Update firewall

Daniel Flanagan 2022-01-31 17:06:53 -06:00
parent 63dfe9c488
commit 13c9b7d82f


@ -1,13 +1,6 @@
define WAN = wan0 define WAN = wan0
define LAN = lan0 define LAN = lan0
define ROUTER_TCP_PORTS = { 22 }
define ROUTER_UDP_PORTS = { 546, 53, 67 }
define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
# define FACELESS_UDP_PORTS = { }
define DRAGON_TCP_PORTS = { 2221 }
# define DRAGON_UDP_PORTS = { }
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority filter; policy accept; type filter hook input priority filter; policy accept;
@ -17,8 +10,9 @@ table inet filter {
ip protocol icmpv6 accept ip protocol icmpv6 accept
ip protocol icmp accept ip protocol icmp accept
meta l4proto ipv6-icmp accept meta l4proto ipv6-icmp accept
tcp dport $ROUTER_TCP_PORTS accept tcp dport { 22 } accept comment "allow ssh to router"
udp dport $ROUTER_UDP_PORTS accept udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
udp dport { 60000-60009 } accept comment "allow mosh common ports"
drop drop
} }
@ -44,51 +38,22 @@ table ip nat {
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25 # ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.25 # faceless
# iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.25 # allow HTTP, HTTPS, gitea's SSH, and host ssh to faceless
iifname $WAN udp dport 60000-60009 dnat to 10.0.0.25 iifname $WAN tcp dport { 443, 80, 2222, 2200 } dnat to 10.0.0.25
# allow mosh
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.25
iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.10 # allow host ssh
# iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.10 iifname $WAN tcp dport { 2221 } dnat to 10.0.0.10
# allow mosh
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10 iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
# ourcraft
iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244 iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
} }
} }
table ip6 filter {
chain input {
type nat hook postrouting priority 100; policy accept;
oifname $LAN masquerade
type nat hook postrouting priority 100; policy accept;
oifname $LAN masquerade
prerouting
}
chain forward {
type nat hook prerouting priority -100; policy accept;
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.25
iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.25
# iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.25
iifname $WAN udp dport 60000-60009 dnat to 10.0.0.25
iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.10
# iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.10
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
}
chain output {
}
}
# the following two blocks were generated by restarting systemd-networkd and
# dumping nftables
# nat ipv4 for lan # nat ipv4 for lan
table ip io.systemd.nat { table ip io.systemd.nat {
set masq_saddr { set masq_saddr {
@ -117,6 +82,7 @@ table ip io.systemd.nat {
} }
} }
# nat ipv6 for lan
table ip6 io.systemd.nat { table ip6 io.systemd.nat {
set masq_saddr { set masq_saddr {
type ipv6_addr type ipv6_addr