rules fixup
@@ -12,9 +12,6 @@ let
|
|||||||
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
|
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
|
||||||
wgServerSubnet = "${config.my.ips.wg-vps}/24";
|
wgServerSubnet = "${config.my.ips.wg-vps}/24";
|
||||||
wgFriend1 = config.my.ips.wg-friend1;
|
wgFriend1 = config.my.ips.wg-friend1;
|
||||||
wgFriend2 = config.my.ips.wg-friend2;
|
|
||||||
wgFriend3 = config.my.ips.wg-friend3;
|
|
||||||
wgFriend4 = config.my.ips.wg-friend4;
|
|
||||||
wgGuest1 = config.my.ips.wg-g1;
|
wgGuest1 = config.my.ips.wg-g1;
|
||||||
giteaSshPort = 22;
|
giteaSshPort = 22;
|
||||||
giteaSshPortStr = toString giteaSshPort;
|
giteaSshPortStr = toString giteaSshPort;
|
||||||
@@ -65,7 +62,7 @@ in
|
|||||||
};
|
};
|
||||||
nftables = {
|
nftables = {
|
||||||
enable = true;
|
enable = true;
|
||||||
tables."vps-snat" = {
|
tables.vps-snat = {
|
||||||
family = "ip";
|
family = "ip";
|
||||||
content = ''
|
content = ''
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
@@ -82,14 +79,8 @@ in
|
|||||||
allowedTCPPorts = [ sshPort ] ++ webPorts;
|
allowedTCPPorts = [ sshPort ] ++ webPorts;
|
||||||
allowedUDPPorts = [ wgPort ];
|
allowedUDPPorts = [ wgPort ];
|
||||||
extraForwardRules = ''
|
extraForwardRules = ''
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
|
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
|
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} tcp dport ${syncthingPort} accept
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
|
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
|
|
||||||
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
|
|
||||||
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
|
|
||||||
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
|
|
||||||
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
|
|
||||||
|
|
||||||
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
|
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
|
||||||
|
|
||||||
@@ -101,8 +92,6 @@ in
|
|||||||
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
|
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
|
||||||
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
|
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
|
||||||
|
|
||||||
iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept
|
|
||||||
|
|
||||||
ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
|
ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
|
||||||
ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
|
ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
|
||||||
ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
|
ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
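Review bot: The two rewritten forward rules in the `@@ -82,14 +79,8 @@` hunk replace four per-peer `/32` sources and destinations with the whole `${wgFriendsSubnet}`, so every address in that /24, not only the four friends the old rules named, can now reach `${homeServer}` on `${syncthingPort}` in both directions, and that widening is nowhere stated in the diff. If it is intended, a comment above the first rule would stop the next reader from re-tightening it, e.g. `# whole friends /24 may reach syncthing on homeServer; per-peer source pinning is left to each peer's WireGuard AllowedIPs`. Separately, the rule accepting external traffic to `${giteaSshPortStr}` is removed while `giteaSshPort` and `giteaSshPortStr` stay bound in the `let` block of the first hunk; if nothing outside this diff references them they are now dead bindings worth dropping, and the same question applies to `wgFriend1`, whose only visible uses are replaced here. The `extraForwardRules` string continues past the hunk, so whether a `ct state` rule or the chain's default policy precedes these accepts is not visible here.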
|
||||||
|
|||||||