Help remotely connecting using wireguard while NordVPN is running on PI

YOU ARE THE MAN! WORKING BEAUTIFULLY! I did have to change

iptables v1.8.7 (nf_tables): Can't use -i with OUTPUT

to
"iptables -A OUTPUT -o eth0 -p udp --sport 51821 -j ACCEPT"

I assume that’s correct?

After playing with it a while, the only thing I couldn't make work was using my Pi as an internet gateway for local devices. Based on reading other posts, I thought I could just set a static IP on my laptop's Wi-Fi connection to 192.1.168.1.100 and set the gateway for that connection to 192.168.1.28, and that the traffic would be routed through Nord. What am I missing?

Everything else works. I can have Nord running on the Pi and connect remotely via WireGuard. When connected through my WireGuard VPN, I am able to access internal IPs, and my external internet requests are being forwarded through Nord. FANTASTIC!

Also, can you help me write the equivalent of the whitelist rule for both my local LAN and the NordVPN? I want to turn off Nord's "whitelist feature" and have all the rules in one place. I don't want things happening out of order and getting messed up. Would it be whitelisting the 10.5.0.0 and 10.6.0.0 subnets or whitelisting ports 51821 and 51820? I would feel better getting your help with the syntax and putting that in the right spot in our script, to prevent problems and ensure that I haven't opened something up I shouldn't. This is what we have so far, incorporating the changes you provided today, including the reorder.

Finally, is there anything else you would recommend hardening for security? I think I've seen elsewhere some extra conditions on the Nord inbound rules that don't allow it unless it's an existing connection? I don't remember the syntax or where I saw it. I don't want to open up SSH etc. Anything I do on the LAN, I will do after connecting through WireGuard. Based on my understanding of what you have architected, the only thing we are allowing in and out over the Pi is just WireGuard and Nord.


OUR CURRENT IPTABLES AND FIREWALL RULES
# Separate routing table so WireGuard replies leave via the ISP router, not via Nord
echo '10 isp' >> /etc/iproute2/rt_tables
ip route add to default via 192.168.1.1 table isp
# Locally generated packets with source port 51821 (WireGuard) use the isp table
ip rule add iif lo sport 51821 to default lookup isp prio 15010
# WireGuard peers (10.6.0.0/24) are NATed out through the NordVPN tunnel
iptables -t nat -A POSTROUTING -s 10.6.0.0/24 -o nordlynx -m comment --comment wireguard-nat-rule -j MASQUERADE
# Only WireGuard (UDP 51821) is allowed in and out on eth0 ...
iptables -A INPUT -i eth0 -p udp --dport 51821 -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp --sport 51821 -j ACCEPT
# ... everything else on eth0 is dropped; these two must stay last, rule order matters
iptables -A INPUT -i eth0 -j DROP
iptables -A OUTPUT -o eth0 -j DROP
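Added example, not part of the post above and not the other participant's script: one consolidated firewall script that keeps the WireGuard-only ingress on eth0 from the post, adds the conntrack "only replies to existing connections" conditions the post asks about, and adds the FORWARD and NAT rules (plus ip_forward) that LAN devices need in order to use the Pi as a gateway through the NordVPN tunnel. Names not stated on the page are assumptions: the WireGuard interface is wg0, the LAN is 192.168.1.0/24, and NordLynx talks to its servers on UDP 51820. It does not cover whatever the nordvpn daemon itself needs over eth0 (such as HTTPS to its API), exactly as the original rules do not, and it leaves the ip route / ip rule lines from the post as they are. Run it as `sh firewall.sh show` to print the rules and `sh firewall.sh apply` to install them.

```shell
#!/bin/sh
# Consolidated firewall for a Pi that runs NordVPN (nordlynx) and a WireGuard
# server (UDP 51821). Added example; interface/subnet names marked "assumption"
# are not from the original post.
set -eu

WAN_IF="${WAN_IF:-eth0}"                # LAN/ISP side of the Pi (from the post)
VPN_IF="${VPN_IF:-nordlynx}"            # NordVPN tunnel (from the post)
WG_IF="${WG_IF:-wg0}"                   # assumption: WireGuard interface name
WG_PORT="${WG_PORT:-51821}"             # WireGuard listen port (from the post)
WG_NET="${WG_NET:-10.6.0.0/24}"         # WireGuard peer subnet (from the post)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumption: LAN using the Pi as gateway
NORD_PORT="${NORD_PORT:-51820}"         # assumption: NordLynx server port
DRY_RUN="${DRY_RUN:-}"

# Run a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi
}

# Idempotent append: skip a rule that is already present, so re-running the
# script never stacks duplicates (rule order still matters within a chain).
append() {
    table=$1; shift
    if [ -n "$DRY_RUN" ]; then echo "iptables -t $table -A $*"; return; fi
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

apply_rules() {
    # Gateway use needs forwarding on; forward nothing not explicitly allowed.
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -P FORWARD DROP

    # INPUT: loopback, replies to our own connections, then only WireGuard.
    append filter INPUT -i lo -j ACCEPT
    append filter INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    append filter INPUT -m conntrack --ctstate INVALID -j DROP
    append filter INPUT -i "$WAN_IF" -p udp --dport "$WG_PORT" -j ACCEPT
    # Peers inside the tunnel may reach the Pi itself (SSH only via WireGuard).
    append filter INPUT -i "$WG_IF" -s "$WG_NET" -j ACCEPT
    # Nothing unsolicited from the LAN/ISP side or from the Nord side.
    append filter INPUT -i "$WAN_IF" -j DROP
    append filter INPUT -i "$VPN_IF" -j DROP

    # OUTPUT on eth0: WireGuard replies and the NordLynx endpoint only.
    append filter OUTPUT -o lo -j ACCEPT
    append filter OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    append filter OUTPUT -o "$WAN_IF" -p udp --sport "$WG_PORT" -j ACCEPT
    append filter OUTPUT -o "$WAN_IF" -p udp --dport "$NORD_PORT" -j ACCEPT
    append filter OUTPUT -o "$WAN_IF" -j DROP

    # FORWARD: peers -> Nord, peers -> LAN, LAN -> Nord; returns via conntrack.
    # With policy DROP nothing can be forwarded to the internet around the VPN.
    append filter FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    append filter FORWARD -i "$WG_IF" -s "$WG_NET" -o "$VPN_IF" -j ACCEPT
    append filter FORWARD -i "$WG_IF" -s "$WG_NET" -o "$WAN_IF" -d "$LAN_NET" -j ACCEPT
    append filter FORWARD -i "$WAN_IF" -s "$LAN_NET" -o "$VPN_IF" -j ACCEPT

    # NAT: everything leaving through Nord carries the tunnel's address.
    append nat POSTROUTING -s "$WG_NET" -o "$VPN_IF" -m comment --comment wireguard-nat-rule -j MASQUERADE
    append nat POSTROUTING -s "$LAN_NET" -o "$VPN_IF" -m comment --comment lan-nat-rule -j MASQUERADE
}

case "${1:-}" in
    apply) apply_rules ;;
    show)  DRY_RUN=1 apply_rules ;;
esac
```

The conntrack ESTABLISHED,RELATED lines are the "existing connection" condition: they let replies back in on any interface while the catch-all `-i eth0 -j DROP` and `-i nordlynx -j DROP` refuse anything new, so no port other than 51821 is reachable from the LAN, the ISP or the Nord side. For the laptop-as-gateway case the missing pieces relative to the post's rules are `ip_forward`, a FORWARD rule from the LAN to nordlynx, and a MASQUERADE rule for the LAN subnet, since the existing NAT rule only covers 10.6.0.0/24.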