From 8ce2d46747834f1b06f2c250f0d0fa055799a767 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Fri, 4 Jul 2025 15:16:05 +0800
Subject: init xyzru VPS

---
 etc/nftables.conf | 34 ----------------------------------
 1 file changed, 34 deletions(-)

(limited to 'etc/nftables.conf')

diff --git a/etc/nftables.conf b/etc/nftables.conf
index 1bc5fec6..dc22f26a 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -10,7 +10,6 @@ flush ruleset
 define pub_iface = "eth0"
 define wg_iface = "wg0"
-define website_ip6 = "2606:a8c0:3:773::b"
 table inet my_table {
 chain my_input {
@@ -25,26 +24,9 @@ table inet my_table {
 meta l4proto ipv6-icmp accept
 tcp dport ssh accept
- #tcp dport qbt-nox accept
- #tcp dport qbt accept
- #udp dport qbt accept
 #tcp dport iperf3 accept
 udp dport wireguard accept
 udp dport swgp accept
- # for acme.sh standalone mode builtin webserver to renew ssl cert
- # for forward to studio
- tcp dport http accept
- tcp dport https accept
- # email related ports
- tcp dport smtp accept
- tcp dport pop3 accept
- tcp dport imap accept
- tcp dport submissions accept
- tcp dport submission accept
- tcp dport imaps accept
- tcp dport pop3s accept
- tcp dport monerod-p2p accept
- tcp dport ssh-isp accept
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 counter comment "count any other traffic"
@@ -74,22 +56,6 @@ table inet my_table {
 # https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
 table inet nat {
 # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }` if has `chain postrouting`
- # also vice versa, no need `chain postrouting` if has `chain prerouting`
- # more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
- chain prerouting {
- type nat hook prerouting priority -100
- policy accept
- # port forwarding from client
- # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet
- iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p
- iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p
- iifname $pub_iface tcp dport ssh-isp dnat ip to 10.0.0.3:ssh
- iifname $pub_iface tcp dport ssh-isp dnat ip6 to [fdc9:281f:04d7:9ee9::3]:ssh
- iifname $pub_iface tcp dport http dnat ip to 10.0.0.3:http
- iifname $pub_iface ip6 daddr $website_ip6 tcp dport http dnat ip6 to [fdc9:281f:04d7:9ee9::3]:http
- iifname $pub_iface tcp dport https dnat ip to 10.0.0.3:https
- iifname $pub_iface tcp dport https dnat ip6 to [fdc9:281f:04d7:9ee9::3]:https
- }
 # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
 chain postrouting {
 type nat hook postrouting priority 100
-- 
cgit v1.2.3-70-g09d2