Fix IPv6... again

This commit is contained in:
Daniel Flanagan 2022-02-07 16:51:23 -06:00
parent 7ec4eebc65
commit c7e9fbe549


@ -1,5 +1,6 @@
define WAN = wan0 define WAN = wan0
define LAN = lan0 define LAN = lan0
define VPN = wg-vpn
table inet filter { table inet filter {
chain input { chain input {
@ -7,11 +8,13 @@ table inet filter {
iifname "lo" accept iifname "lo" accept
ct state invalid drop ct state invalid drop
ct state { established, related } accept ct state { established, related } accept
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
ip protocol icmpv6 accept ip protocol icmpv6 accept
ip protocol icmp accept ip protocol icmp accept
meta l4proto ipv6-icmp accept meta l4proto ipv6-icmp accept
tcp dport { 22 } accept comment "allow ssh to router" # do these need ipv6-specific entries, too?
udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp" tcp dport { 51821, 22, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
udp dport { 60000-60009 } accept comment "allow mosh common ports" udp dport { 60000-60009 } accept comment "allow mosh common ports"
drop drop
} }
@ -88,11 +91,11 @@ table ip6 io.systemd.nat {
iifname "lo" accept iifname "lo" accept
ct state invalid drop ct state invalid drop
ct state { established, related } accept ct state { established, related } accept
# ip6 protocol icmpv6 accept # icmpv6 accept
# ip6 protocol icmp accept # icmp accept
meta l4proto ipv6-icmp accept meta l4proto ipv6-icmp accept
tcp dport { 22, 2200, 2221, 2200, 25565 } accept tcp dport { 51821, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
udp dport { 546, 53, 67 } accept comment "allow dhcpv6-client, dns, and dhcp" udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
udp dport { 60000-60009 } accept comment "allow mosh common ports" udp dport { 60000-60009 } accept comment "allow mosh common ports"
drop drop
} }
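Review bot: Port 22 disappears from the ip6 table's tcp set in the last hunk (`tcp dport { 51821, 2200, 2221, 2222, 25565 }` replaces a set that contained 22), so if that chain is an input base chain, IPv6 SSH to the router now falls through to its terminal `drop` even though the `inet filter` chain accepts it — an accept in one base chain does not skip the other chains on the same hook; the chain header is outside the hunk, so this is inferred from the visible `iifname "lo" accept` / `drop` pattern. If the omission is not intended, restore it: `tcp dport { 51821, 22, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"`. In the second hunk the same comment text is attached to a rule in `table inet filter`, which matches IPv4 as well, so the expanded set is now open on both families and the comment understates the exposure; and the new type-restricted `icmpv6 type { ... } accept` line is made redundant by the unchanged `meta l4proto ipv6-icmp accept` three lines below, which still admits every ICMPv6 type. No `iifname` restriction is visible in either hunk; if the chains have none, these ports are reachable from the WAN side too, which should at least be stated in the rule comments.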