openvpn
If you want to keep these ports untouched:
22 SSH
25 SMTP
53 DNS
80 HTTP
110 POP3
143 IMAP
443 HTTPS/OpenVPN
587 SMTP Submission
943 OpenVPN Admin
993 IMAPS
995 POP3S
and redirect everything else to OpenVPN worker ports (916 TCP, 921 UDP), use:
nft add table ip nat
nft flush table ip nat
nft 'add chain ip nat prerouting { type nat hook prerouting priority dstnat; policy accept; }'
# TCP: redirect everything except the important ports ("counter" records hits, so the rule can be monitored)
nft 'add rule ip nat prerouting tcp dport != { 22,25,53,80,110,143,443,587,943,993,995 } counter redirect to :916'
# UDP: redirect everything except DNS
nft 'add rule ip nat prerouting udp dport != { 53 } counter redirect to :921'
Verify:
nft list table ip nat
Expected:
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		tcp dport != { 22, 25, 53, 80, 110, 143, 443, 587, 943, 993, 995 } counter packets 0 bytes 0 redirect to :916
		udp dport != { 53 } counter packets 0 bytes 0 redirect to :921
	}
}
To monitor whether connections are hitting the redirect rule:
watch -n1 'nft list table ip nat'
The packet counters on the two redirect rules should increase when you send test connections to ports such as 9201, 8080 or 5555.
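The same ruleset can be written as one nft file and loaded atomically with nft -f, so that a typo in one rule never leaves the table half-applied. The script below is an added example, not code from the original post: it generates the ruleset, parse-checks it with nft -c, and only then loads it. The port lists and OpenVPN worker ports are the ones given above; WAN_IF is a placeholder for the uplink interface and must be set to the real one. The iifname match is an addition on top of the post's rules: it limits the redirect to traffic arriving on the uplink, so forwarded traffic from LAN or VPN interfaces is not swallowed by the catch-all.

```shell
#!/bin/sh
# Added example (not from the original post): build the redirect ruleset as
# one nft file and load it atomically with `nft -f`.
# Assumptions (constructed for this example):
#   - WAN_IF is a placeholder for the uplink interface; adjust it.
#   - port lists and OpenVPN worker ports are the ones the post gives.
set -u

KEEP_TCP="22, 25, 53, 80, 110, 143, 443, 587, 943, 993, 995"   # TCP ports left untouched
KEEP_UDP="53"                                                 # UDP: only DNS is left untouched
OVPN_TCP=916                                                  # OpenVPN TCP worker port
OVPN_UDP=921                                                  # OpenVPN UDP worker port
WAN_IF="${WAN_IF:-eth0}"                                      # placeholder uplink interface

# Print the complete ruleset.  The empty "table ip nat {}" creates the table if
# it is missing (so the following flush cannot fail), the flush drops stale
# rules, and the full definition re-adds the chain.  "counter" makes hits
# visible in `nft list table ip nat`; iifname keeps the redirect to the uplink.
gen_ruleset() {
    cat <<EOF
table ip nat {}
flush table ip nat
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$WAN_IF" tcp dport != { $KEEP_TCP } counter redirect to :$OVPN_TCP
        iifname "$WAN_IF" udp dport != { $KEEP_UDP } counter redirect to :$OVPN_UDP
    }
}
EOF
}

# Parse-check the ruleset with `nft -c` (nothing is changed); returns nft's status.
check_ruleset() {
    gen_ruleset | nft -c -f -
}

# Load it for real (needs root).  Check first so a typo never reaches the kernel.
apply_ruleset() {
    check_ruleset && gen_ruleset | nft -f -
}

case "${1:-print}" in
    print) gen_ruleset ;;                 # default: just show what would be loaded
    check) check_ruleset ;;
    apply) apply_ruleset ;;
    *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments to inspect the generated ruleset, with check to validate it as an unprivileged user (nft -c still needs the nft binary but makes no changes), and with apply as root to load it.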