path: root/etc/nftables.conf
Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--etc/nftables.conf34
1 files changed, 0 insertions, 34 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 1bc5fec6..dc22f26a 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -10,7 +10,6 @@ flush ruleset
define pub_iface = "eth0"
define wg_iface = "wg0"
-define website_ip6 = "2606:a8c0:3:773::b"
table inet my_table {
chain my_input {
@@ -25,26 +24,9 @@ table inet my_table {
meta l4proto ipv6-icmp accept
tcp dport ssh accept
- #tcp dport qbt-nox accept
- #tcp dport qbt accept
- #udp dport qbt accept
#tcp dport iperf3 accept
udp dport wireguard accept
udp dport swgp accept
- # for acme.sh standalone mode builtin webserver to renew ssl cert
- # for forward to studio
- tcp dport http accept
- tcp dport https accept
- # email related ports
- tcp dport smtp accept
- tcp dport pop3 accept
- tcp dport imap accept
- tcp dport submissions accept
- tcp dport submission accept
- tcp dport imaps accept
- tcp dport pop3s accept
- tcp dport monerod-p2p accept
- tcp dport ssh-isp accept
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter comment "count any other traffic"
@@ -74,22 +56,6 @@ table inet my_table {
# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
table inet nat {
# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }` if has `chain postrouting`
- # also vice versa, no need `chain postrouting` if has `chain prerouting`
- # more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
- chain prerouting {
- type nat hook prerouting priority -100
- policy accept
- # port forwarding from client
- # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet
- iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p
- iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p
- iifname $pub_iface tcp dport ssh-isp dnat ip to 10.0.0.3:ssh
- iifname $pub_iface tcp dport ssh-isp dnat ip6 to [fdc9:281f:04d7:9ee9::3]:ssh
- iifname $pub_iface tcp dport http dnat ip to 10.0.0.3:http
- iifname $pub_iface ip6 daddr $website_ip6 tcp dport http dnat ip6 to [fdc9:281f:04d7:9ee9::3]:http
- iifname $pub_iface tcp dport https dnat ip to 10.0.0.3:https
- iifname $pub_iface tcp dport https dnat ip6 to [fdc9:281f:04d7:9ee9::3]:https
- }
# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
chain postrouting {
type nat hook postrouting priority 100