author | Renken <renken@shione.net> | 2024-01-06 12:25:31 +0100 |
---|---|---|
committer | Renken <renken@shione.net> | 2024-02-20 22:54:06 +0100 |
commit | 1d54e783ae1de8a68e2f7bc9ec90631c594c311f (patch) | |
tree | 337ed2f7ae5b7d04c63257a32d56a6d814a7f0e6 | |
parent | 59feba0fcc996e76d05d62c5ee015e4a358ef2ba (diff) | |
config: shione: nftables: srt input/output
Accept incoming UDP packets over the VPN; allow incoming and outgoing SRT
connections over both the public network and the VPN.
-rw-r--r-- | config/shione/nftables/files/etc/nftables.conf | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/config/shione/nftables/files/etc/nftables.conf b/config/shione/nftables/files/etc/nftables.conf
index ed6634b..516718d 100644
--- a/config/shione/nftables/files/etc/nftables.conf
+++ b/config/shione/nftables/files/etc/nftables.conf
@@ -5,6 +5,9 @@ flush ruleset
 define eth_iface = enp1s0
 define wg_iface = wg0
 define wg_port = 51820
+define dns_port = 53
+define srt_input_udp_port = 60001
+define srt_output_port = 60000
 
 table inet filter {
 chain input_ipv4 {
@@ -36,8 +39,11 @@ table inet filter {
 # ip saddr 10.8.0.0/32
 
 # Allow VPN to use DNS.
-tcp dport { 53 } accept
-udp dport { 53 } accept
+tcp dport { $dns_port } accept
+udp dport {
+$dns_port,
+$srt_input_udp_port,
+} accept
 }
 
 chain input {
@@ -58,6 +64,10 @@ table inet filter {
 https,
 } accept
 
+udp dport {
+$srt_output_port,
+} accept
+
 # allow loopback traffic, anything else jump to chain for further evaluation
 iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
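Review bot: The three new defines name the same kind of value inconsistently: `srt_input_udp_port` carries the protocol in its name while `srt_output_port` does not, although both are used only as `udp dport` matches later in this diff. Renaming to `srt_input_port`/`srt_output_port`, or adding `udp` to both, keeps the symbols parallel with `dns_port` and `wg_port`. A one-line comment above the group, such as `# SRT listener ports; the two are opened in different chains below.`, would also record why they are not a single set.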
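Review bot: The comment `# Allow VPN to use DNS.` above the rewritten rule no longer describes it, since the udp set now also accepts `$srt_input_udp_port`, and a reader scanning this chain would assume only DNS is open here. Either update the comment, e.g. `# Allow VPN clients to use DNS and to deliver SRT input.`, or give SRT its own rule and comment so the DNS rule stays single-purpose. The chain header is outside the hunk, so that this is the VPN-facing chain is inferred from the comment and the commented-out `# ip saddr 10.8.0.0/32` line above it; with that restriction commented out, the accept applies to any source reaching this chain, which is worth confirming as intended for the SRT port as well as for DNS.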
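Review bot: The new `udp dport { $srt_output_port, } accept` is placed ahead of the `iifname vmap` dispatch in the same chain, so it accepts that port from every interface including `$eth_iface`, unlike the SRT input port, which is only opened in the chain edited in the previous hunk. That matches the commit message, but nothing in the file says so; a comment such as `# SRT output listener, intentionally reachable from both the public network and the VPN.` would keep a later reader from moving it into the VPN-only chain. The commit message also promises outgoing SRT connections, and whether an output chain needs a matching rule is not visible in this diff; the enclosing chain's header and any preceding `ct state` rule are outside the hunk as well.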