only over WireGuard interface
iifname $wg_if tcp dport @wg_tcp_ports accept
# Public web
# If you want to restrict 80/443 strictly to WAN:
# iifname $wan_if tcp dport @wan_tcp_ports accept
tcp dport @wan_tcp_ports accept
}
chain forward {
type filter hook forward priority 0;
policy drop;
}
chain output {
type filter hook output priority 0;
policy accept;
}
}
Reference in New Issue View Git Blame Copy Permalink