127 lines
4.9 KiB
Plaintext
127 lines
4.9 KiB
Plaintext
# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
|
||
*mangle
|
||
:PREROUTING ACCEPT [95853893:179831236298]
|
||
:INPUT ACCEPT [94316554:179510512585]
|
||
:FORWARD ACCEPT [1536524:320567864]
|
||
:OUTPUT ACCEPT [49857522:93072472240]
|
||
:POSTROUTING ACCEPT [51393797:93393029789]
|
||
COMMIT
|
||
# Completed on Fri Jan 2 03:44:23 2026
|
||
# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
|
||
*raw
|
||
:PREROUTING ACCEPT [95853893:179831236298]
|
||
:OUTPUT ACCEPT [49857522:93072472240]
|
||
COMMIT
|
||
# Completed on Fri Jan 2 03:44:23 2026
|
||
# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
|
||
*filter
|
||
:INPUT ACCEPT [94315678:179510353216]
|
||
:FORWARD ACCEPT [46534:2774394]
|
||
:OUTPUT ACCEPT [49857520:93072471971]
|
||
|
||
|
||
# --- Incoming (INPUT) rules for VPS itself ---
|
||
# Accept SSH on port 3456 (new SSH port)
|
||
# allow SSH to VPS
|
||
-A INPUT -p tcp --dport 3456 -m conntrack --ctstate NEW -j ACCEPT
|
||
|
||
# allow established connections (responses)
|
||
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||
|
||
# (Optionally, add other INPUT rules for any services the VPS itself runs, if any, like HTTP/HTTPS if needed)
|
||
|
||
# If a default DROP policy is desired on INPUT, or an explicit drop rule:
|
||
# -A INPUT -j DROP # (optional: lock down any other input)
|
||
|
||
# --- Forwarding (FORWARD) rules for VPN traffic ---
|
||
# allow return traffic for established sessions
|
||
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
||
|
||
# Syncthing between 10.8.0.2 and home server
|
||
# 10.8.0.2 -> 10.77.0.0 Syncthing
|
||
-A FORWARD -s 10.8.0.2/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
|
||
-A FORWARD -s 10.8.0.3/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
|
||
-A FORWARD -s 10.8.0.4/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
|
||
-A FORWARD -s 10.8.0.5/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
|
||
# home -> 10.8.0.0 Syncthing
|
||
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.2/32 -p tcp --dport 22000 -j ACCEPT
|
||
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.3/32 -p tcp --dport 22000 -j ACCEPT
|
||
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.4/32 -p tcp --dport 22000 -j ACCEPT
|
||
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.5/32 -p tcp --dport 22000 -j ACCEPT
|
||
|
||
# Matrix/Synapse access from 10.8 subnet to home server
|
||
# allow Matrix client port
|
||
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8008 -j ACCEPT
|
||
# allow Matrix federation port
|
||
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8448 -j ACCEPT
|
||
# allow TURN/other (if used)
|
||
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8999 -j ACCEPT
|
||
|
||
# ICMP between 10.8 subnet and home
|
||
# ping home from 10.8 clients
|
||
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
|
||
# ping 10.8 clients from home
|
||
-A FORWARD -s 10.77.0.2/32 -d 10.8.0.0/24 -p icmp -j ACCEPT
|
||
|
||
# New Friend's subnet (10.9) access rule
|
||
# allow new subnet to access port 9999 on home
|
||
-A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p tcp --dport 9999 -j ACCEPT
|
||
# allow ping to home
|
||
-A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
|
||
# allow ping reply from home
|
||
-A FORWARD -s 10.77.0.2/32 -d 10.9.0.2/24 -p icmp -j ACCEPT
|
||
|
||
# Allow VPN subnets to reach Internet (MASQUERADE will SNAT them)
|
||
# 10.8 clients to internet
|
||
-A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
|
||
# 10.9 clients to internet
|
||
-A FORWARD -s 10.9.0.2/24 -o eth0 -j ACCEPT
|
||
|
||
# Drop all other traffic between these subnets and home or between subnets (isolation)
|
||
# drop any 10.8 -> home not allowed
|
||
-A FORWARD -s 10.8.0.0/24 -d 10.77.0.0/24 -j DROP
|
||
# drop any home -> 10.8 not allowed
|
||
-A FORWARD -s 10.77.0.0/24 -d 10.8.0.0/24 -j DROP
|
||
|
||
# drop any 10.9 -> home not allowed (except 9999/ping above)
|
||
-A FORWARD -s 10.9.0.0/24 -d 10.77.0.0/24 -j DROP
|
||
# drop any home -> 10.9 not allowed
|
||
-A FORWARD -s 10.77.0.0/24 -d 10.9.0.0/24 -j DROP
|
||
|
||
# drop 10.9 -> 10.8 (no client-to-client)
|
||
-A FORWARD -s 10.9.0.0/24 -d 10.8.0.0/24 -j DROP
|
||
# drop 10.8 -> 10.9
|
||
-A FORWARD -s 10.8.0.0/24 -d 10.9.0.0/24 -j DROP
|
||
|
||
COMMIT
|
||
|
||
*nat
|
||
:PREROUTING ACCEPT [3368888:178175988]
|
||
:INPUT ACCEPT [3348703:174454011]
|
||
:OUTPUT ACCEPT [30120:1902454]
|
||
:POSTROUTING ACCEPT [32339:2018208]
|
||
# Port forwarding (DNAT) rules:
|
||
# forward SSH (port 22) to home server
|
||
-A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.77.0.2:22
|
||
# forward port 51412 to home (TCP)
|
||
-A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
|
||
# forward port 51412 to home (UDP)
|
||
-A PREROUTING -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
|
||
# (Remove the above 51412 rules if not used; keep 22 as it’s for Gitea’s SSH access)
|
||
|
||
# Masquerade (SNAT) rules:
|
||
# masquerade replies from home for SSH
|
||
-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 22 -j MASQUERADE
|
||
# masquerade replies for 51412 (TCP)
|
||
-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 51412 -j MASQUERADE
|
||
#masquerade replies for 51412 (UDP)
|
||
-A POSTROUTING -d 10.77.0.2/32 -p udp --dport 51412 -j MASQUERADE
|
||
# (If 51412 rules removed above, remove their masquerade lines too)
|
||
|
||
# NAT for 10.8.0.x clients to internet
|
||
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
|
||
# NAT for 10.9.0.x clients to internet
|
||
-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
|
||
|
||
COMMIT
|