From 673c18cbf2c80de0aa5aa03b24cd026cf742412b Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 4 Jul 2025 06:54:20 +0000
Subject: nft config studio wg swgp wg to ca, studio use ::b ip6, ca use ::a ip6 so it can do acme.sh

---
 etc/nftables.conf | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/etc/nftables.conf b/etc/nftables.conf
index 1ea06d6b..1bc5fec6 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -10,6 +10,7 @@ flush ruleset
 define pub_iface = "eth0"
 define wg_iface = "wg0"
+define website_ip6 = "2606:a8c0:3:773::b"
 table inet my_table {
 chain my_input {
@@ -31,7 +32,9 @@ table inet my_table {
 udp dport wireguard accept
 udp dport swgp accept
 # for acme.sh standalone mode builtin webserver to renew ssl cert
+ # for forward to studio
 tcp dport http accept
+ tcp dport https accept
 # email related ports
 tcp dport smtp accept
 tcp dport pop3 accept
@@ -41,6 +44,7 @@ table inet my_table {
 tcp dport imaps accept
 tcp dport pop3s accept
 tcp dport monerod-p2p accept
+ tcp dport ssh-isp accept
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 counter comment "count any other traffic"
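Review bot: The new `define website_ip6` carries a bare global address with no explanation of its role, and the split it implements (per the commit message: `::b` is the address DNATed to the studio peer while `::a` stays on this host so acme.sh can answer HTTP-01) is only recoverable from the commit message, not from the ruleset. A one-line comment above the define would keep that invariant with the config, e.g. `# public v6 address served by the studio peer (DNATed to ::3); ::a stays local for acme.sh` — adjust if my reading of the commit message is off. The `::a` address itself has no define, so if a reader ever needs to exclude it explicitly they will have to hard-code it; consider a sibling `define` for it as well.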
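Review bot: `tcp dport https accept` is added to `my_input` under the comment `# for forward to studio`, but an input-hook chain only sees packets addressed to this host; the port 80/443 traffic that the nat prerouting rules in the later hunk DNAT to 10.0.0.3 takes the forward hook instead, so this accept (and the comment) only matters if this host itself listens on 443. The forward chain that must permit those DNATed flows is not in this diff; please confirm it has something like `iifname $pub_iface oifname $wg_iface ct status dnat accept`, otherwise the forward will be governed by whatever policy that chain has. If the host does not listen on 443 locally, I would drop the accept here and reword the comment to `# port 80 stays open locally for acme.sh standalone (v6 ::a only, see nat prerouting)`. The `my_input` chain starts outside this hunk.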
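Review bot: `tcp dport ssh-isp accept` relies on `ssh-isp` resolving as a service name; nft looks port names up in /etc/services, and `ssh-isp` does not appear to be a standard entry there (the same holds for the pre-existing `swgp` and `monerod-p2p`), so the ruleset will fail to load on a host where it has not been added — a `define ssh_isp = <port>` in the config would remove that hidden dependency. Independently of that, this exposes the studio peer's SSH on the public interface with no source restriction and no new-connection rate limit: the `limit rate 5/second` on the next line only applies to the rejected remainder, and since the DNATed flow goes through the forward hook, this input accept does not constrain it at all. Consider a `ct state new limit rate 3/minute` (or a source-address set) on the forward-path rule that admits this flow, and note in a comment that the port number is deliberately non-standard to cut scanner noise, if that was the intent.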
@@ -79,6 +83,12 @@ table inet nat {
 # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet
 iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p
 iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p
+ iifname $pub_iface tcp dport ssh-isp dnat ip to 10.0.0.3:ssh
+ iifname $pub_iface tcp dport ssh-isp dnat ip6 to [fdc9:281f:04d7:9ee9::3]:ssh
+ iifname $pub_iface tcp dport http dnat ip to 10.0.0.3:http
+ iifname $pub_iface ip6 daddr $website_ip6 tcp dport http dnat ip6 to [fdc9:281f:04d7:9ee9::3]:http
+ iifname $pub_iface tcp dport https dnat ip to 10.0.0.3:https
+ iifname $pub_iface tcp dport https dnat ip6 to [fdc9:281f:04d7:9ee9::3]:https
 }
 # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
 chain postrouting {
-- 
cgit v1.2.3-70-g09d2
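Review bot: Only the IPv6 http rule is scoped with `ip6 daddr $website_ip6`; the https and ssh-isp ip6 rules match any destination on `$pub_iface`, so connections to the `::a` address that the commit message reserves for the CA host are also forwarded to the studio peer, which defeats the address split the commit is introducing. The https line should read `iifname $pub_iface ip6 daddr $website_ip6 tcp dport https dnat ip6 to [fdc9:281f:04d7:9ee9::3]:https`, and the ssh-isp ip6 rule should get the same `ip6 daddr $website_ip6` qualifier unless SSH is meant to be reachable on both addresses. The IPv4 http rule is unconditional, so acme.sh standalone on this host can no longer receive HTTP-01 validation over IPv4 even though the input-chain comment still says port 80 is open for it; if IPv6-only validation is the intent, say so in a comment here (`# v4 port 80 goes to studio: acme.sh HTTP-01 must validate over v6 ::a`), otherwise exclude the host's own IPv4 address from the rule. The `prerouting` chain these rules belong to starts outside this hunk.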