# {{ ansible_managed }}
# vim:set ts=2 sw=2 et:
#
# nftables ruleset template rendered by Ansible (Jinja2 placeholders).
# Everything below lives in one IPv4 table ("table ip filter"); no inet or
# ip6 table is defined in this file, so IPv6 packets are not filtered here.
# NOTE(review): confirm IPv6 is disabled on the host or filtered elsewhere.

# Start from scratch: removes every existing table in every family
# (including any created by other tools) before the table below is defined.
flush ruleset

table ip filter {
  # NAT hook: runs before the input/forward filter hooks, so the filter rules
  # further down see the rewritten destination address. No policy is given,
  # so the chain's implicit accept applies to everything the rule misses.
  chain prerouting {
    type nat hook prerouting priority -100;

    # Syncthing protocol traffic from VPN clients addressed to the nginx IP is
    # redirected to the Syncthing app IP; the matching accept is the
    # "Syncthing protocol" rule in vpn_chain. NOTE(review): the rewritten
    # packet reaches the input hook only if syncthing_app_ip is local to this
    # host; a container/bridge address traverses forward instead, where only
    # DOCKER-USER below applies — confirm which one it is.
    iifname {{ vpn_interface }} tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} dnat to {{ syncthing_app_ip }}
  }

  # Default-deny input filter: anything not accepted here or in the
  # per-interface chains it dispatches to is dropped.
  chain input {
    type filter hook input priority 0; policy drop;

    # allow established/related connections
    ct state { established, related } accept

    # early drop of invalid connections
    ct state invalid drop

    # allow from loopback
    iifname lo accept

    # allow icmp (every type, no rate limit)
    ip protocol icmp accept

    # Dispatch on ingress interface. These are goto, not jump: a packet that
    # reaches the end of the target chain without a verdict does not come
    # back here, so it is dropped by the chain policy without ever hitting
    # the "log" rule below.
    iifname vmap {
      {{ network_interface }} : goto wlan_chain,
      {{ vpn_interface }} : goto vpn_chain,
      {{ vpn_media_interface }} : goto media_vpn_chain
    }

    # Reached only by traffic from interfaces not listed in the vmap; such
    # packets are logged and then dropped by the policy. NOTE(review): there
    # is no "limit rate" and no log prefix, so a scan or flood on an unlisted
    # interface can fill the journal with unlabelled entries.
    log
  }

  # Services reachable on the LAN/WLAN interface. Anything else arriving on
  # that interface falls off the end of this chain and is dropped silently.
  chain wlan_chain {
    tcp dport {{ ssh_port }} accept comment "SSH"
    tcp dport {{ forgejo_ssh_port }} accept comment "Forgejo SSH"
    tcp dport { {{ http_port }}, {{ https_port }} } accept comment "HTTP/HTTPS"

    udp dport {{ vpn_port }} accept comment "Wireguard"
    udp dport {{ vpn_media_port }} accept comment "Wireguard media"
  }

  # (saddr . daddr) interval set: the VPN client range paired with the VPN
  # listen network (vpn_listen_address/vpn_prefix). Rules matching "@vpn_set"
  # accept traffic from VPN clients to any address inside that network.
  set vpn_set {
    typeof ip saddr . ip daddr
    flags interval
    elements = { {{ vpn_subnet }} . {{ vpn_listen_address }}/{{ vpn_prefix }} }
  }

  # Services reachable from the main VPN. Rules using @vpn_set are scoped to
  # the VPN listen network; the per-service rules are scoped to a specific
  # nginx/app IP instead.
  chain vpn_chain {
    meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_set accept comment "DNS"

    # NOTE(review): unresolved TODO. This rule overlaps the port-80/443
    # service rules below only if the nginx IPs lie inside the vpn_set daddr
    # range; check that before removing it.
    tcp dport { {{ http_port }}, {{ https_port }} } ip saddr . ip daddr @vpn_set accept comment "HTTP/HTTPS" # TODO: remove?

    # NOTE(review): the service rules below use literal 80/443 while the rule
    # above uses http_port/https_port; keep them consistent if the variables
    # ever diverge from the defaults.
    tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept comment "Transmission Web"

    tcp dport { 80, 443 } ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept comment "Syncthing Web"
    # Matches the post-DNAT destination set by the prerouting chain above.
    tcp dport {{ syncthing_protocol_port }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_app_ip }} accept comment "Syncthing protocol"

    tcp dport 80 ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept comment "Radicale"

    tcp dport {{ mpd_port }} ip saddr . ip daddr @vpn_set accept comment "MPD"
    tcp dport {{ mpd_http_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP stream"
    tcp dport {{ mpd_http_mobile_stream_port }} ip saddr . ip daddr @vpn_set accept comment "MPD HTTP mobile stream"
  }

  # Same shape as vpn_set, for the media VPN.
  set vpn_media_set {
    typeof ip saddr . ip daddr
    flags interval
    elements = { {{ vpn_media_subnet }} . {{ vpn_media_listen_address }}/{{ vpn_media_prefix }} }
  }

  # Services reachable from the media VPN: DNS to the listen network and
  # Jellyfin via its nginx IP only.
  chain media_vpn_chain {
    meta l4proto { tcp, udp } th dport 53 ip saddr . ip daddr @vpn_media_set accept comment "DNS"

    tcp dport { 80, 443 } ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept comment "Jellyfin"
  }

  # docker's user configurable forward hook chain
  # This is a regular chain with no hook of its own; it only takes effect if
  # something (presumably Docker's FORWARD rules) jumps to it. "flush ruleset"
  # above also removes Docker's own tables, so Docker has to (re)create its
  # rules after this file is loaded — confirm the service ordering.
  # NOTE(review): unlike the port-scoped rules in vpn_chain/media_vpn_chain,
  # these accepts carry no protocol or port match, so every port on the
  # listed nginx IPs is reachable from the VPN subnets on the forward path.
  chain DOCKER-USER {
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ transmission_nginx_ip }} accept
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ syncthing_nginx_ip }} accept
    iifname {{ vpn_interface }} ip saddr {{ vpn_subnet }} ip daddr {{ radicale_nginx_ip }} accept

    iifname {{ vpn_media_interface }} ip saddr {{ vpn_media_subnet }} ip daddr {{ jellyfin_nginx_ip }} accept
  }
}