From 190194593f520bca5f790a253259babc57a953db Mon Sep 17 00:00:00 2001 From: Renken Date: Tue, 30 Jul 2024 20:55:43 +0200 Subject: [PATCH] nftables: allow syncthing access over vpn GUI is also accessible over VPN. However, it will be replaced by sync.shione.net later on routed through nginx. --- .../shione/nftables/files/etc/nftables.conf | 38 +++++++++++-------- 1 file changed, 23 insertions(+), 15 deletions(-) diff --git a/config/shione/nftables/files/etc/nftables.conf b/config/shione/nftables/files/etc/nftables.conf index 3365e34..aa9f5c4 100644 --- a/config/shione/nftables/files/etc/nftables.conf +++ b/config/shione/nftables/files/etc/nftables.conf @@ -1,6 +1,6 @@ #!/usr/sbin/nft -f -flush ruleset +flush ruleset define eth_iface = enp1s0 define wg_iface = wg0 @@ -9,19 +9,21 @@ define dns_port = 53 define srt_input_udp_port = 60001 define srt_output_port = 60000 define srb2kart_port = 5029 - +define syncthing_port = 22000 +define syncthing_gui_port = 8384 + table inet filter { chain input_ipv4 { # accepting ping (icmp-echo-request) for diagnostic purposes. # However, it also lets probes discover this host is alive. # This sample accepts them within a certain rate limit: - icmp type echo-request limit rate 5/second accept + icmp type echo-request limit rate 5/second accept } - chain input_ipv6 { + chain input_ipv6 { # accept neighbour discovery otherwise connectivity breaks icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept - + # accepting ping (icmpv6-echo-request) for diagnostic purposes. # However, it also lets probes discover this host is alive. # This sample accepts them within a certain rate limit: 
@@ -40,20 +42,26 @@ table inet filter { # ip saddr 10.8.0.0/32 # Allow VPN to use DNS. - tcp dport { $dns_port } accept + tcp dport { + $dns_port + $syncthing_port, + $syncthing_gui_port, + } accept + udp dport { $dns_port, $srt_input_udp_port, + $syncthing_port, } accept } - chain input { + chain input { # By default, drop all traffic unless it meets a filter # criteria specified by the rules that follow below. type filter hook input priority 0; policy drop; # Allow traffic from established and related packets, drop invalid - ct state vmap { established : accept, related : accept, invalid : drop } + ct state vmap { established : accept, related : accept, invalid : drop } # Jump to chain according to layer 3 protocol using a verdict map meta protocol vmap { ip : jump input_ipv4, ip6 : jump input_ipv6 } @@ -78,10 +86,10 @@ table inet filter { # Reject with polite "port unreachable" icmp response reject - } - - chain forward { - # Drop everything (assumes this device is not a router) + } + + chain forward { + # Drop everything (assumes this device is not a router) # type filter hook forward priority filter; type filter hook forward priority 0; policy drop; @@ -89,7 +97,7 @@ table inet filter { meta l4proto { icmp, ipv6-icmp } accept # Allow traffic from established and related packets, drop invalid - ct state vmap { established : accept, related : accept, invalid : drop } + ct state vmap { established : accept, related : accept, invalid : drop } # Forward traffic within the VPN and between it and the outside world. iifname $wg_iface oifname $wg_iface counter accept; @@ -98,7 +106,7 @@ table inet filter { # Reject with polite "host unreachable" icmp response reject with icmpx type host-unreachable - } + } chain prerouting { type nat hook prerouting priority 0; 
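Review bot: The rewritten tcp dport set in the VPN DNS rule is missing the separator after its first element — as printed in the hunk, `$dns_port` is followed directly by `$syncthing_port,` on the next line, and nft's set syntax expects a comma between elements (the trailing comma on the later lines is fine), so this likely fails to parse. If it does, `nft -f` rejects the whole file atomically, so none of the new rules load and, where this file is what builds the ruleset at boot, the host may come up with no input filter at all; the fix is `$dns_port,`. The comment above the rule, `# Allow VPN to use DNS.`, now also covers the syncthing data and GUI ports and should say so, e.g. `# Allow VPN clients to reach DNS, syncthing sync (22000 tcp/udp) and the syncthing GUI (8384).`. The chain holding these rules begins above the hunk, so the interface or source address the rule is scoped to is not visible here.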
@@ -109,6 +117,6 @@ table inet filter { # Masquerade all packets from WireGuard VPN to the outside world. iifname $wg_iface oifname $eth_iface masquerade } - + # no need to define output chain, default policy is accept if undefined. }