Update syncthing setup

sonny 2025-03-12 22:36:46 +01:00
parent dcbdfdc422
commit 734b1a3321
9 changed files with 363 additions and 195 deletions


@ -4,6 +4,11 @@
flush ruleset
table ip filter {
chain prerouting {
type nat hook prerouting priority -100;
iifname {{ vpn_interface }} tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} dnat to {{ syncthing_app_ip }}
}
chain input {
type filter hook input priority 0; policy drop;
@ -21,15 +26,15 @@ table ip filter {
ip protocol icmp accept
iifname vmap {
{{ network_interface }} : goto wlan-chain,
{{ vpn_interface }} : goto vpn-chain,
{{ vpn_media_interface }} : goto media-vpn-chain
{{ network_interface }} : goto wlan_chain,
{{ vpn_interface }} : goto vpn_chain,
{{ vpn_media_interface }} : goto media_vpn_chain
}
log
}
chain wlan-chain {
chain wlan_chain {
tcp dport {{ ssh_port }} accept comment "SSH"
tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH"
tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
@ -44,14 +49,15 @@ table ip filter {
elements = { {{ vpn_subnet }} . {{ vpn_listen_address }}/{{ vpn_prefix }} }
}
chain vpn-chain {
chain vpn_chain {
meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS"
tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . ip daddr @vpn_set accept comment "HTTP/HTTPS"
tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web"
tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr . ip daddr @vpn_set accept comment "Syncthing"
tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept comment "Syncthing Web"
tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_app_ip }} accept comment "Syncthing protocol"
tcp dport {{ mpd_port }} ip saddr . ip daddr @vpn_set accept comment "MPD"
tcp dport {{ mpd_http_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP stream"
@ -64,7 +70,7 @@ table ip filter {
elements = { {{ vpn_media_subnet }} . {{ vpn_media_listen_address }}/{{ vpn_media_prefix }} }
}
chain media-vpn-chain {
chain media_vpn_chain {
meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS"
tcp dport {{ jellyfin_http_port }} ip saddr . ip daddr @vpn_media_set accept comment "Jellyfin HTTP"