WOrk on ipv6 crap again
This commit is contained in:
parent
944fdb581b
commit
d602b789d0
2 changed files with 34 additions and 59 deletions
|
@ -7,7 +7,8 @@
|
||||||
|
|
||||||
127.0.0.1 localhost
|
127.0.0.1 localhost
|
||||||
::1 localhost
|
::1 localhost
|
||||||
127.0.1.1 router.h.lyte.dev router
|
# 127.0.1.1 router.h.lyte.dev router
|
||||||
|
|
||||||
# 10.0.0.1 router.h.lyte.dev router
|
# 10.0.0.1 router.h.lyte.dev router
|
||||||
|
|
||||||
10.0.0.1 vpn.h.lyte.dev
|
10.0.0.1 vpn.h.lyte.dev
|
||||||
|
|
|
@ -13,9 +13,10 @@ table inet filter {
|
||||||
ip protocol icmp accept
|
ip protocol icmp accept
|
||||||
meta l4proto ipv6-icmp accept
|
meta l4proto ipv6-icmp accept
|
||||||
# do these need ipv6-specific entries, too?
|
# do these need ipv6-specific entries, too?
|
||||||
tcp dport { 51821, 22, 2201, 2221, 25565 } accept comment "globally allowed ipv6 ports"
|
tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept
|
||||||
udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
|
udp dport { 51821, 51820, 53, 67, 34197 } accept
|
||||||
udp dport { 60000-60009 } accept comment "allow mosh common ports"
|
udp dport { 60000-60009 } accept
|
||||||
|
udp dport dhcpv6-client accept
|
||||||
drop
|
drop
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -31,36 +32,6 @@ table inet filter {
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip nat {
|
table ip nat {
|
||||||
chain postrouting {
|
|
||||||
type nat hook postrouting priority 100; policy accept;
|
|
||||||
oifname $LAN masquerade
|
|
||||||
}
|
|
||||||
|
|
||||||
chain prerouting {
|
|
||||||
type nat hook prerouting priority -100; policy accept;
|
|
||||||
|
|
||||||
# ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.210
|
|
||||||
iifname $LAN accept
|
|
||||||
|
|
||||||
# faceless
|
|
||||||
# allow HTTP, HTTPS, and ssh to faceless
|
|
||||||
iifname $WAN tcp dport { 443, 80, 22 } dnat to 10.0.0.210
|
|
||||||
# allow mosh
|
|
||||||
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
|
|
||||||
|
|
||||||
# allow host ssh plus some stuff for the ranch talk
|
|
||||||
iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
|
|
||||||
# allow mosh
|
|
||||||
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
|
|
||||||
|
|
||||||
# ourcraft
|
|
||||||
iifname $WAN tcp dport { 25565, 34197 } dnat to 10.0.0.244
|
|
||||||
iifname $WAN udp dport { 25565, 34197 } dnat to 10.0.0.244
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
# nat ipv4 for lan
|
|
||||||
table ip io.systemd.nat {
|
|
||||||
set masq_saddr {
|
set masq_saddr {
|
||||||
type ipv4_addr
|
type ipv4_addr
|
||||||
flags interval
|
flags interval
|
||||||
|
@ -72,8 +43,21 @@ table ip io.systemd.nat {
|
||||||
}
|
}
|
||||||
|
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
|
iifname $LAN accept
|
||||||
type nat hook prerouting priority dstnat + 1; policy accept;
|
type nat hook prerouting priority dstnat + 1; policy accept;
|
||||||
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
|
||||||
|
|
||||||
|
# faceless
|
||||||
|
iifname $WAN tcp dport { 443, 80, 22 } dnat to 10.0.0.210
|
||||||
|
iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
|
||||||
|
|
||||||
|
# dragon
|
||||||
|
iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
|
||||||
|
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
|
||||||
|
|
||||||
|
# ourcraft
|
||||||
|
iifname $WAN tcp dport { 25565, 34197 } dnat to 10.0.0.244
|
||||||
|
iifname $WAN udp dport { 25565, 34197 } dnat to 10.0.0.244
|
||||||
}
|
}
|
||||||
|
|
||||||
chain output {
|
chain output {
|
||||||
|
@ -83,32 +67,22 @@ table ip io.systemd.nat {
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority srcnat + 1; policy accept;
|
type nat hook postrouting priority srcnat + 1; policy accept;
|
||||||
|
oifname $LAN masquerade
|
||||||
ip saddr @masq_saddr masquerade
|
ip saddr @masq_saddr masquerade
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
table ip6 io.systemd.nat {
|
# table ip filter {
|
||||||
chain input {
|
# chain output {
|
||||||
type filter hook input priority filter; policy accept;
|
# type filter hook output priority 100; policy accept;
|
||||||
iifname "lo" accept
|
# }
|
||||||
ct state invalid drop
|
#
|
||||||
ct state { established, related } accept
|
# chain input {
|
||||||
# icmpv6 accept
|
# type filter hook input priority 0; policy accept;
|
||||||
# icmp accept
|
# }
|
||||||
meta l4proto ipv6-icmp accept
|
#
|
||||||
tcp dport { 51821, 22, 2201, 2221, 25565, 34197 } accept comment "globally allowed ipv6 ports"
|
# chain forward {
|
||||||
udp dport { 51821, 51820, 546, 53, 67, 25565, 34197 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
|
# type filter hook forward priority 0; policy accept;
|
||||||
# udp dport { 60000-60009 } accept comment "allow mosh common ports"
|
# }
|
||||||
drop
|
# }
|
||||||
}
|
#
|
||||||
|
|
||||||
chain forward {
|
|
||||||
type filter hook forward priority filter; policy accept;
|
|
||||||
accept
|
|
||||||
}
|
|
||||||
|
|
||||||
chain output {
|
|
||||||
type filter hook output priority filter; policy accept;
|
|
||||||
accept
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
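Review bot: `oifname $LAN masquerade`, carried into the `io.systemd.nat` postrouting chain in the last hunk, rewrites the source of every packet leaving toward the LAN, which includes the WAN connections the prerouting chain DNATs to 10.0.0.210, 10.0.0.10 and 10.0.0.244; those hosts therefore see every external client as the router's LAN address, so their sshd and web logs, any fail2ban-style banning and any per-IP rate limiting on faceless, dragon and ourcraft lose the real client IP. The rule is not new (the removed `table ip nat` had the same line), but it now sits next to systemd's `ip saddr @masq_saddr masquerade`; if IPMasquerade= on the LAN interface already populates `masq_saddr`, LAN egress is covered without it and its only remaining effect is hiding client addresses from the forwarded services. If that is deliberate (for example so replies return through the router when a target host has a different default gateway), a comment such as `# intentional: SNAT toward LAN so forwarded flows return via this router; client IPs are not preserved` would keep the next reader from removing it; otherwise `oifname $WAN masquerade`, or relying on the systemd rule alone, gives source-preserving DNAT. The enclosing `table ip io.systemd.nat` block opens in an earlier hunk, outside this one.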