Насройтка firewall для wireguard
Форум — Admin
Привет все. Озадачился настройкой собственного VPN сервера, купил VPS, настроил wireguard, nftables. Вопросы по nftables, конфиг такой:
01 #!/usr/sbin/nft -f
02
03 flush ruleset
04
05 table inet filter {
06 chain input {
07 type filter hook input priority filter; policy drop;
08 ct state invalid counter packets 0 bytes 0 drop
09 iifname "lo" accept
10 icmp type echo-request counter packets 0 bytes 0 accept
11 ct state established,related counter packets 0 bytes 0 accept
12 iifname "enp3s0" tcp dport 22 counter packets 0 bytes 0 accept
13 iifname "enp3s0" udp dport 44830 counter packets 0 bytes 0 accept
14 }
15
16 chain forward {
17 type filter hook forward priority filter; policy drop;
18 ct state invalid drop
19 ct state established,related,new counter packets 0 bytes 0 accept
20 }
21
22 chain output {
23 type filter hook output priority filter; policy accept;
24 }
25 }
26 table ip nat {
27 chain prerouting {
28 type nat hook prerouting priority dstnat; policy accept;
29 }
30
31 chain postrouting {
32 type nat hook postrouting priority srcnat; policy accept;
33 oifname "enp0s3" counter packets 0 bytes 0 masquerade
34 }
35 }
- Если в таблице filter политики цепочек input и forward установлены в policy drop, то имеют ли смысл строки [08] и [18]?
- Для iptables хатало строк:
iptables -A INPUT -i enp0s3 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i enp0s3 -p udp --dport 53830 -j ACCEPT
iptables -A INPUT -i enp0s3 -j DROP
iptables -A FORWARD -i eth0 -o wg0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o wg0 -j DROP
iptables -t nat -A POSTROUTING -o eth0 -s 10.0.0.0/24 -j MASQUERADE
А вот при переносе правил в nftables В строке [19] пришлось добавить state new, это правильный подход?
- Ну и самое главное, сламался curl. Примеры: kali-linux качает, но в консоли пишет всякую дребедень
curl -Lv https://kali.download/arm-images/kali-2022.3/kali-linux-2022.3-raspberry-pi-zero-2-w-armhf.img.xz -o NUL
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 104.18.103.100:443...
* Connected to kali.download (104.18.103.100) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
* ALPN: server accepted http/1.1
> GET /arm-images/kali-2022.3/kali-linux-2022.3-raspberry-pi-zero-2-w-armhf.img.xz HTTP/1.1
> Host: kali.download
> User-Agent: curl/7.83.1
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Tue, 25 Oct 2022 03:43:19 GMT
< Content-Type: application/octet-stream
< Content-Length: 2079663332
< Connection: keep-alive
< Last-Modified: Tue, 09 Aug 2022 13:52:26 GMT
< ETag: "62f2669a-7bf524e4"
< Expires: Thu, 31 Dec 2037 23:55:55 GMT
< Cache-Control: max-age=315360000
< CF-Cache-Status: HIT
< Age: 50
< Accept-Ranges: bytes
< Server: cloudflare
< CF-RAY: 75f7f284ad7abfb4-WAW
<
{ [2340 bytes data]
* schannel: failed to decrypt data, need more data
{ [99725 bytes data]
* schannel: failed to decrypt data, need more data
....
и так далее
А вот alpine вообще не качает, просто зависает вот так вот:
C:\#share>curl -Lv https://dl-cdn.alpinelinux.org/alpine/v3.16/releases/x86_64/alpine-standard-3.16.2-x86_64.iso -o NUL
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 151.101.114.133:443...
* Connected to dl-cdn.alpinelinux.org (151.101.114.133) port 443 (#0)
* schannel: disabled automatic use of client certificate
* ALPN: offers http/1.1
0 0 0 0 0 0 0 0 --:--:-- 0:01:02 --:--:-- 0
Ключ -k не помогает
Это значит, что я не все правильно настроил. Где искать?