VPN killswitch using nftables
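#!/usr/sbin/nft -f
# VPN killswitch.
#
# The output chain has policy drop: only DHCP, DNS/DoT and the control/tunnel
# traffic of the supported VPNs may leave on the physical interface ("en*");
# everything else must leave through a tunnel interface (ppp*/wg*). If the
# tunnel goes down there is no clear-text path for ordinary traffic.
#
# Caveats grounded in the rules below:
#   - The interface glob is "en*" only. Interfaces with other names (e.g. Wi-Fi
#     adapters usually named wl*) match no accept rule and all their output is
#     rejected. Extend the glob if such an interface carries the uplink.
#   - No ICMPv6 is accepted on "en*", so IPv6 neighbour/router discovery cannot
#     be sent there and IPv6 on the physical interface will not come up. This
#     also means IPv6 cannot leak past the killswitch.
#   - The DNS/DoT and VPN-port accept rules match any destination, not only the
#     VPN endpoint/resolver. Restrict them to concrete addresses if a query or
#     port-51820 packet to an arbitrary host counts as a leak in your model.
#
# Counters are non-terminating and sit before the verdict rules, so they count
# every outbound attempt on a given protocol/port whatever the interface or
# final verdict. View them with: nft list counters
flush ruleset
table inet filter {
    counter dns {
    }
    counter dot {
    }
    counter l2tp {
    }
    counter l2tp_4500 {
    }
    # ESP (IP protocol 50); name kept for compatibility with existing tooling.
    counter l2tp_50 {
    }
    # AH (IP protocol 51); name kept for compatibility with existing tooling.
    counter l2tp_51 {
    }
    counter l2tp_500 {
    }
    counter openvpn_udp {
    }
    counter openvpn_tcp {
    }
    counter wireguard {
    }

    # Input and forward are left at the default accept policy; this ruleset
    # only constrains what leaves the host.
    chain input {
        type filter hook input priority 0;
    }
    chain forward {
        type filter hook forward priority 0;
    }

    chain output {
        type filter hook output priority 0;
        policy drop;

        # --- accounting (non-terminating) ---
        udp dport 53 counter name dns
        # DoT is TCP 853 (DoQ uses UDP 853); count both, matching the accept rule below.
        meta l4proto { tcp, udp } th dport 853 counter name dot
        udp dport l2tp counter name l2tp
        udp dport 4500 counter name l2tp_4500
        # ESP and AH are IP protocols 50/51, not UDP ports: match on l4proto.
        meta l4proto esp counter name l2tp_50
        meta l4proto ah counter name l2tp_51
        udp dport 500 counter name l2tp_500
        udp dport 1194 counter name openvpn_udp
        tcp dport 1194 counter name openvpn_tcp
        udp dport 51820 counter name wireguard

        # --- verdicts ---
        oifname "lo" accept
        # DHCP client exchange on the physical interface.
        oifname "en*" udp sport { 67, 68 } udp dport { 67, 68 } accept
        # Plain DNS and DoT/DoQ are allowed outside the tunnel (see caveats above).
        oifname "en*" meta l4proto { tcp, udp } th dport 53 accept
        oifname "en*" meta l4proto { tcp, udp } th dport 853 accept
        # L2TP/IPsec: L2TP (1701), IKE (500), NAT-T (4500), plus native ESP/AH.
        oifname "en*" udp dport l2tp accept
        oifname "en*" udp dport 4500 accept
        oifname "en*" udp dport 500 accept
        oifname "en*" meta l4proto { esp, ah } accept
        # OpenVPN
        oifname "en*" udp dport 1194 accept
        oifname "en*" tcp dport 1194 accept
        # WireGuard
        oifname "en*" udp dport 51820 accept
        # Anything may leave through a tunnel interface.
        oifname "ppp*" accept
        oifname "wg*" accept
        # Explicit reject so local applications get an error immediately
        # rather than timing out under the drop policy.
        reject
    }
}
# You can use "nft list counters" to view the counters.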