author | Xiao Pan <xyz@flylightning.xyz> | 2025-05-02 10:21:43 +0000 |
---|---|---|
committer | Xiao Pan <xyz@flylightning.xyz> | 2025-05-02 10:21:43 +0000 |
commit | a537ea97976a7800c46ad9f7d74a2f6a5579ada0 (patch) | |
tree | 7c4d26adaf272a4f83b28ad03d1350ebadbf4e12 | |
parent | d0236ca818c0922464926fd89d9f902e0a98c88a (diff) |
Add nft rules to port forward insp xmrd p2p when insp VPN into it
Also added the monerod-p2p service entry (18080/tcp) to /etc/services so nft can resolve the name
-rw-r--r-- | etc/nftables.conf | 18 | ||||
-rw-r--r-- | etc/services | 3 |
2 files changed, 19 insertions, 2 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index b824edee..1ea06d6b 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -40,6 +40,7 @@ table inet my_table {
 tcp dport submission accept
 tcp dport imaps accept
 tcp dport pop3s accept
+ tcp dport monerod-p2p accept
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 counter comment "count any other traffic"
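Review bot: The new `tcp dport monerod-p2p accept` opens 18080/tcp on the server itself, on every interface, while the connections this commit forwards are DNATed to 10.0.0.1 / fdc9:281f:04d7:9ee9::1 and therefore traverse the forward hook, not the input hook this chain appears to be (its header is outside the hunk). Unless monerod also listens on the server, this rule does nothing for the port forward and only widens the host's own exposure; I would drop it, or at least scope it to the tunnel, `iifname $wg_iface tcp dport monerod-p2p accept`. The DNATed flow instead needs an accept in the forward chain, which is not in view in this commit.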
@@ -68,11 +69,26 @@ table inet my_table {
 # Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
 # https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
 table inet nat {
- # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }` if has `chain postrouting`
+ # also vice versa, no need `chain postrouting` if has `chain prerouting`
+ # more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ chain prerouting {
+ type nat hook prerouting priority -100
+ policy accept
+ # port forwarding from client
+ # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet
+ iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p
+ iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p
+ }
 # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
 chain postrouting {
 type nat hook postrouting priority 100
 policy accept
+ # Needed for VPN. Needed for port forwarding from cilent with VPN through server
+ # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#default-route
 oifname $pub_iface masquerade
+ # needed for port forwarding from client without VPN through server
+ # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#masquerading
+ #oifname $wg_iface masquerade
 }
 }
diff --git a/etc/services b/etc/services
index 33ccdca8..a7275932 100644
--- a/etc/services
+++ b/etc/services
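Review bot: The two `dnat` rules rewrite the destination, but nothing in this commit lets the rewritten flow through the filter table's forward hook, so unless the forward chain (not in view) already accepts $pub_iface-to-$wg_iface traffic the forwarded connections are dropped after translation; I would pair them with `iifname $pub_iface oifname $wg_iface ct status dnat accept` in the forward chain so only DNATed flows, not arbitrary forwarding, are let through. A style point: the peer addresses 10.0.0.1 and fdc9:281f:04d7:9ee9::1 are hard-coded while the interfaces use $pub_iface/$wg_iface — a `define insp_v4 = 10.0.0.1` and `define insp_v6 = fdc9:281f:04d7:9ee9::1` next to the other defines would keep them in one place and make a future re-addressing a one-line change. Also worth a comment on the `dnat` lines that when the peer's tunnel is down these packets are forwarded into a dead route rather than rejected, if that is the intended behaviour.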
@@ -11516,9 +11516,10 @@ nusrp 49001/tcp
 nusdp-disc 49001/udp
 inspider 49150/tcp
 # my services
+monerod-p2p 18080/tcp
+wireguard 49432/udp
 # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
-wireguard 49432/udp
 ssh-isp 49812/tcp
 iperf3 53497/tcp
 swgp 54635/udp |
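Review bot: The ruleset in etc/nftables.conf now depends on `monerod-p2p 18080/tcp` resolving at load time, yet nothing here marks the entry as such; if /etc/services is deployed separately from the ruleset, or replaced by the package that owns it on the target distribution (something to confirm for your system), `nft -f` fails on an unresolvable service name and the firewall may come up empty. I would add `# referenced by name in /etc/nftables.conf; keep in sync` above the `# my services` entries. Alternatively, a `define monerod_p2p = 18080` in the ruleset itself would remove the cross-file dependency entirely.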