# Interface aliases used by the rules below.
define WAN = wan0
define LAN = lan0
# NOTE(review): $VPN is not referenced by any rule visible in this ruleset.
define VPN = wg-vpn

# Dual-stack (inet) filter table: one rule set matches both IPv4 and IPv6.
table inet filter {
    # Host-bound traffic. The chain policy is accept, but the unconditional
    # `drop` at the end makes it default-deny for anything not accepted above.
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lo" accept
        ct state invalid drop
        ct state { established, related } accept
        # ICMPv6 types needed for NDP, MLD and path-MTU discovery.
        icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query,destination-unreachable,packet-too-big,time-exceeded,parameter-problem} accept
        # NOTE(review): `ip protocol` inspects the IPv4 header only, so an IPv4
        # packet carrying protocol 58 (icmpv6) is not expected; this rule looks
        # like a no-op. Confirm whether it can be removed.
        ip protocol icmpv6 accept
        # All ICMPv4 (including echo-request) is accepted.
        ip protocol icmp accept
        # NOTE(review): this accepts every ICMPv6 type, which makes the type
        # allowlist above redundant. If the allowlist is the intent, this rule
        # is the one to revisit.
        meta l4proto ipv6-icmp accept
        # do these need ipv6-specific entries, too?
        # (In an inet table, tcp/udp dport rules already match both families,
        # so no separate IPv6 entries are needed for these ports.)
        # NOTE(review): 2200/2221/2222/25565 are also DNAT targets in the ip nat
        # prerouting chain below; DNAT'd WAN traffic traverses forward rather
        # than input, so accepting them here mainly affects LAN-originated
        # connections to the router itself.
        tcp dport { 51821, 22, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
        udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
        udp dport { 60000-60009 } accept comment "allow mosh common ports"
        drop
    }
    # NOTE(review): forwarding is unrestricted in every direction; nothing here
    # limits WAN->LAN forwarding to the DNAT'd flows below or to established
    # connections, so any routed traffic is passed through.
    chain forward {
        type filter hook forward priority filter; policy accept;
        accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        accept
    }
}

# IPv4-only NAT table: port forwards from WAN into LAN hosts.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # NOTE(review): masquerade is applied on the LAN-facing interface, so
        # forwarded flows (including the WAN->LAN DNATs below) reach the internal
        # hosts with the router's LAN address as source. The internal hosts'
        # logs and any source-based controls on them will not see the original
        # client address; confirm this is intended.
        oifname $LAN masquerade
    }
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.210
        # accept ends this chain for LAN-originated packets, so they are never DNAT'd.
        iifname $LAN accept
        # faceless
        # allow HTTP, HTTPS, gitea's SSH, and host ssh to faceless
        iifname $WAN tcp dport { 443, 80, 2222, 2200 } dnat to 10.0.0.210
        # allow mosh
        iifname $WAN udp dport 60010-60019 dnat to 10.0.0.210
        # allow host ssh
        iifname $WAN tcp dport { 2221, 5588, 5555 } dnat to 10.0.0.10
        # allow mosh
        iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
        # ourcraft
        iifname $WAN tcp dport { 25565 } dnat to 10.0.0.244
    }
}

# nat ipv4 for lan
# NOTE(review): io.systemd.nat is the table name systemd-networkd uses for its
# own IPMasquerade= rules. If networkd is active on this host, confirm it does
# not flush or replace this table (and the ip6 table below) when it reconfigures.
table ip io.systemd.nat {
    # Source addresses that are masqueraded in postrouting.
    set masq_saddr {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/24 }
    }
    # (proto, port) -> (addr, port) port mappings. No elements are populated
    # in this ruleset, so the two dnat rules below currently match nothing.
    map map_port_ipport {
        type inet_proto . inet_service : ipv4_addr . inet_service
    }
    chain prerouting {
        type nat hook prerouting priority dstnat + 1; policy accept;
        fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
    }
    chain output {
        type nat hook output priority -99; policy accept;
        ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
    }
    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        # NOTE(review): no output-interface match, so 10.0.0.0/24 sources are
        # masqueraded on every egress interface, not only $WAN.
        ip saddr @masq_saddr masquerade
    }
}

# NOTE(review): despite the nat-style table name, this table holds only filter
# chains. Its input chain is registered at the same hook and priority as the
# inet filter input chain, and a packet must be accepted by both base chains to
# reach the host. This chain's tcp list omits port 22, so IPv6 SSH on 22 is
# dropped here even though inet filter accepts it; confirm which list is intended.
table ip6 io.systemd.nat {
    chain input {
        type filter hook input priority filter; policy accept;
        iifname "lo" accept
        ct state invalid drop
        ct state { established, related } accept
        # icmpv6 accept
        # icmp accept
        # All ICMPv6 types are accepted.
        meta l4proto ipv6-icmp accept
        tcp dport { 51821, 2200, 2221, 2222, 25565 } accept comment "globally allowed ipv6 ports"
        # udp 67 (DHCPv4) cannot occur in an ip6 table; harmless but unreachable.
        udp dport { 51821, 51820, 546, 53, 67 } accept comment "allow dhcpv6-client, dns, dhcp, and wireguard"
        udp dport { 60000-60009 } accept comment "allow mosh common ports"
        drop
    }
    # Unrestricted IPv6 forwarding, mirroring the inet filter forward chain.
    chain forward {
        type filter hook forward priority filter; policy accept;
        accept
    }
    chain output {
        type filter hook output priority filter; policy accept;
        accept
    }
}