Just need IPv6
This commit is contained in:
parent
4a36006457
commit
09b5a6d69c
4 changed files with 50 additions and 42 deletions
|
@ -4,5 +4,7 @@ Name=eth0
|
||||||
|
|
||||||
[Network]
|
[Network]
|
||||||
DHCP=yes
|
DHCP=yes
|
||||||
Gateway=0.0.0.0/1
|
IPForward=ipv4
|
||||||
IPForward=yes
|
|
||||||
|
IPv6AcceptRA=yes
|
||||||
|
IPv6PrivacyExtensions=kernel
|
||||||
|
|
|
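Review bot: `IPForward=ipv4` here, combined with `IPForward=yes` being removed from the lan0 file in this same commit, leaves nothing in the change that enables IPv6 forwarding, yet lan0 gains `IPv6SendRA=yes`, which only does useful work if this host actually forwards IPv6 for the LAN. Unless forwarding is switched on somewhere not in the commit (a sysctl drop-in, say), this wants to stay `IPForward=yes`. Whichever is intended, a one-line comment above it recording the reason for restricting to IPv4 would stop the next reader from reverting it blind.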
@ -4,5 +4,9 @@ Name=lan0
|
||||||
|
|
||||||
[Network]
|
[Network]
|
||||||
Address=10.0.0.1/24
|
Address=10.0.0.1/24
|
||||||
IPForward=yes
|
|
||||||
IPMasquerade=ipv4
|
IPMasquerade=ipv4
|
||||||
|
|
||||||
|
IPv6SendRA=yes
|
||||||
|
|
||||||
|
# [IPv6PrefixDelegation]
|
||||||
|
# RouterLifetimeSec=3600
|
||||||
|
|
|
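Review bot: The trailing commented-out `# [IPv6PrefixDelegation]` / `# RouterLifetimeSec=3600` block gives no hint of why it is disabled, and `[IPv6PrefixDelegation]` is the legacy name of the section that current systemd-networkd documents as `[IPv6SendRA]`, so uncommenting it as-is may be silently ignored depending on the installed version. Either drop the two lines (git keeps the history) or rewrite them as `# [IPv6SendRA]` with a short note on what lifetime is being tuned and why. Removing `IPForward=yes` here is only safe for IPv4 if networkd's documented behaviour that `IPMasquerade=` implies the matching `IPForward=` still holds; IPv6 forwarding for the `IPv6SendRA=yes` this hunk adds is not enabled by anything in the commit (see the eth0 section).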
@ -1,7 +1,7 @@
|
||||||
#!/usr/bin/env fish
|
#!/usr/bin/env fish
|
||||||
|
|
||||||
function rmlink
|
function rmlink
|
||||||
rm -f $argv[1]
|
rm -f $argv[2]
|
||||||
ezln $argv[1] $argv[2]
|
ezln $argv[1] $argv[2]
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
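Review bot: `rm -f $argv[2]` now removes the destination before `ezln $argv[1] $argv[2]` links it, which is consistent, but a missing second argument expands to nothing in fish, so the function then runs `rm -f` with no operand and calls `ezln` with a single argument instead of failing; guard the arity first with `test (count $argv) -eq 2; or return 1`. A header comment such as `# rmlink SRC DEST: remove DEST, then link SRC to DEST via ezln` would also make the argument order explicit, since `ezln` is not defined in this hunk and its argument convention can only be inferred.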
@ -1,21 +1,25 @@
|
||||||
define WAN = eth0
|
define WAN = eth0
|
||||||
define LAN = lan0
|
define LAN = lan0
|
||||||
|
|
||||||
|
define ROUTER_TCP_PORTS = { 22 }
|
||||||
|
define ROUTER_UDP_PORTS = { 546, 53, 67 }
|
||||||
|
define ROUTER_INET_PORTS = { 546, 53, 67 }
|
||||||
define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
|
define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
|
||||||
# define FACELESS_UDP_PORTS = 60000-60009
|
# define FACELESS_UDP_PORTS = { }
|
||||||
define DRAGON_TCP_PORTS = { 2221 }
|
define DRAGON_TCP_PORTS = { 2221 }
|
||||||
# define DRAGON_UDP_PORTS = 60020-60029
|
# define DRAGON_UDP_PORTS = { }
|
||||||
|
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter; policy accept;
|
type filter hook input priority filter; policy accept;
|
||||||
iifname "lo" accept
|
iifname "lo" accept
|
||||||
|
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query} accept
|
||||||
ct state { established, related } accept
|
ct state { established, related } accept
|
||||||
ct state invalid drop
|
ct state invalid drop
|
||||||
ip protocol icmp accept
|
ip protocol icmp accept
|
||||||
meta l4proto ipv6-icmp accept
|
meta l4proto ipv6-icmp accept
|
||||||
tcp dport { 22 } accept
|
tcp dport $ROUTER_TCP_PORTS accept
|
||||||
udp dport { 546, 53, 67 } accept
|
udp dport $ROUTER_UDP_PORTS accept
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -39,17 +43,15 @@ table ip nat {
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority -100; policy accept;
|
type nat hook prerouting priority -100; policy accept;
|
||||||
|
|
||||||
# ip daddr 10.0.0.1 tcp dport ( 2221 ) dnat to 10.0.0.5:22
|
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.10
|
||||||
# ip daddr 10.0.0.1 udp dport ( 60020 ) dnat to 10.0.0.5:60020
|
|
||||||
# ip daddr 10.0.0.1 udp dport ( 60021 ) dnat to 10.0.0.5:60021
|
|
||||||
|
|
||||||
# ip daddr 10.0.0.1 tcp dport ( 80 ) dnat to 10.0.0.10:80
|
iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.10
|
||||||
# ip daddr 10.0.0.1 tcp dport ( 443 ) dnat to 10.0.0.10:443
|
# iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.10
|
||||||
# ip daddr 10.0.0.1 tcp dport ( 2222 ) dnat to 10.0.0.10:2222
|
iifname $WAN udp dport 60000-60009 dnat to 10.0.0.10
|
||||||
# ip daddr 10.0.0.1 tcp dport ( 2200 ) dnat to 10.0.0.10:22
|
|
||||||
|
|
||||||
iifname $WAN tcp dport { 443, 80 } dnat to 10.0.0.10
|
iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.5
|
||||||
# iifname "lan0" tcp dport { 443, 80 } dnat to 10.0.0.10
|
# iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.5
|
||||||
|
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.5
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -85,28 +87,28 @@ table ip io.systemd.nat {
|
||||||
}
|
}
|
||||||
|
|
||||||
# nat ipv6 for lan (probably unnecessary?)
|
# nat ipv6 for lan (probably unnecessary?)
|
||||||
table ip6 io.systemd.nat {
|
# table ip6 io.systemd.nat {
|
||||||
set masq_saddr {
|
# set masq_saddr {
|
||||||
type ipv6_addr
|
# type ipv6_addr
|
||||||
flags interval
|
# flags interval
|
||||||
}
|
# }
|
||||||
|
#
|
||||||
map map_port_ipport {
|
# map map_port_ipport {
|
||||||
type inet_proto . inet_service : ipv6_addr . inet_service
|
# type inet_proto . inet_service : ipv6_addr . inet_service
|
||||||
}
|
# }
|
||||||
|
#
|
||||||
chain prerouting {
|
# chain prerouting {
|
||||||
type nat hook prerouting priority dstnat + 1; policy accept;
|
# type nat hook prerouting priority dstnat + 1; policy accept;
|
||||||
fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
|
# fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
|
||||||
}
|
# }
|
||||||
|
#
|
||||||
chain output {
|
# chain output {
|
||||||
type nat hook output priority -99; policy accept;
|
# type nat hook output priority -99; policy accept;
|
||||||
ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
|
# ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
|
||||||
}
|
# }
|
||||||
|
#
|
||||||
chain postrouting {
|
# chain postrouting {
|
||||||
type nat hook postrouting priority srcnat + 1; policy accept;
|
# type nat hook postrouting priority srcnat + 1; policy accept;
|
||||||
ip6 saddr @masq_saddr masquerade
|
# ip6 saddr @masq_saddr masquerade
|
||||||
}
|
# }
|
||||||
}
|
# }
|
||||||
|
|
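Review bot: The new UDP port-forward rules in the prerouting hunk hard-code `60000-60009` and `60020-60029` while the `FACELESS_UDP_PORTS`/`DRAGON_UDP_PORTS` defines and the `$...` rules beside them are left commented out; nft accepts a range as a define value, so `define FACELESS_UDP_PORTS = 60000-60009` and `define DRAGON_UDP_PORTS = 60020-60029` (as the pre-change comment spelled it) would let the UDP rules use variables the same way the TCP rules now do. In the first hunk, `define ROUTER_INET_PORTS = { 546, 53, 67 }` duplicates `ROUTER_UDP_PORTS` and is not referenced anywhere in the hunks shown, so it looks like a leftover. Also in the first hunk, the new `udp dport $ROUTER_UDP_PORTS accept` in the input chain is not scoped to an interface, so whatever listens on 53 and 67 is reachable from `$WAN` as well as `$LAN`; only 546 (the DHCPv6 client port) needs to be open toward the WAN, e.g. `iifname $WAN udp dport 546 accept` plus `iifname $LAN udp dport { 53, 67 } accept`. The granular `icmpv6 type { ... } accept` added above the `ct state` rules only moves those types ahead of `ct state invalid drop`, because the later `meta l4proto ipv6-icmp accept` still admits every other ICMPv6 type; if the intent was to limit ICMPv6 on the WAN side, that broad rule needs narrowing too.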