This article details how to integrate nftables with iTopVPN (assuming a WireGuard backend) for a more robust firewall and security posture. This setup provides granular control over VPN traffic, enhancing privacy and security.
Ensure nftables is installed and running on your iTopVPN server. Most modern Linux distributions include it by default. If not, install it using your distribution's package manager (e.g., apt install nftables or yum install nftables).
You must have iTopVPN configured with a working WireGuard interface (e.g., wg0).
Disable any existing firewall rules that might conflict (e.g., iptables -F, ufw disable).
Create a new nftables configuration file (e.g., /etc/nftables.conf).
Populate the file with the following ruleset, adjusting interface names and IP addresses as needed:
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Allow loopback traffic (local resolvers and services need this)
        iif lo accept
        # Allow established/related connections
        ct state { established, related } accept
        # Log and drop invalid packets before any per-port accept rule
        ct state invalid log prefix "NFTABLES_INVALID: " drop
        # Allow SSH (adjust port as needed)
        tcp dport 22 accept
        # Allow WireGuard handshakes and data arriving on the WAN interface
        # (51820 is the WireGuard default; match the ListenPort in your config)
        udp dport 51820 accept
        # Allow ICMP echo requests (ping)
        icmp type echo-request accept
        # Allow traffic arriving from the WireGuard interface
        iifname "wg0" accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Allow forwarding from WireGuard to the WAN interface
        iifname "wg0" oifname "eth0" accept
        # Allow forwarding from WAN back to WireGuard for established/related flows
        iifname "eth0" oifname "wg0" ct state { established, related } accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Masquerade VPN client traffic leaving via the WAN interface
        oifname "eth0" masquerade
    }
}
Explanation:
flush ruleset: Clears any existing rules.
table inet filter: Creates a filter table for IPv4 and IPv6.
chain input: Handles incoming traffic.
chain forward: Handles forwarded traffic.
chain output: Handles outgoing traffic.
table ip nat: Creates an IPv4 NAT table named nat.
chain postrouting: Handles traffic after routing decisions.
iifname and oifname: Specify input and output interfaces, respectively.
masquerade: Performs source NAT, rewriting VPN clients' internal addresses to the WAN interface's address.
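To reason about the input chain before loading it on a live host, here is an added example (not part of the original article) that models nftables first-match evaluation for the rules above: loopback and WireGuard listen-port rules, the port 51820 and the packet descriptions are assumptions and constructed sample data, and the subset of match keys (iifname, tcp/udp dport, icmp type, ct state) is deliberately minimal.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    iifname: str
    proto: str             # "tcp", "udp" or "icmp"
    dport: int = 0
    icmp_type: str = ""
    ct_state: str = "new"  # "new", "established", "related" or "invalid"

@dataclass
class Rule:
    verdict: str               # "accept" or "drop"
    iifname: str = ""          # "" means any interface
    proto: str = ""
    dport: int = 0
    icmp_type: str = ""
    ct_states: tuple = ()      # () means any conntrack state

    def matches(self, p: Packet) -> bool:
        return ((not self.iifname or self.iifname == p.iifname)
                and (not self.proto or self.proto == p.proto)
                and (not self.dport or self.dport == p.dport)
                and (not self.icmp_type or self.icmp_type == p.icmp_type)
                and (not self.ct_states or p.ct_state in self.ct_states))

def evaluate(chain: list, p: Packet, policy: str = "drop") -> str:
    """nftables semantics: the first matching rule's verdict wins,
    otherwise the chain policy (drop for the input chain) applies."""
    for rule in chain:
        if rule.matches(p):
            return rule.verdict
    return policy

# Constructed mirror of the input chain. The loopback and WireGuard
# listen-port rules are assumptions; 51820 is WireGuard's default port.
WG_PORT = 51820
INPUT_CHAIN = [
    Rule("accept", iifname="lo"),
    Rule("accept", ct_states=("established", "related")),
    Rule("drop", ct_states=("invalid",)),
    Rule("accept", proto="tcp", dport=22),
    Rule("accept", proto="udp", dport=WG_PORT),
    Rule("accept", proto="icmp", icmp_type="echo-request"),
    Rule("accept", iifname="wg0"),
]

def handshake_verdict(chain=INPUT_CHAIN) -> str:
    """Verdict for a new WireGuard handshake hitting the WAN interface."""
    return evaluate(chain, Packet("eth0", "udp", dport=WG_PORT))
```

Dropping the udp dport rule from INPUT_CHAIN turns the handshake verdict into "drop", which is exactly the "VPN never comes up" failure a missing listen-port rule causes on a real host.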
Load the nftables configuration: nft -f /etc/nftables.conf
Enable and start the nftables service to ensure the rules are loaded on boot: systemctl enable nftables and systemctl start nftables
Verification: Use nft list ruleset to verify the rules are loaded correctly.
Pitfalls: Ensure the interface names (wg0, eth0) are correct for your system. Incorrect interface names will break connectivity.
DNS: If you are using a custom DNS server, ensure it is reachable through the firewall. Add a rule to the input chain to allow UDP traffic on port 53 to your DNS server's IP address.
IPv6: If you are using IPv6, create a separate ip6 table with similar rules.
Install nftables.
Configure /etc/nftables.conf with appropriate interface names and IP addresses.
Load the nftables configuration using nft -f /etc/nftables.conf.
Enable and start the nftables service.
Verify the ruleset using nft list ruleset.
Test connectivity through the VPN.
Add DNS rules if necessary.