From c7e9fbe549de231a435cc600c428df223bd905bf Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Mon, 7 Feb 2022 16:51:23 -0600
Subject: [PATCH] Fix IPv6... again
---
 nftables.conf | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/nftables.conf b/nftables.conf
index bfa3bc0..ce4e51f 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -1,5 +1,6 @@
 define WAN = wan0
 define LAN = lan0
+define VPN = wg-vpn
 table inet filter {
 chain input {
@@ -7,11 +8,13 @@ table inet filter {
 iifname "lo" accept
 ct state invalid drop
 ct state { established, related } accept
+icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
 ip protocol icmpv6 accept
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
-tcp dport { 22 } accept comment "allow ssh to router"
-udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
+# do these need ipv6-specific entries, too?
+tcp dport { 51821, 22, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
+udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
 udp dport { 60000-60009 } accept comment "allow mosh common ports"
 drop
 }
@@ -88,11 +91,11 @@ table ip6 io.systemd.nat {
 iifname "lo" accept
 ct state invalid drop
 ct state { established, related } accept
-# ip6 protocol icmpv6 accept
-# ip6 protocol icmp accept
+# icmpv6 accept
+# icmp accept
 meta l4proto ipv6-icmp accept
-tcp dport { 22, 2200, 2221, 2200, 25565 } accept
-udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp"
+tcp dport { 51821, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
+udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
 udp dport { 60000-60009 } accept comment "allow mosh common ports"
 drop
 }
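Review bot: The new `tcp dport { 51821, 22, 2200, 2221, 2222, 25565 } accept` and `udp dport { 51821, 51820, 546, 53, 67 } accept` lines in the `inet filter` input chain match on every interface, including $WAN, because nothing visible in the chain qualifies them by `iifname`; the replaced rule exposed only port 22 that way, so this widens what the router itself answers from the outside. The comment `"globally allowed ipv6 ports"` is also misleading here: an `inet` family table matches IPv4 and IPv6 alike, which answers the added `# do these need ipv6-specific entries, too?` question (they do not). If these services are only meant to be reached from inside, scope the rule, e.g. `iifname { $LAN, $VPN } tcp dport { 51821, 2200, 2221, 2222, 25565 } accept comment "services reachable from LAN/VPN only"`, and leave the WAN-facing set to what must be public; that would also give the new `define VPN = wg-vpn` a use, as no hunk references it. The added `icmpv6 type { ... } accept` line is immediately followed by the existing `meta l4proto ipv6-icmp accept`, which accepts every ICMPv6 type, so the type list currently has no filtering effect and should be documented as documentation-only or the broad rule removed. The `chain input` block continues outside the hunk.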
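Review bot: Port 22 is dropped from the `tcp dport { 51821, 2200, 2221, 2222, 25565 } accept` list in this chain while the `inet filter` input chain in the previous hunk still lists it; if this chain is a base chain on the input hook (its header is outside the hunk, so the hook and priority cannot be confirmed here), a packet must be accepted by every hook chain, so the trailing `drop` here would block SSH to the router over IPv6 even though the inet rule accepts it, which seems contrary to the "Fix IPv6" intent. Either restore it, `tcp dport { 51821, 22, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"`, or state in the comment that IPv6 SSH is deliberately excluded. The old list contained `2200` twice and the new one replaces the duplicate with `2222`, which looks like the actual fix; the commit message should say so. Keeping the two port lists identical, or deriving both from one `define`, would prevent this kind of drift between the inet and ip6 tables.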