From 9c651764edba34dde2fcfc37d4d2fe2370205c65 Mon Sep 17 00:00:00 2001
From: Bernd Storath <999999bst@gmail.com>
Date: Fri, 4 Apr 2025 12:26:56 +0200
Subject: [PATCH] fix nftables rules

---
 Dockerfile | 1 +
 docs/content/examples/tutorials/podman-nft.md | 7 +------
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 7624a471..1fc0b5a5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,6 +34,7 @@ RUN apk add --no-cache \
 dumb-init \
 iptables \
 ip6tables \
+ nftables \
 kmod \
 iptables-legacy \
 wireguard-tools
diff --git a/docs/content/examples/tutorials/podman-nft.md b/docs/content/examples/tutorials/podman-nft.md
index 9707b0e5..df992070 100644
--- a/docs/content/examples/tutorials/podman-nft.md
+++ b/docs/content/examples/tutorials/podman-nft.md
@@ -2,11 +2,6 @@ title: Podman + nftables --- -/// warning | Not working yet - -There are some problems with nftables currently. You can use the Quadlet files anyway -/// - This guide will show you how to run `wg-easy` with rootful Podman and nftables. ## Requirements
@@ -93,7 +88,7 @@ In the Admin Panel of your WireGuard server, go to the `Hooks` tab and add the f 1. PostUp ```shell - apk add nftables; nft add table inet wg_table; nft add chain inet wg_table postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet wg_table postrouting ip saddr {{ipv4Cidr}} oifname {{device}} masquerade; nft add rule inet wg_table postrouting ip6 saddr {{ipv6Cidr}} oifname {{device}} masquerade; nft add chain inet wg_table input { type filter hook input priority 0 \; policy accept \; }; nft add rule inet wg_table input udp dport {{port}} accept; nft add rule inet wg_table input tcp dport {{uiPort}} accept; nft add chain inet wg_table forward { type filter hook forward priority 0 \; policy accept \; }; nft add rule inet wg_table forward iifname "wg0" accept; nft add rule inet wg_table forward oifname "wg0" accept; + nft add table inet wg_table; nft add chain inet wg_table prerouting { type nat hook prerouting priority 100 \; }; nft add chain inet wg_table postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet wg_table postrouting ip saddr {{ipv4Cidr}} oifname {{device}} masquerade; nft add rule inet wg_table postrouting ip6 saddr {{ipv6Cidr}} oifname {{device}} masquerade; nft add chain inet wg_table input { type filter hook input priority 0 \; policy accept \; }; nft add rule inet wg_table input udp dport {{port}} accept; nft add rule inet wg_table input tcp dport {{uiPort}} accept; nft add chain inet wg_table forward { type filter hook forward priority 0 \; policy accept \; }; nft add rule inet wg_table forward iifname "wg0" accept; nft add rule inet wg_table forward oifname "wg0" accept; ``` 2. PostDown
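Review bot: Within `wg_table` the new `input` and `forward` chains are created with `policy accept`, so the `udp dport {{port}} accept`, `tcp dport {{uiPort}} accept` and `iifname`/`oifname "wg0" accept` rules on the new PostUp line are no-ops and the hook effectively only configures NAT. If filtering is intended, those chains need `policy drop` together with the accept rules a host depends on (established/related, loopback, management access); if not, the two filter chains and the `prerouting` nat chain, which is created without any rule, could be dropped so the documented ruleset does not suggest a restriction that is not enforced. `nft add rule` is not idempotent, so unless the PostDown hook (outside this hunk) deletes `wg_table`, every PostUp run appends a second copy of each rule; a leading `nft delete table inet wg_table 2>/dev/null;` in PostUp, or a matching delete in PostDown, avoids that. The whole command sits on one line inside the fenced block, and the PostDown entry that follows is outside the hunk.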