Diffstat (limited to 'etc')
-rw-r--r-- | etc/dnsmasq.conf | 2 | ||||
-rw-r--r-- | etc/netns/ns0/nftables.conf | 7 | ||||
-rw-r--r-- | etc/services | 1 | ||||
-rw-r--r-- | etc/systemd/system/sshd-ns0.service | 19 |
4 files changed, 23 insertions, 6 deletions
diff --git a/etc/dnsmasq.conf b/etc/dnsmasq.conf
index 9ab206b1..743f55aa 100644
--- a/etc/dnsmasq.conf
+++ b/etc/dnsmasq.conf
@@ -118,7 +118,7 @@ no-resolv
 #except-interface=
 # Or which to listen on by address (remember to include 127.0.0.1 if
 # you use this.)
-listen-address=::1,127.0.0.1
+#listen-address=
 # If you want dnsmasq to provide only DNS service on an interface,
 # configure it as shown above, and then use the following line to
 # disable DHCP and TFTP on it.
diff --git a/etc/netns/ns0/nftables.conf b/etc/netns/ns0/nftables.conf
index aeda6c57..d0643505 100644
--- a/etc/netns/ns0/nftables.conf
+++ b/etc/netns/ns0/nftables.conf
@@ -22,18 +22,17 @@ table inet my_table {
  ct state invalid drop comment "early drop of invalid connections"
  ct state {established, related} accept comment "allow tracked connections"
  iifname lo accept comment "allow from loopback"
- iifname $wg_iface ip saddr { 10.0.0.1, 10.0.0.7 } accept comment "allow from wireguard insp and pp ip"
- iifname $wg_iface ip6 saddr { fdc9:281f:04d7:9ee9::1, fdc9:281f:04d7:9ee9::7} accept comment "allow from wireguard insp and pp ip"
+ iifname $wg_iface ip saddr 10.0.0.1 accept comment "allow from wireguard insp ip"
+ iifname $wg_iface ip6 saddr fdc9:281f:04d7:9ee9::1 accept comment "allow from wireguard insp ip"
  ip protocol icmp accept
  meta l4proto ipv6-icmp accept
- #tcp dport ssh accept
+ tcp dport ssh accept
  #tcp dport qbt-nox accept
  tcp dport qbt accept
  udp dport qbt accept
  #tcp dport iperf3 accept
  udp dport wireguard accept
- udp dport swgp accept
  pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
  counter comment "count any other traffic"
diff --git a/etc/services b/etc/services
index 5dcce50a..6c6dd6ab 100644
--- a/etc/services
+++ b/etc/services
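Review bot: Replacing `listen-address=::1,127.0.0.1` with the commented-out `#listen-address=` removes the only restriction visible in this hunk on where dnsmasq listens, so unless an `interface=` or `except-interface=` line elsewhere in the file narrows it (the `#except-interface=` in context is itself commented out), the resolver will now answer on every interface of the host rather than loopback only. If the aim is only to stop naming the loopback addresses explicitly, `local-service` (answer only for directly connected subnets) or `bind-interfaces` with an explicit `interface=` keeps it from becoming an open resolver on the wireguard or upstream link. Which interface is meant to serve DNS cannot be determined from this hunk; a one-line comment next to the change recording why the loopback-only bind was dropped would make the intent explicit for the next reader.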
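Review bot: The newly active `tcp dport ssh accept` carries no `iifname` or `saddr` qualifier, unlike the two wireguard rules directly above it, so inside ns0 SSH is now accepted from any interface and any source, and the tightening of the wireguard allow-list to 10.0.0.1 / fdc9:281f:04d7:9ee9::1 does not apply to it. If SSH in ns0 is meant to be reached only over the tunnel, qualify it as `iifname $wg_iface tcp dport ssh accept` (or reuse the same `ip saddr` / `ip6 saddr` as the rules above); if it is meant to be reachable on every ns0 interface, a `comment "ssh reachable on all ns0 interfaces"` on the rule would record that as deliberate. Note that the two `iifname $wg_iface ... accept` rules still accept every protocol from those two peer addresses, so the ssh rule only changes what other sources can reach. The enclosing chain starts and ends outside the hunk.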
@@ -11524,7 +11524,6 @@ inspider 49150/tcp
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
 wireguard 49432/udp
 iperf3 53497/tcp
-swgp 54635/udp
 # qbittorrent-nox web ui port for remote access browser gui
 qbt-nox 57151/tcp
 # qbittorrent/ options/ connection/ listening port
diff --git a/etc/systemd/system/sshd-ns0.service b/etc/systemd/system/sshd-ns0.service
new file mode 100644
index 00000000..d66b8932
--- /dev/null
+++ b/etc/systemd/system/sshd-ns0.service
@@ -0,0 +1,19 @@
+# modified from /usr/lib/systemd/system/sshd.service
+
+[Unit]
+After=network.target sshdgenkeys.service
+Before=ssh-access.target
+Description=OpenSSH Daemon
+Documentation=man:sshd(8) man:sshd_config(5)
+Wants=sshdgenkeys.service ssh-access.target
+After=ns0.service
+
+[Service]
+Type=notify-reload
+ExecStart=/usr/bin/sshd -D
+KillMode=process
+Restart=always
+NetworkNamespacePath=/run/netns/ns0
+
+[Install]
+WantedBy=multi-user.target
|
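Review bot: `After=ns0.service` only orders this unit after the namespace service and does not pull it in, so if ns0.service is not active the `NetworkNamespacePath=/run/netns/ns0` line (presumably that path is created by ns0.service) cannot be satisfied and `Restart=always` will keep retrying. Declaring the dependency explicitly, `Requires=ns0.service` (or `BindsTo=ns0.service`) next to the existing ordering, lets the unit fail cleanly when the namespace is missing, and the two `After=` lines could be merged into `After=network.target sshdgenkeys.service ns0.service`. Separately, `ExecStart=/usr/bin/sshd -D` has no `-f`, so this second daemon reads the same sshd_config as the host's sshd.service: both instances share one listening and authentication policy, and with the default PidFile they will overwrite each other's pid file; a namespace-specific config passed with `-f` (carrying its own `PidFile` and `ListenAddress`) keeps the ns0 instance's exposure and lifecycle separate from the host's. The header comment would also be more useful if it named the difference from the stock unit, e.g. `# differs from sshd.service: runs inside network namespace ns0 (NetworkNamespacePath)`.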