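# Interface roles referenced by the rules below.
define WAN = wan0
define LAN = lan0
# Defined but not referenced by any rule in this file: the filter chains match
# on ports only (no iifname besides "lo"), so traffic arriving on the VPN
# interface is treated exactly like WAN or LAN traffic.
define VPN = wg-vpn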
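# Packet filter for both address families. In the inet family a single
# tcp/udp dport rule matches IPv4 and IPv6 alike, so no separate IPv6 port
# entries are needed.
table inet filter {
    chain input {
        # Default-deny via the chain policy (the former "policy accept" plus
        # a trailing "drop" rule behaved the same, but failed open if the
        # rule list was ever flushed or only partially loaded).
        type filter hook input priority filter; policy drop;

        iifname "lo" accept
        ct state invalid drop
        ct state { established, related } accept

        # ICMPv6 types required for neighbour/router discovery, MLD and
        # path-MTU discovery.
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, mld-listener-query, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        # Blanket ICMP accepts. The ipv6-icmp line shadows the typed list
        # above (every ICMPv6 type is accepted); delete it to enforce the
        # list. (A former "ip protocol icmpv6" rule matched IPv4 packets
        # carrying protocol 58, which is not ICMPv6, and was removed.)
        ip protocol icmp accept
        meta l4proto ipv6-icmp accept

        # Ports the router itself answers on. These rules apply on every
        # interface, including $WAN and $VPN. NOTE(review): 53 (DNS) and
        # 67 (DHCP) are normally LAN-only services; if so, prefix those
        # entries with "iifname $LAN".
        tcp dport { 64022, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 8448, 8008, 25565, 34197 } accept
        udp dport { 64020, 10578, 51821, 51820, 22, 53, 67, 2201, 2221, 25565, 34197 } accept
        udp dport 60000-60009 accept
        udp dport dhcpv6-client accept
    }

    chain forward {
        # Forwarding is unrestricted; what the WAN can reach inside is bounded
        # only by the rewrites in table ip nat and by routing. A stricter
        # shape (not applied, it would also cut VPN forwarding unless an
        # iifname $VPN rule is added) is:
        #   ct state established,related accept
        #   iifname $LAN accept
        #   iifname $WAN ct status dnat accept
        #   drop
        type filter hook forward priority filter; policy accept;
        accept
    }

    chain output {
        type filter hook output priority filter; policy accept;
        accept
    }
}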
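table ip nat {
    # Source ranges masqueraded on egress (see chain postrouting).
    set masq_saddr {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8 }
    }

    # proto . dport -> host . port, consulted for traffic to the router's own
    # addresses (prerouting) and for locally generated traffic (output).
    # Empty in this file; presumably populated at runtime - verify.
    map map_port_ipport {
        type inet_proto . inet_service : ipv4_addr . inet_service
    }

    chain prerouting {
        # Hook spec first, as in the other chains (nft accepts it anywhere in
        # the block, but rule order is easier to read this way).
        type nat hook prerouting priority dstnat + 1; policy accept;

        # Packets from the LAN are never rewritten, so the map lookup and the
        # per-host rules below only see other interfaces (WAN, VPN). LAN
        # clients addressing the router's public address are therefore not
        # redirected (no hairpin DNAT).
        iifname $LAN accept
        fib daddr type local dnat ip addr . port to meta l4proto . th dport map @map_port_ipport

        # chromebox
        # WAN port 22 is rewritten here before routing, so port 22 on the
        # router itself (accepted in table inet filter) is reachable only
        # from non-WAN interfaces.
        iifname $WAN tcp dport { 443, 80, 22, 8008, 8448, 7777 } dnat to 10.0.0.5
        iifname $WAN udp dport { 7777 } dnat to 10.0.0.5
        iifname $WAN udp dport 60010-60019 dnat to 10.0.0.5

        # old dragon?
        # iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
        # iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10

        iifname $WAN tcp dport { 10578, 5588, 5589 } dnat to 10.0.0.11
        iifname $WAN udp dport { 10578 } dnat to 10.0.0.11

        # dragon reinstall?
        # TODO: tcp 5588/5589 are already matched by the 10.0.0.11 rule
        # above (first match wins), so for tcp the entries below are dead
        # while udp 5588/5589 go to 10.0.0.10. Pick one target per port.
        iifname $WAN tcp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
        iifname $WAN udp dport { 2221, 5588, 5589 } dnat to 10.0.0.10
        iifname $WAN udp dport 60020-60029 dnat to 10.0.0.10
        # iifname $WAN udp dport 9876-9877 dnat to 10.0.0.10 # valheim

        # beefcake (ben access)
        iifname $WAN tcp dport { 64022 } dnat to 10.0.0.9
        iifname $WAN udp dport { 64020 } dnat to 10.0.0.9

        # mnemonic
        iifname $WAN tcp dport { 8022 } dnat to 10.0.0.248

        # ourcraft
        iifname $WAN tcp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100
        iifname $WAN udp dport { 2456, 2457, 25565, 34197 } dnat to 10.0.0.100

        # router
        iifname $WAN tcp dport { 2201 } dnat to 10.0.0.1
        iifname $WAN udp dport { 2201 } dnat to 10.0.0.1
    }

    chain output {
        type nat hook output priority -99; policy accept;
        # Locally generated traffic to the router's own non-loopback
        # addresses gets the same port map as prerouting.
        ip daddr != 127.0.0.0/8 oif "lo" dnat ip addr . port to meta l4proto . th dport map @map_port_ipport
    }

    chain postrouting {
        type nat hook postrouting priority srcnat + 1; policy accept;
        # NOTE(review): this rewrites the source of *every* packet leaving
        # via the LAN, including WAN traffic DNAT'd to the hosts above, so
        # those hosts log the router's LAN address instead of the real peer
        # and any per-source controls on them are blind. If the intent is
        # hairpin NAT only, narrow it to "iifname $LAN oifname $LAN masquerade".
        oifname $LAN masquerade
        # Masquerades 10/8 sources on any other egress interface (WAN, VPN).
        ip saddr @masq_saddr masquerade
    }
}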
# table ip filter {
# chain output {
# type filter hook output priority 100; policy accept;
# }
#
# chain input {
# type filter hook input priority 0; policy accept;
# }
#
# chain forward {
# type filter hook forward priority 0; policy accept;
# }
# }
#