diff --git a/etc-hosts b/etc-hosts
index 32010bc..69f74b1 100644
--- a/etc-hosts
+++ b/etc-hosts
@@ -7,7 +7,8 @@
 127.0.0.1 localhost
 ::1 localhost
-127.0.1.1 router.h.lyte.dev router
+# 127.0.1.1 router.h.lyte.dev router
+
 # 10.0.0.1 router.h.lyte.dev router
 10.0.0.1 vpn.h.lyte.dev
diff --git a/nftables.conf b/nftables.conf
index 81ecd93..f34333d 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -13,9 +13,10 @@ table inet filter {
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
 # do these need ipv6-specific entries, too?
- tcp dport { 51821, 22, 2201, 2221, 25565 } accept comment "globally allowed ipv6 ports"
- udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
- udp dport { 60000-60009 } accept comment "allow mosh common ports"
+ tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept
+ udp dport { 51821, 51820, 53, 67, 34197 } accept
+ udp dport { 60000-60009 } accept
+ udp dport dhcpv6-client accept
 drop
 }
@@ -31,36 +32,6 @@ table inet filter {
 }
 table ip nat {
- chain postrouting {
- type nat hook postrouting priority 100; policy accept;
- oifname $LAN masquerade
- }
-
- chain prerouting {
- type nat hook prerouting priority -100; policy accept;
-
- # ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.210
- iifname $LAN accept
-
- # faceless
- # allow HTTP, HTTPS, and ssh to faceless
- iifname $WAN tcp dport { 443, 80, 22 } dnat to 10.0.0.210
- # allow mosh
- iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
-
- # allow host ssh plus some stuff for the ranch talk
- iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
- # allow mosh
- iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
-
- # ourcraft
- iifname $WAN tcp dport { 25565, 34197 } dnat to 10.0.0.244
- iifname $WAN udp dport { 25565, 34197 } dnat to 10.0.0.244
- }
-}
-
-# nat ipv4 for lan
-table ip io.systemd.nat {
 set masq_saddr {
 type ipv4_addr
 flags interval
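Review bot: Commenting out `127.0.1.1 router.h.lyte.dev router` while the `10.0.0.1 router.h.lyte.dev router` line stays commented leaves this file with no entry for the host's own name; on systems where that line is what makes `router` resolve without DNS, anything that resolves the local hostname early at boot (before the network or resolver is up) can fail or stall. If the intent is to move the name to the LAN address, uncomment the `10.0.0.1` line in the same change; if the name is served elsewhere (DNS or nss-myhostname), a one-line comment saying so would stop the next reader from restoring the entry. The rest of the hosts file is outside this hunk.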
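Review bot: The three rewritten accept rules drop the `comment "…"` annotations the old lines carried, so the input chain no longer records why 51820/51821, 53/67 or 60000-60009 are open; restore them on the new lines, e.g. `udp dport dhcpv6-client accept comment "allow dhcpv6-client"`, and give 34197 its own (the old "globally allowed ipv6 ports" wording was already misleading for an `inet` chain). Traffic arriving on `$WAN` for 34197 is DNATed to 10.0.0.244 in the prerouting hunk further down and therefore traverses forward, not input, so accepting it here only opens the port on the router itself; if nothing on the router listens on it, leave it out of these sets and allow it in the forward chain instead. None of these rules carries an `iifname` qualifier, so unless earlier rules of this chain (outside the hunk) restrict by interface, 53 and 67 stay reachable from `$WAN` — pre-existing, but worth an `iifname $LAN` qualifier or at least a comment while the lines are being touched. The chain's opening is outside the hunk.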
@@ -72,8 +43,21 @@ table ip io.systemd.nat {
 }
 chain prerouting {
+ iifname $LAN accept
 type nat hook prerouting priority dstnat + 1; policy accept;
 fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
+
+ # faceless
+ iifname $WAN tcp dport { 443, 80, 22 } dnat to 10.0.0.210
+ iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
+
+ # dragon
+ iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
+ iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
+
+ # ourcraft
+ iifname $WAN tcp dport { 25565, 34197 } dnat to 10.0.0.244
+ iifname $WAN udp dport { 25565, 34197 } dnat to 10.0.0.244
 }
 chain output {
@@ -83,32 +67,22 @@ table ip io.systemd.nat {
 chain postrouting {
 type nat hook postrouting priority srcnat + 1; policy accept;
+ oifname $LAN masquerade
 ip saddr @masq_saddr masquerade
 }
 }
-table ip6 io.systemd.nat {
- chain input {
- type filter hook input priority filter; policy accept;
- iifname "lo" accept
- ct state invalid drop
- ct state { established, related } accept
- # icmpv6 accept
- # icmp accept
- meta l4proto ipv6-icmp accept
- tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept comment "globally allowed ipv6 ports"
- udp dport { 51821, 51820, 546, 53, 67, 25565, 34197 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
- # udp dport { 60000-60009 } accept comment "allow mosh common ports"
- drop
- }
-
- chain forward {
- type filter hook forward priority filter; policy accept;
- accept
- }
-
- chain output {
- type filter hook output priority filter; policy accept;
- accept
- }
-}
+# table ip filter {
+# chain output {
+# type filter hook output priority 100; policy accept;
+# }
+#
+# chain input {
+# type filter hook input priority 0; policy accept;
+# }
+#
+# chain forward {
+# type filter hook forward priority 0; policy accept;
+# }
+# }
+#
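Review bot: `iifname $LAN accept` is now the first rule of the merged prerouting chain, ahead of `fib daddr type local dnat … map @map_port_ipport`, so a new connection from `$LAN` to one of the router's own addresses is accepted before the port map is consulted; in the old layout that map sat in a separate chain and still applied to LAN traffic, so LAN hosts reaching mapped ports through the router's address presumably stop working — if that is unintended, move the accept below the `fib` rule. The same rule is also placed above `type nat hook prerouting priority dstnat + 1; policy accept;`; nft parses this, but the hook declaration conventionally opens the chain, so the three-line reorder `type nat hook …` / `fib daddr …` / `iifname $LAN accept` keeps the chain readable. `masq_saddr` and `map_port_ipport` are the names systemd-networkd maintains inside its own `io.systemd.nat` table; with the table now called `nat` (earlier hunk), confirm that something still populates them, otherwise the `fib … map @map_port_ipport` rule matches nothing. The DNAT targets (10.0.0.210, .10, .244) also lost the "allow HTTP, HTTPS, and ssh" / "allow mosh" explanations the old rules had; a short `comment "…"` on each line would preserve them in `nft list ruleset` output. The set and map definitions this chain references are outside the hunk.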
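Review bot: `oifname $LAN masquerade` rewrites the source address of every connection leaving through `$LAN`, including the WAN→10.0.0.210/.10/.244 forwards set up in the prerouting hunk above, so those hosts see the router's LAN address instead of the real client and their logs, ban lists or per-source limits lose the origin. The old `table ip nat` rule being moved here behaved the same way, but now it sits beside `ip saddr @masq_saddr masquerade`; if the rewrite is only needed for hairpin reachability, qualify it (e.g. `iifname $LAN oifname $LAN masquerade`) and let the DNAT targets route replies via the router so WAN clients keep their address. The trailing `# table ip filter { … }` block is commented-out dead configuration with nothing saying why it is kept; either delete it or add a one-line comment above it explaining its purpose. The removed `table ip6 io.systemd.nat` input chain ended in `drop`; the `inet filter` input chain earlier in the file presumably covers IPv6 now, but its head is outside this diff.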