diff --git a/dnsmasq.conf b/dnsmasq.conf
index cb9766c..c5c28ea 100644
--- a/dnsmasq.conf
+++ b/dnsmasq.conf
@@ -8,9 +8,10 @@ dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h
 local=/h.lyte.dev/
-dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.10,12h
-dhcp-host=00:50:b6:24:27:0b,faceless,10.0.0.25,12h
-dhcp-host=d0:50:99:26:89:86,ourcraft,10.0.0.244,2m
+dhcp-host=dragon,10.0.0.10,12h
+dhcp-host=faceless,10.0.0.25,12h
+dhcp-host=kubeworker3,10.0.0.244,2m
+# dhcp-host=kubeworker3,d0:50:99:26:89:86,ourcraft,10.0.0.244,2m
 address=/dragon.h.lyte.dev/10.0.0.10
 address=/git.lyte.dev/10.0.0.25
diff --git a/nftables.conf b/nftables.conf
index 655c75f..46dffe3 100644
--- a/nftables.conf
+++ b/nftables.conf
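Review bot: Dropping the MAC addresses turns `dhcp-host=dragon,10.0.0.10,12h` and the two lines after it into hostname-only reservations, which dnsmasq matches on the name the client itself sends in its DHCP request; any device on the LAN that claims to be `dragon` or `faceless` is handed that fixed address, and through the `address=/git.lyte.dev/10.0.0.25` record below it inherits that DNS name as well. Keeping the hardware address on each line preserves the binding, e.g. `dhcp-host=d0:50:99:26:89:86,kubeworker3,10.0.0.244,2m` for the renamed host. The commented-out line appears to carry two hostnames (`kubeworker3` and `ourcraft`); dnsmasq takes one hostname per `dhcp-host`, so it is unlikely to load as written if it is ever uncommented, and it is probably better replaced by the MAC-bound form above than kept as a reminder.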
@@ -82,29 +82,28 @@ table ip io.systemd.nat {
 }
 }
-# nat ipv6 for lan
 table ip6 io.systemd.nat {
- set masq_saddr {
- type ipv6_addr
- flags interval
+ chain input {
+ type filter hook input priority filter; policy accept;
+ iifname "lo" accept
+ ct state invalid drop
+ ct state { established, related } accept
+ # ip6 protocol icmpv6 accept
+ # ip6 protocol icmp accept
+ meta l4proto ipv6-icmp accept
+ tcp dport { 22, 2200, 2221, 2200, 25565 } accept
+ udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
+ udp dport { 60000-60009 } accept comment "allow mosh common ports"
+ drop
 }
- map map_port_ipport {
- type inet_proto . inet_service : ipv6_addr . inet_service
- }
-
- chain prerouting {
- type nat hook prerouting priority dstnat + 1; policy accept;
- fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
+ chain forward {
+ type filter hook forward priority filter; policy accept;
+ accept
 }
 chain output {
- type nat hook output priority -99; policy accept;
- ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
- }
-
- chain postrouting {
- type nat hook postrouting priority srcnat + 1; policy accept;
- ip6 saddr @masq_saddr masquerade
+ type filter hook output priority filter; policy accept;
+ accept
 }
 }
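Review bot: The new `chain forward` passes every forwarded IPv6 packet (`policy accept` plus an unconditional `accept`), and because this table replaces the removed masquerade/dnat setup on what appears to be the LAN router, hosts behind it become directly reachable from upstream over IPv6 with no state tracking at all; a forward chain that drops by default and only admits LAN-originated or established flows is the expected shape, sketched below with the `lan0` name taken from dnsmasq.conf and to be confirmed. In `chain input`, `udp dport { 546, 53, 67 }` opens the DHCPv6 client port but not the server port 547, so if this host is the DHCPv6 server set up by `dhcp-range=tag:lan0,::1,constructor:lan0,ra-names,12h` in dnsmasq.conf its client solicits fall through to the final `drop`, while 67 is the DHCPv4 server port and matches nothing useful in an `ip6` table — `udp dport { 546, 547, 53 } accept comment "allow dhcpv6 client/server and dns"` is probably what was meant. The set `{ 22, 2200, 2221, 2200, 25565 }` lists 2200 twice; the duplicate is at best redundant and may be rejected when the ruleset loads, so one copy should go. As a matter of tidiness the table keeps the name `io.systemd.nat` although it now only filters, and the two commented `# ip6 protocol ...` lines are dead alternatives to the `meta l4proto ipv6-icmp accept` rule right below them.
```nftables
 chain forward {
 type filter hook forward priority filter; policy drop;
 ct state invalid drop
 ct state { established, related } accept
 iifname "lan0" accept comment "LAN-originated flows; interface name from dnsmasq.conf, confirm"
 }
```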