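# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
# NOTE: this is a hand-maintained rules file in iptables-save format (iptables-save
# itself emits no interleaved comments). Load it with iptables-restore; the
# [packets:bytes] counters on the chain lines are ignored unless --counters is given.
# Comments must stay on their own lines: iptables-restore only skips lines that
# begin with '#', a '#' after a rule would be parsed as part of the rule.
*mangle
:PREROUTING ACCEPT [95853893:179831236298]
:INPUT ACCEPT [94316554:179510512585]
:FORWARD ACCEPT [1536524:320567864]
:OUTPUT ACCEPT [49857522:93072472240]
:POSTROUTING ACCEPT [51393797:93393029789]
COMMIT
# Completed on Fri Jan 2 03:44:23 2026
# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
*raw
:PREROUTING ACCEPT [95853893:179831236298]
:OUTPUT ACCEPT [49857522:93072472240]
COMMIT
# Completed on Fri Jan 2 03:44:23 2026
# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
*filter
:INPUT ACCEPT [94315678:179510353216]
:FORWARD ACCEPT [46534:2774394]
:OUTPUT ACCEPT [49857520:93072471971]
# --- Incoming (INPUT) rules for VPS itself ---
# The INPUT policy is ACCEPT and there is no final DROP, so the two rules below only
# make the intended traffic explicit: every other port on the VPS is still reachable
# until the optional DROP at the end of this section is enabled.
# Responses to connections the VPS itself opened. Placed first because it matches
# the bulk of the traffic; the verdict is the same whichever of the two is first.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Accept SSH to the VPS on its non-default port 3456. Port 22 arriving on eth0 never
# reaches INPUT: the nat PREROUTING DNAT below redirects it to the home server.
-A INPUT -p tcp --dport 3456 -m conntrack --ctstate NEW -j ACCEPT
# (Optionally, add other INPUT rules for any services the VPS itself runs, if any, like HTTP/HTTPS if needed)
# If a default DROP policy is desired on INPUT, or an explicit drop rule:
# -A INPUT -j DROP
# (optional: lock down any other input)
# --- Forwarding (FORWARD) rules for VPN traffic ---
# The FORWARD policy is ACCEPT: anything not matched below is forwarded. The DROP
# rules at the end of this section are what isolate the subnets, so every new
# subnet pair needs its own DROP lines there.
# allow return traffic for established sessions
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Syncthing between the 10.8.0.2 - 10.8.0.5 clients and the home server (10.77.0.2)
# 10.8.0.x -> home Syncthing
-A FORWARD -s 10.8.0.2/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.8.0.3/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.8.0.4/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.8.0.5/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
# home -> 10.8.0.x Syncthing
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.2/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.3/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.4/32 -p tcp --dport 22000 -j ACCEPT
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.5/32 -p tcp --dport 22000 -j ACCEPT
# Matrix/Synapse access from 10.8 subnet to home server
# allow Matrix client port
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8008 -j ACCEPT
# allow Matrix federation port
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8448 -j ACCEPT
# allow TURN/other (if used)
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8999 -j ACCEPT
# ICMP between 10.8 subnet and home
# ping home from 10.8 clients (echo replies come back via the ESTABLISHED rule)
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
# ping 10.8 clients from home
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.0/24 -p icmp -j ACCEPT
# New Friend's subnet (10.9.0.0/24) access rules
# These were written as 10.9.0.2/24. iptables masks the host bits of a -s/-d
# prefix, so that already matched the whole /24; it is spelled out as the network
# address here so the intent is visible and agrees with the DROP rules below.
# allow new subnet to access port 9999 on home
-A FORWARD -s 10.9.0.0/24 -d 10.77.0.2/32 -p tcp --dport 9999 -j ACCEPT
# allow ping to home
-A FORWARD -s 10.9.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
# allow home to ping the 10.9 clients (echo replies are covered by the ESTABLISHED rule)
-A FORWARD -s 10.77.0.2/32 -d 10.9.0.0/24 -p icmp -j ACCEPT
# Port-forwarded services (see the nat PREROUTING DNAT rules below): new connections
# from the Internet to the home server. With the ACCEPT policy these are accepted
# implicitly today; listing them keeps the port forwards working if the FORWARD
# policy is ever changed to DROP.
-A FORWARD -i eth0 -d 10.77.0.2/32 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -d 10.77.0.2/32 -p tcp --dport 51412 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -d 10.77.0.2/32 -p udp --dport 51412 -m conntrack --ctstate NEW -j ACCEPT
# Allow VPN subnets to reach Internet (MASQUERADE will SNAT them)
# 10.8 clients to internet
-A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
# 10.9 clients to internet
-A FORWARD -s 10.9.0.0/24 -o eth0 -j ACCEPT
# Drop all other traffic between these subnets and home or between subnets (isolation)
# drop any 10.8 -> home not allowed
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.0/24 -j DROP
# drop any home -> 10.8 not allowed
-A FORWARD -s 10.77.0.0/24 -d 10.8.0.0/24 -j DROP
# drop any 10.9 -> home not allowed (except 9999/ping above)
-A FORWARD -s 10.9.0.0/24 -d 10.77.0.0/24 -j DROP
# drop any home -> 10.9 not allowed
-A FORWARD -s 10.77.0.0/24 -d 10.9.0.0/24 -j DROP
# drop 10.9 -> 10.8 (no client-to-client)
-A FORWARD -s 10.9.0.0/24 -d 10.8.0.0/24 -j DROP
# drop 10.8 -> 10.9
-A FORWARD -s 10.8.0.0/24 -d 10.9.0.0/24 -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [3368888:178175988]
:INPUT ACCEPT [3348703:174454011]
:OUTPUT ACCEPT [30120:1902454]
:POSTROUTING ACCEPT [32339:2018208]
# Port forwarding (DNAT) rules.
# Restricted to packets arriving on eth0, the Internet-facing interface (the same
# one the -o eth0 rules use for Internet access). Without -i eth0 the rules matched
# every interface, so a VPN client connecting to port 22 (or 51412) of ANY host
# through the tunnel was redirected to the home server instead, where the
# 10.8/10.9 -> 10.77 isolation DROPs in the filter FORWARD chain then discarded it.
# forward SSH (port 22) to home server
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 10.77.0.2:22
# forward port 51412 to home (TCP)
-A PREROUTING -i eth0 -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
# forward port 51412 to home (UDP)
-A PREROUTING -i eth0 -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
# (Remove the above 51412 rules if not used; keep 22 as it's for Gitea's SSH access)
# Masquerade (SNAT) rules for the forwarded connections.
# These rewrite the SOURCE of the DNAT'd packets to the VPS's own address, so the
# home server sends its replies back through the VPS rather than straight to the
# Internet client. Side effect: the home server sees the VPS as the peer for every
# forwarded connection, so per-client logging or rate limiting on the home side
# cannot see the real origin address; the VPS is the only place that can log it.
# SSH (22) forwarded to home
-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 22 -j MASQUERADE
# 51412 (TCP) forwarded to home
-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 51412 -j MASQUERADE
# 51412 (UDP) forwarded to home
-A POSTROUTING -d 10.77.0.2/32 -p udp --dport 51412 -j MASQUERADE
# (If 51412 rules removed above, remove their masquerade lines too)
# NAT for 10.8.0.x clients to internet
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
# NAT for 10.9.0.x clients to internet
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
COMMIT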