Refactor nftables, vpn and transmission configuration
This commit is contained in:
parent
465a5d2887
commit
dcbdfdc422
24 changed files with 292 additions and 192 deletions
@ -4,6 +4,7 @@
|
|||
flush ruleset
|
||||
|
||||
table ip filter {
|
||||
|
||||
chain input {
|
||||
type filter hook input priority 0; policy drop;
|
||||
|
||||
|
|
@ -19,32 +20,53 @@ table ip filter {
|
|||
# allow icmp
|
||||
ip protocol icmp accept
|
||||
|
||||
iifname "{{ network_interface }}" tcp dport {{ ssh_port }} accept comment "SSH"
|
||||
iifname "{{ network_interface }}" tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH"
|
||||
iifname "{{ network_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
|
||||
iifname "{{ network_interface }}" tcp dport {{ transmission_port }} accept comment "Transmission"
|
||||
|
||||
iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard"
|
||||
iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media"
|
||||
|
||||
# TODO: create combined rule
|
||||
iifname "{{ vpn_interface }}" tcp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS TCP"
|
||||
iifname "{{ vpn_interface }}" udp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS UDP"
|
||||
|
||||
iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS"
|
||||
iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web"
|
||||
iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing"
|
||||
|
||||
iifname "{{ vpn_interface }}" tcp dport {{ mpd_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD"
|
||||
iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream"
|
||||
iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_mobile_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP mobile stream"
|
||||
|
||||
# TODO: create combined rule
|
||||
iifname "{{ vpn_media_interface }}" tcp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS TCP"
|
||||
iifname "{{ vpn_media_interface }}" udp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS UDP"
|
||||
|
||||
iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP"
|
||||
iifname vmap {
|
||||
{{ network_interface }} : goto wlan-chain,
|
||||
{{ vpn_interface }} : goto vpn-chain,
|
||||
{{ vpn_media_interface }} : goto media-vpn-chain
|
||||
}
|
||||
|
||||
log
|
||||
}
|
||||
|
||||
chain wlan-chain {
|
||||
tcp dport {{ ssh_port }} accept comment "SSH"
|
||||
tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH"
|
||||
tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"
|
||||
|
||||
udp dport {{ vpn_port }} accept comment "Wireguard"
|
||||
udp dport {{ vpn_media_port }} accept comment "Wireguard media"
|
||||
}
|
||||
|
||||
set vpn_set {
|
||||
typeof ip saddr . ip daddr
|
||||
flags interval
|
||||
elements = { {{ vpn_subnet }} . {{ vpn_listen_address }}/{{ vpn_prefix }} }
|
||||
}
|
||||
|
||||
chain vpn-chain {
|
||||
meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS"
|
||||
|
||||
tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . ip daddr @vpn_set accept comment "HTTP/HTTPS"
|
||||
|
||||
tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web"
|
||||
|
||||
tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr . ip daddr @vpn_set accept comment "Syncthing"
|
||||
|
||||
tcp dport {{ mpd_port }} ip saddr . ip daddr @vpn_set accept comment "MPD"
|
||||
tcp dport {{ mpd_http_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP stream"
|
||||
tcp dport {{ mpd_http_mobile_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP mobile stream"
|
||||
}
|
||||
|
||||
set vpn_media_set {
|
||||
typeof ip saddr . ip daddr
|
||||
flags interval
|
||||
elements = { {{ vpn_media_subnet }} . {{ vpn_media_listen_address }}/{{ vpn_media_prefix }} }
|
||||
}
|
||||
|
||||
chain media-vpn-chain {
|
||||
meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS"
|
||||
|
||||
tcp dport {{ jellyfin_http_port }} ip saddr . ip daddr @vpn_media_set accept comment "Jellyfin HTTP"
|
||||
}
|
||||
}
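Review bot: The `iifname vmap` in the input chain dispatches with `goto`, so a packet sent to wlan-chain, vpn-chain or media-vpn-chain that matches no accept rule falls straight to the base chain's `policy drop` and never reaches the `log` rule placed after the vmap; only traffic arriving on an interface absent from the map is logged. If the intent is to log all drops, change the three map targets to `jump` (evaluation then returns to the input chain) or end each sub-chain with its own `log`, and in either case rate-limit it, e.g. `limit rate 5/minute burst 10 packets log prefix "nft-input-drop: "`, so a port scan cannot fill the journal. Separately, the Transmission Web rule in vpn-chain hard-codes `tcp dport { 80, 443 }` while the neighbouring rules use `{ {{ http_port }}, {{ https_port }} }`; unless that difference is deliberate (its `ip daddr {{ transmission_nginx_ip }}` suggests a separate nginx instance, which is not visible in this hunk) it should use the same template variables. Note also that the old `tcp dport {{ transmission_port }}` accept on the main interface has no counterpart in wlan-chain; if the peer port is now opened elsewhere in this commit that is fine, otherwise inbound peer connections are silently dropped.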
|
||||