
List:       netfilter
Subject:    NFTables and Openvpn killswitch
From:       Paul Fontenot <wpfontenot () no-hope ! com>
Date:       2019-04-19 19:57:10
Message-ID: f24bbdac-cce3-6ab7-306e-9728ef21df00 () no-hope ! com

Hello,

I am beating my head against the wall trying to implement a VPN killswitch 
with nftables. My configuration is below and I want to allow access to 
my networks (192.168.0.0/24, which is working) as well as allowing VMware 
to do its thing over vmnet8 (which is also working). I am almost 
certain this is a "can't see the forest for the trees" issue at this point.

When the VPN connects and these rules are applied, everything except the 
VPN works as expected, and if the rules are not applied the VPN works as 
expected.

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        counter
        ip protocol icmp accept
        ct state {related, established } accept
        ct state invalid drop
        iif lo accept
        iifname "enp3s0f1" jump input_enp3s0f1
        iifname "wlp2s0" jump input_wlp2s0
        iifname "vmnet8" jump input_vmnet8
        iifname "tun0" jump input_tun0
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        counter
    }
    chain output {
        type filter hook output priority 0; policy drop;
        counter
        oif { lo, tun0 } accept
        oif { enp3s0f1, wlp2s0 } ip daddr 192.168.0.0/24 accept
        oif { vmnet8 } accept
    }
    chain input_enp3s0f1 {
        counter
    }
    chain input_wlp2s0 {
        counter
    }
    chain input_vmnet8 {
        counter
        iifname "vmnet8" accept
    }
    chain input_tun0 {
        counter
    }
}
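Editor's note on the ruleset above, with an added example that is not the poster's configuration. The posted output chain has policy drop and only passes traffic leaving via lo, tun0 and vmnet8, plus packets to 192.168.0.0/24 on the physical interfaces. The OpenVPN client's own encapsulated packets to the remote server leave via enp3s0f1 or wlp2s0 towards an address outside the LAN, so no rule matches them and the chain policy drops them; the tunnel can never come up while the rules are loaded, which matches the symptom described. A killswitch needs exactly one pinhole for that endpoint. The ruleset below is a corrected version built from the posted one; the server address 203.0.113.10 and UDP port 1194 are assumed placeholders and must be replaced with the values of the `remote` and `proto` lines in the client configuration. It also switches `oif` to `oifname`: `oif` resolves the interface name to an index when the ruleset is loaded, so a rule naming tun0 fails to load before the tunnel interface exists, whereas `oifname` matches by name at packet time.

```nft
#!/usr/sbin/nft -f
# Added example: OpenVPN killswitch with nftables. Not the original poster's
# ruleset. Assumed values (replace with your own):
#   vpn_server / vpn_port  - the "remote" host and "proto"/port of the client
#                            config; 203.0.113.10 is a documentation address.
#   phys_ifs               - the physical interfaces the tunnel rides over.

define vpn_server = 203.0.113.10
define vpn_port   = 1194
define lan        = 192.168.0.0/24
define phys_ifs   = { "enp3s0f1", "wlp2s0" }

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state invalid drop
        # Replies to the tunnel's own UDP flow and to LAN traffic come in here
        ct state { established, related } accept
        iifname "lo" accept
        # "ip protocol icmp" matches IPv4 only; l4proto covers ICMPv6 as well
        meta l4proto { icmp, ipv6-icmp } accept
        iifname "vmnet8" accept
        # Count and log what is still dropped so the leak can be diagnosed
        counter log prefix "killswitch in-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        counter
    }

    chain output {
        type filter hook output priority 0; policy drop;
        ct state invalid drop
        ct state { established, related } accept
        # oifname matches by name, so this loads even while tun0 does not exist yet
        oifname { "lo", "tun0" } accept
        # The pinhole the posted ruleset lacks: the encapsulated tunnel itself
        # must be allowed out over a physical interface to the VPN server.
        oifname $phys_ifs ip daddr $vpn_server udp dport $vpn_port accept
        oifname $phys_ifs ip daddr $lan accept
        oifname "vmnet8" accept
        # Everything else that tries to leave outside the tunnel is dropped and logged
        counter log prefix "killswitch out-drop: " drop
    }
}
```

Load it with `nft -f` and then watch `nft list chain inet filter output` (or the kernel log for the `killswitch out-drop:` prefix) while the client connects; the counter on the final drop rule tells you immediately whether something is still being blocked, and the logged destination tells you what. Two caveats remain with this shape of killswitch: if the system resolver is a host on 192.168.0.0/24, DNS queries are allowed out by the LAN rule and bypass the tunnel, so point the resolver at an address reached through tun0 or tighten the LAN rule to the ports you actually need; and if the OpenVPN server is reached by hostname, that name must be resolvable before the tunnel exists, which with these rules means via the LAN resolver or an explicit pinhole for DNS.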