Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--etc/nftables.conf30
1 files changed, 9 insertions, 21 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 1ea06d6b..0f1aceeb 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -19,28 +19,27 @@ table inet my_table {
ct state invalid drop comment "early drop of invalid connections"
ct state {established, related} accept comment "allow tracked connections"
iifname lo accept comment "allow from loopback"
- iifname $wg_iface accept comment "allow from wireguard"
+ iifname $wg_iface ip saddr 10.0.0.1 accept comment "allow from wireguard insp ip"
+ iifname $wg_iface ip6 saddr fdc9:281f:04d7:9ee9::1 accept comment "allow from wireguard insp ip"
ip protocol icmp accept
meta l4proto ipv6-icmp accept
tcp dport ssh accept
- #tcp dport qbt-nox accept
- #tcp dport qbt accept
- #udp dport qbt accept
#tcp dport iperf3 accept
udp dport wireguard accept
- udp dport swgp accept
- # for acme.sh standalone mode builtin webserver to renew ssl cert
tcp dport http accept
+ tcp dport https accept
+ # http3 quic
+ # seems no need open port 80 udp for http3, see https://serverfault.com/q/1185886
+ udp dport https accept
# email related ports
tcp dport smtp accept
- tcp dport pop3 accept
- tcp dport imap accept
+ #tcp dport pop3 accept
+ #tcp dport imap accept
tcp dport submissions accept
tcp dport submission accept
tcp dport imaps accept
- tcp dport pop3s accept
- tcp dport monerod-p2p accept
+ #tcp dport pop3s accept
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter comment "count any other traffic"
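Review bot: The two added rules `iifname $wg_iface ip saddr 10.0.0.1 accept …` and the matching `ip6 saddr fdc9:281f:04d7:9ee9::1` line narrow the former blanket WireGuard allow to a single peer, but the comment "allow from wireguard insp ip" does not say so, and that is what a later reader needs to understand why every other peer on $wg_iface is now treated like public traffic (only the dports opened further down, then the rate-limited reject). Suggest `comment "allow all from wireguard peer 10.0.0.1; other peers fall through to per-port rules"` with the analogous wording on the ip6 line, since identical comment strings on both rules also make `nft list ruleset` and counter output harder to tell apart. WireGuard's cryptokey routing already pins a peer's source addresses to its AllowedIPs, so these saddr matches are a defence-in-depth check rather than the primary control; a one-line `#` note above them would stop someone later widening AllowedIPs on the assumption that nftables alone restricts the host. The enclosing input chain starts before this hunk.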
@@ -72,14 +71,6 @@ table inet nat {
# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }` if has `chain postrouting`
# also vice versa, no need `chain postrouting` if has `chain prerouting`
# more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
- chain prerouting {
- type nat hook prerouting priority -100
- policy accept
- # port forwarding from client
- # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet
- iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p
- iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p
- }
# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
chain postrouting {
type nat hook postrouting priority 100
@@ -87,8 +78,5 @@ table inet nat {
# Needed for VPN. Needed for port forwarding from cilent with VPN through server
# https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#default-route
oifname $pub_iface masquerade
- # needed for port forwarding from client without VPN through server
- # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet/#masquerading
- #oifname $wg_iface masquerade
}
}