wireguard-manager/templates/nftables.ejs

#!/usr/sbin/nft -f

# Lösche alte Tabelle
flush ruleset

table inet <%= interface.ifName %> {

    <% addressGroupList.forEach((addressGroup) => { %>
    set addressGroup_<%= addressGroup.name %> {
        type ipv4_addr
        flags interval
        elements = { <%= addressGroup.addressList.join(", ") %> }
    }
    <% }) %>

    <% addressGroupList.forEach((addressGroup) => { %>
    set addressGroup_<%= addressGroup.name %> {
        type ipv4_addr
        flags interval
        elements = { <%= addressGroup.addressList.join(", ") %> }
    }
    <% }) %>

    chain input_<%= interface.ifName %> {
		type filter hook input priority 0; policy drop;
		
		# Traffic vom Interface akzeptieren
		iif "<%= interface %>" tcp dport { 22, 53 } accept
		iif "<%= interface %>" udp dport 53 accept
		iif "<%= interface %>" icmp type echo-request accept
		iif "<%= interface %>" ip saddr @allowed_sources_<%= instanceId %> counter accept
	}

	chain forward_<%= interface.ifName %> {
		type filter hook forward priority 0; policy drop;

		# Eingehende Pakete von erlaubten IPs weiterleiten
		iif "<%= interface %>" ip saddr @allowed_sources_<%= instanceId %> ip daddr @allowed_destinations_<%= instanceId %> accept
		
		# Rückläufige Antworten zulassen (established connections)
		oif "<%= interface %>" ip saddr @allowed_destinations_<%= instanceId %> ip daddr @allowed_sources_<%= instanceId %> ct state established accept
	}

	chain output_<%= interface.ifName %> {
		type filter hook output priority 0; policy accept;

		# Host -> WG Interface
		oif "<%= interface %>" ip daddr @allowed_destinations_<%= instanceId %> accept
	}

	chain postrouting_<%= interface.ifName %> {
		type route hook output priority 100; policy accept;
		ip saddr <%= localSubnet %> oif "<%= outboundInterface %>" masquerade
	}

}
<% accessRuleList.forEach((accessRule) => { %>
    <%= accessRule.proto %> dport <%= accessRule.dstport %> ip saddr
    # Description: <%= accessRule.description %>
<% }) %>