Fix internal routing to main server

dnsmasq.conf

@@ -78,7 +78,14 @@ server=8.8.4.4
 # Add domains which you want to force to an IP address here.
 # The example below send any host in double-click.net to a local
 # web-server.
-#address=/double-click.net/127.0.0.1
+address=/git.lyte.dev/10.0.0.10
+address=/h.lyte.dev/10.0.0.10
+address=/a.lyte.dev/10.0.0.10
+address=/.h.lyte.dev/10.0.0.10
+address=/#.h.lyte.dev/10.0.0.10
+address=/bw.lyte.dev/10.0.0.10
+address=/files.lyte.dev/10.0.0.10
+address=/grafana.lyte.dev/10.0.0.10
 
 # --address (and --server) work with IPv6 addresses too.
 #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
@@ -225,7 +232,7 @@ dhcp-range=10.0.0.5,10.0.0.250,255.255.255.0,10m
 # do not matter, it's permissible to give name, address and MAC in any
 # order.
 dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.5,12h
-# dhcp-host=????,faceless,10.0.0.10,12h
+dhcp-host=00:50:b6:24:27:0b,faceless,10.0.0.10,12h
 
 # Always allocate the host with Ethernet address 11:22:33:44:55:66
 # The IP address 192.168.0.60

firewall-edit.sh

@@ -3,6 +3,7 @@
 # TODO: diff with existing before just overwriting what's here in git?
 
 my_config="$(dirname "$(realpath "$0")")/nftables.conf"
+t="/tmp/nftables.conf"
 
 # we don't care about existing rules - just use ours, thanks
 # sudo nft -s list ruleset >> "$f"
@@ -12,9 +13,10 @@ cat "$my_config"
 echo "Do you want to load this config? [y/N]"
 read -r l
 [[ $l == "y" ]] && {
-	printf "flush ruleset\n\n" > "/tmp/nftables.txt"
+	printf "flush ruleset\n\n" > "$t"
-	cat "$my_config" >> "/tmp/nftables.conf"
+	cat "$my_config" >> "$t"
-	sudo nft -f "/tmp/nftables.conf"
+	sudo nft -f "$t"
 	sudo cp "$my_config" "/etc/nftables.conf"
+	rm "$t"
 	echo "Done loading!"
 }

nftables.conf

@@ -1,15 +1,22 @@
+define WAN = eth0
+define LAN = lan0
+
+define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
+# define FACELESS_UDP_PORTS = 60000-60009
+define DRAGON_TCP_PORTS = { 2221 }
+# define DRAGON_UDP_PORTS = 60020-60029
+
 table inet filter {
 	chain input {
 		type filter hook input priority filter; policy accept;
-		udp dport 546 accept
+		iifname "lo" accept
-		udp dport 53 accept
 		ct state { established, related } accept
 		ct state invalid drop
-		iifname "lo" accept
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
-		tcp dport 22 accept
+		tcp dport { 22 } accept
-		accept
+		udp dport { 546, 53, 67 } accept
+		drop
 	}
 
 	chain forward {
@@ -19,9 +26,33 @@ table inet filter {
 
 	chain output {
 		type filter hook output priority filter; policy accept;
+        accept
 	}
 }
 
+table ip nat {
+    chain postrouting {
+        type nat hook postrouting priority 100; policy accept;
+        oifname $LAN masquerade
+    }
+
+    chain prerouting {
+        type nat hook prerouting priority -100; policy accept;
+
+        # ip daddr 10.0.0.1 tcp dport ( 2221 ) dnat to 10.0.0.5:22
+        # ip daddr 10.0.0.1 udp dport ( 60020 ) dnat to 10.0.0.5:60020
+        # ip daddr 10.0.0.1 udp dport ( 60021 ) dnat to 10.0.0.5:60021
+
+        # ip daddr 10.0.0.1 tcp dport ( 80 ) dnat to 10.0.0.10:80
+        # ip daddr 10.0.0.1 tcp dport ( 443 ) dnat to 10.0.0.10:443
+        # ip daddr 10.0.0.1 tcp dport ( 2222 ) dnat to 10.0.0.10:2222
+        # ip daddr 10.0.0.1 tcp dport ( 2200 ) dnat to 10.0.0.10:22
+
+        iifname $WAN tcp dport { 443, 80 } dnat to 10.0.0.10
+        # iifname "lan0" tcp dport { 443, 80 } dnat to 10.0.0.10
+    }
+}
+
 # the following two blocks were generated by restarting systemd-networkd and
 # dumping nftables