I have a small VPS running WireGuard. I would now like to set up an IP redirect (DNAT) with nftables, but after several days of trying I can't get it to work; it is probably a simple mistake on my part. When I run `curl 10.3.10.24`, the request still reaches 10.3.10.24 and not 10.3.10.1. Both IPs are behind the WireGuard tunnel. My config is below; I am grateful for any answer :)
# Kernel-level forwarding must be on for the nftables forward chain below to
# see any wg0/wg1 <-> ens3 traffic at all; without it packets are dropped before
# the firewall ever gets a say.
net.ipv4.ip_forward = 1
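#!/usr/sbin/nft -f
# Drops every table in the kernel (not just this one) before loading, so rules
# installed by other tools on the host are lost on each reload of this file.
flush ruleset

# Interfaces / ports
define pub_iface = ens3
define wg_port = 51821

# NOTE: NAT chains in the inet family need a reasonably recent kernel
# (5.2+ as far as I recall) — check `nft list ruleset` after loading to confirm
# the nat chains actually exist.
table inet basic-filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state { established, related } accept
        iif lo accept
        # ICMP/ICMPv6 is accepted without type filtering or rate limiting.
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        # Also matches ICMPv6 behind IPv6 extension headers; the line above is a
        # strict subset of this one.
        meta l4proto ipv6-icmp accept
        iif $pub_iface tcp dport 22 accept
        iif $pub_iface udp dport $wg_port accept
        # Second WireGuard listener (presumably wg1's port) — unlike $wg_port it
        # is not given a name, so keep it in sync with the wg1 config by hand.
        iif $pub_iface udp dport 51822 accept
        # Everything arriving from the tunnel reaches host services unfiltered;
        # any peer can talk to any local port.
        iifname wg0 accept
        ct state invalid drop
        reject
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state { established, related } accept
        iifname wg0 oifname $pub_iface accept
        iifname wg1 oifname $pub_iface accept
        # Peer-to-peer traffic inside wg0. 10.3.10.0/24 lies within 10.0.0.0/12,
        # so a 10.212.0.0/16 peer's redirected connection to 10.3.10.1 also
        # matches here.
        iifname wg0 ip saddr 10.212.0.0/16 ip daddr 10.0.0.0/12 oifname wg0 accept
        # Any DNAT'd flow is forwarded regardless of interface; the match in the
        # prerouting rule is therefore the only thing limiting what gets through.
        ct status dnat accept
        ct state invalid drop
        reject with icmpx type host-unreachable
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hairpin case: a peer's redirected connection leaves via wg0 again, so
        # replies from 10.3.10.1 must travel back through this host rather than
        # straight to the peer.
        iifname wg0 oifname wg0 masquerade
        iifname wg0 oifname $pub_iface masquerade
        iifname wg1 oifname $pub_iface masquerade
        # Redirected flows are source-NAT'd too: 10.3.10.1 sees this host's
        # address, not the original client, so its logs cannot identify the peer.
        ct status dnat masquerade
    }

    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # FIX: in the posted config this rule was commented out, so no packet
        # was ever redirected and curl naturally still reached 10.3.10.24.
        # Note this hook only sees traffic ENTERING the host (from a peer or
        # ens3). A curl run on the VPS itself never passes prerouting; for that
        # the same rule would have to live in a `type nat hook output` chain.
        ip daddr 10.3.10.24 tcp dport 80 dnat to 10.3.10.1:80
    }
}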