WOrk on ipv6 crap again

2022-03-23 13:30:12 -05:00 · 2022-03-23 13:30:12 -05:00 · d602b789d0
parent 944fdb581b
commit d602b789d0
2 changed files with 34 additions and 59 deletions
--- a/3
+++ b/3
@ -7,7 +7,8 @@

 127.0.0.1 localhost
 ::1 localhost
-127.0.1.1 router.h.lyte.dev router
+# 127.0.1.1 router.h.lyte.dev router
+
 # 10.0.0.1 router.h.lyte.dev router

 10.0.0.1 vpn.h.lyte.dev
--- a/nftables.conf
+++ b/nftables.conf
@ -13,9 +13,10 @@ table inet filter {
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
 		# do these need ipv6-specific entries, too?
-		tcp dport { 51821, 22, 2201, 2221, 25565 } accept comment "globally allowed ipv6 ports"
-		udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
-		udp dport { 60000-60009 } accept comment "allow mosh common ports"
+		tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept
+		udp dport { 51821, 51820, 53, 67, 34197 } accept
+		udp dport { 60000-60009 } accept
+		udp dport dhcpv6-client accept
 		drop
 	}

@ -31,36 +32,6 @@ table inet filter {
 }

 table ip nat {
-	chain postrouting {
-		type nat hook postrouting priority 100; policy accept;
-		oifname $LAN masquerade
-	}
-
-	chain prerouting {
-		type nat hook prerouting priority -100; policy accept;
-
-		# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.210
-		iifname $LAN accept
-
-		# faceless
-		# allow HTTP, HTTPS, and ssh to faceless
-		iifname $WAN tcp dport { 443, 80, 22 } dnat to 10.0.0.210 
-		# allow mosh
-		iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
-
-		# allow host ssh plus some stuff for the ranch talk
-		iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
-		# allow mosh
-		iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
-
-		# ourcraft
-		iifname $WAN tcp dport { 25565, 34197 } dnat to 10.0.0.244
-		iifname $WAN udp dport { 25565, 34197 } dnat to 10.0.0.244
-	}
-}
-
-# nat ipv4 for lan
-table ip io.systemd.nat {
 	set masq_saddr {
 		type ipv4_addr
 		flags interval
@ -72,8 +43,21 @@ table ip io.systemd.nat {
 	}

 	chain prerouting {
+		iifname $LAN accept
 		type nat hook prerouting priority dstnat + 1; policy accept;
 		fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
+
+		# faceless
+		iifname $WAN tcp dport { 443, 80, 22 } dnat to 10.0.0.210 
+		iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
+
+		# dragon
+		iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
+		iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
+
+		# ourcraft
+		iifname $WAN tcp dport { 25565, 34197 } dnat to 10.0.0.244
+		iifname $WAN udp dport { 25565, 34197 } dnat to 10.0.0.244
 	}

 	chain output {
@ -83,32 +67,22 @@ table ip io.systemd.nat {

 	chain postrouting {
 		type nat hook postrouting priority srcnat + 1; policy accept;
+		oifname $LAN masquerade
 		ip saddr @masq_saddr masquerade
 	}
 }

-table ip6 io.systemd.nat {
-	chain input {
-		type filter hook input priority filter; policy accept;
-		iifname "lo" accept
-		ct state invalid drop
-		ct state { established, related } accept
-		# icmpv6 accept
-		# icmp accept
-		meta l4proto ipv6-icmp accept
-		tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept comment "globally allowed ipv6 ports"
-		udp dport { 51821, 51820, 546, 53, 67, 25565, 34197 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
-		# udp dport { 60000-60009 } accept comment "allow mosh common ports"
-		drop
-	}
-
-	chain forward {
-		type filter hook forward priority filter; policy accept;
-		accept
-	}
-
-	chain output {
-		type filter hook output priority filter; policy accept;
-		accept
-	}
-}
+# table ip filter {
+# 	chain output {
+# 		type filter hook output priority 100; policy accept;
+# 	}
+# 
+# 	chain input {
+# 		type filter hook input priority 0; policy accept;
+# 	}
+# 
+# 	chain forward {
+# 		type filter hook forward priority 0; policy accept;
+# 	}
+# }
+#