diff --git a/hosts/vps/configuration.nix b/hosts/vps/configuration.nix
index c8c1e29..297fb86 100644
--- a/hosts/vps/configuration.nix
+++ b/hosts/vps/configuration.nix
@@ -30,7 +30,7 @@
 };
 };
 environment.etc."iptables.rules".source = ../../iptables;
- networking.firewall.enable = false;
+ networking.firewall.enable = lib.mkForce false;
 networking.nftables.enable = false;
 systemd.services.iptables-restore = {
 description = "Apply iptables ruleset";
diff --git a/iptables b/iptables
new file mode 100644
index 0000000..e3c05c2
--- /dev/null
+++ b/iptables
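Review bot: `lib.mkForce false` on `networking.firewall.enable` overrides whatever other module sets the option to true without naming it, so a reader cannot tell whether that module's intent is still wanted or merely in the way; add a comment above the line such as `# mkForce: <conflicting module> enables the NixOS firewall; inbound filtering comes from iptables-restore (../../iptables) instead`. Because mkForce also wins over any later `networking.firewall.enable = true`, switching back to the stock firewall now requires editing this file, which is worth stating in that comment. The `systemd.services.iptables-restore` definition continues past the end of the hunk.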
@@ -0,0 +1,126 @@
+# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
+*mangle
+:PREROUTING ACCEPT [95853893:179831236298]
+:INPUT ACCEPT [94316554:179510512585]
+:FORWARD ACCEPT [1536524:320567864]
+:OUTPUT ACCEPT [49857522:93072472240]
+:POSTROUTING ACCEPT [51393797:93393029789]
+COMMIT
+# Completed on Fri Jan 2 03:44:23 2026
+# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
+*raw
+:PREROUTING ACCEPT [95853893:179831236298]
+:OUTPUT ACCEPT [49857522:93072472240]
+COMMIT
+# Completed on Fri Jan 2 03:44:23 2026
+# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
+*filter
+:INPUT ACCEPT [94315678:179510353216]
+:FORWARD ACCEPT [46534:2774394]
+:OUTPUT ACCEPT [49857520:93072471971]
+
+
+# --- Incoming (INPUT) rules for VPS itself ---
+# Accept SSH on port 3456 (new SSH port)
+# allow SSH to VPS
+-A INPUT -p tcp --dport 3456 -m conntrack --ctstate NEW -j ACCEPT
+
+# allow established connections (responses)
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# (Optionally, add other INPUT rules for any services the VPS itself runs, if any, like HTTP/HTTPS if needed)
+
+# If a default DROP policy is desired on INPUT, or an explicit drop rule:
+# -A INPUT -j DROP # (optional: lock down any other input)
+
+# --- Forwarding (FORWARD) rules for VPN traffic ---
+# allow return traffic for established sessions
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+
+# Syncthing between 10.8.0.2 and home server
+# 10.8.0.2 -> 10.77.0.0 Syncthing
+-A FORWARD -s 10.8.0.2/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.8.0.3/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.8.0.4/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.8.0.5/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
+# home -> 10.8.0.0 Syncthing
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.2/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.3/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.4/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.5/32 -p tcp --dport 22000 -j ACCEPT
+
+# Matrix/Synapse access from 10.8 subnet to home server
+# allow Matrix client port
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8008 -j ACCEPT
+# allow Matrix federation port
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8448 -j ACCEPT
+# allow TURN/other (if used)
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8999 -j ACCEPT
+
+# ICMP between 10.8 subnet and home
+# ping home from 10.8 clients
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
+# ping 10.8 clients from home
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.0/24 -p icmp -j ACCEPT
+
+# New Friend's subnet (10.9) access rule
+# allow new subnet to access port 9999 on home
+-A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p tcp --dport 9999 -j ACCEPT
+# allow ping to home
+-A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
+# allow ping reply from home
+-A FORWARD -s 10.77.0.2/32 -d 10.9.0.2/24 -p icmp -j ACCEPT
+
+# Allow VPN subnets to reach Internet (MASQUERADE will SNAT them)
+# 10.8 clients to internet
+-A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
+# 10.9 clients to internet
+-A FORWARD -s 10.9.0.2/24 -o eth0 -j ACCEPT
+
+# Drop all other traffic between these subnets and home or between subnets (isolation)
+# drop any 10.8 -> home not allowed
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.0/24 -j DROP
+# drop any home -> 10.8 not allowed
+-A FORWARD -s 10.77.0.0/24 -d 10.8.0.0/24 -j DROP
+
+# drop any 10.9 -> home not allowed (except 9999/ping above)
+-A FORWARD -s 10.9.0.0/24 -d 10.77.0.0/24 -j DROP
+# drop any home -> 10.9 not allowed
+-A FORWARD -s 10.77.0.0/24 -d 10.9.0.0/24 -j DROP
+
+# drop 10.9 -> 10.8 (no client-to-client)
+-A FORWARD -s 10.9.0.0/24 -d 10.8.0.0/24 -j DROP
+# drop 10.8 -> 10.9
+-A FORWARD -s 10.8.0.0/24 -d 10.9.0.0/24 -j DROP
+
+COMMIT
+
+*nat
+:PREROUTING ACCEPT [3368888:178175988]
+:INPUT ACCEPT [3348703:174454011]
+:OUTPUT ACCEPT [30120:1902454]
+:POSTROUTING ACCEPT [32339:2018208]
+# Port forwarding (DNAT) rules:
+# forward SSH (port 22) to home server
+-A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.77.0.2:22
+# forward port 51412 to home (TCP)
+-A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
+# forward port 51412 to home (UDP)
+-A PREROUTING -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
+# (Remove the above 51412 rules if not used; keep 22 as it’s for Gitea’s SSH access)
+
+# Masquerade (SNAT) rules:
+# masquerade replies from home for SSH
+-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 22 -j MASQUERADE
+# masquerade replies for 51412 (TCP)
+-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 51412 -j MASQUERADE
+#masquerade replies for 51412 (UDP)
+-A POSTROUTING -d 10.77.0.2/32 -p udp --dport 51412 -j MASQUERADE
+# (If 51412 rules removed above, remove their masquerade lines too)
+
+# NAT for 10.8.0.x clients to internet
+-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+# NAT for 10.9.0.x clients to internet
+-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
+
+COMMIT
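Review bot: The `*filter` INPUT chain is declared `:INPUT ACCEPT` and the only drop, `# -A INPUT -j DROP`, is left commented out, so the two INPUT allow rules above it have no effect and, with the NixOS firewall and nftables both disabled in configuration.nix, every port the VPS listens on is reachable. A default-deny posture needs `:INPUT DROP [0:0]` plus, ahead of the existing rules, `-A INPUT -i lo -j ACCEPT` and an allow for the VPN listener (`-A INPUT -p udp --dport <VPN_PORT> -j ACCEPT`, protocol and port are not shown in this diff) so the tunnel and local services keep working. FORWARD has the same shape: its policy is ACCEPT and the DROP rules cover only the 10.8/10.9/10.77 pairs, so the DNAT'd flows to 10.77.0.2 and anything else forwarded are admitted by the policy rather than by an allow rule; `:FORWARD DROP [0:0]` with explicit `-d 10.77.0.2/32` accepts for ports 22 and 51412 would make the intent enforceable. The `-s 10.9.0.2/24` selectors are normalised to 10.9.0.0/24 on load, which the drop rules already spell out, so the network form should be used consistently to avoid confusing readers. Masquerading the port-forwarded flows (`-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 22 -j MASQUERADE`) rewrites every inbound SSH client to the VPS address, so the home server's own auth logs and any rate limiting there see a single source; if that visibility matters, route replies back through the VPS instead of masquerading.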