WOrk on ipv6 crap again

This commit is contained in:
Daniel Flanagan 2022-03-23 13:30:12 -05:00
parent 944fdb581b
commit d602b789d0
2 changed files with 34 additions and 59 deletions


@ -7,7 +7,8 @@
127.0.0.1 localhost 127.0.0.1 localhost
::1 localhost ::1 localhost
127.0.1.1 router.h.lyte.dev router # 127.0.1.1 router.h.lyte.dev router
# 10.0.0.1 router.h.lyte.dev router # 10.0.0.1 router.h.lyte.dev router
10.0.0.1 vpn.h.lyte.dev 10.0.0.1 vpn.h.lyte.dev
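Review bot: After this change the host's own name `router.h.lyte.dev` / `router` has no active mapping in this file: the 127.0.1.1 entry is commented out here and the 10.0.0.1 entry on the following line was already commented out, so anything that resolves the local hostname now depends on DNS being reachable, which on a router is often served by the box itself. If that is intended (for example because the name is meant to resolve to a dynamically assigned or IPv6 address), a comment next to the disabled line would save the next reader from re-enabling it, something like `# router.h.lyte.dev is deliberately not mapped here; it resolves via DNS`. Otherwise keeping one loopback or LAN entry for the hostname avoids lookup failures and delays when DNS is down. The hunk's line counts (-7,7 +7,8) do not match the lines shown, so part of this hunk is not visible here.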


@ -13,9 +13,10 @@ table inet filter {
ip protocol icmp accept ip protocol icmp accept
meta l4proto ipv6-icmp accept meta l4proto ipv6-icmp accept
# do these need ipv6-specific entries, too? # do these need ipv6-specific entries, too?
tcp dport { 51821, 22, 2201, 2221, 25565 } accept comment "globally allowed ipv6 ports" tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept
udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard" udp dport { 51821, 51820, 53, 67, 34197 } accept
udp dport { 60000-60009 } accept comment "allow mosh common ports" udp dport { 60000-60009 } accept
udp dport dhcpv6-client accept
drop drop
} }
@ -31,36 +32,6 @@ table inet filter {
} }
table ip nat { table ip nat {
chain postrouting {
type nat hook postrouting priority 100; policy accept;
oifname $LAN masquerade
}
chain prerouting {
type nat hook prerouting priority -100; policy accept;
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.210
iifname $LAN accept
# faceless
# allow HTTP, HTTPS, and ssh to faceless
iifname $WAN tcp dport { 443, 80, 22 } dnat to 10.0.0.210
# allow mosh
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
# allow host ssh plus some stuff for the ranch talk
iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
# allow mosh
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
# ourcraft
iifname $WAN tcp dport { 25565, 34197 } dnat to 10.0.0.244
iifname $WAN udp dport { 25565, 34197 } dnat to 10.0.0.244
}
}
# nat ipv4 for lan
table ip io.systemd.nat {
set masq_saddr { set masq_saddr {
type ipv4_addr type ipv4_addr
flags interval flags interval
@ -72,8 +43,21 @@ table ip io.systemd.nat {
} }
chain prerouting { chain prerouting {
iifname $LAN accept
type nat hook prerouting priority dstnat + 1; policy accept; type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
# faceless
iifname $WAN tcp dport { 443, 80, 22 } dnat to 10.0.0.210
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
# dragon
iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
# ourcraft
iifname $WAN tcp dport { 25565, 34197 } dnat to 10.0.0.244
iifname $WAN udp dport { 25565, 34197 } dnat to 10.0.0.244
} }
chain output { chain output {
@ -83,32 +67,22 @@ table ip io.systemd.nat {
chain postrouting { chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept; type nat hook postrouting priority srcnat + 1; policy accept;
oifname $LAN masquerade
ip saddr @masq_saddr masquerade ip saddr @masq_saddr masquerade
} }
} }
table ip6 io.systemd.nat { # table ip filter {
chain input { # chain output {
type filter hook input priority filter; policy accept; # type filter hook output priority 100; policy accept;
iifname "lo" accept # }
ct state invalid drop #
ct state { established, related } accept # chain input {
# icmpv6 accept # type filter hook input priority 0; policy accept;
# icmp accept # }
meta l4proto ipv6-icmp accept #
tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept comment "globally allowed ipv6 ports" # chain forward {
udp dport { 51821, 51820, 546, 53, 67, 25565, 34197 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard" # type filter hook forward priority 0; policy accept;
# udp dport { 60000-60009 } accept comment "allow mosh common ports" # }
drop # }
} #
chain forward {
type filter hook forward priority filter; policy accept;
accept
}
chain output {
type filter hook output priority filter; policy accept;
accept
}
}
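Review bot: The new-side `table ip6 io.systemd.nat` input chain duplicates filtering that `table inet filter` already applies to IPv6 on the same hook, and the two port lists have already diverged: the ip6 chain allows udp 25565 while the updated inet list in the first hunk does not, and because a packet must be accepted by every base chain registered on a hook, an entry in the ip6 table can only narrow what `inet filter` permits, so that udp 25565 entry (and the forward chain's unconditional `accept`) has no effect. The question in the first hunk's comment, `# do these need ipv6-specific entries, too?`, is answered by the `inet` family itself, which matches both IPv4 and IPv6, so the cleanest fix is to keep the allowed-port sets in `inet filter` only and drop the ip6 filter chains, or at least add `# inet filter already covers ipv6; keep port lists in one place` above the new table so the lists are not maintained twice. The table is also named `io.systemd.nat`, which appears to be the name of the table that systemd-networkd manages for `table ip` above; if networkd also manages an ip6 table of that name it may flush these chains on reconfiguration, so a distinct name such as `filter6` would be safer, pending confirmation of how that table is created. The DNAT rules for 10.0.0.210, 10.0.0.10 and 10.0.0.244 are removed from both `table ip nat` and the `io.systemd.nat` prerouting chain in the earlier hunks; if those forwards are still wanted they now rely entirely on `@map_port_ipport` being populated elsewhere. The `table inet filter` that the first hunk modifies starts before the hunk, so its forward chain and priorities are not visible here.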