authorRenken <renken@shione.net>2024-01-06 12:25:31 +0100
committerRenken <renken@shione.net>2024-02-20 22:54:06 +0100
commit1d54e783ae1de8a68e2f7bc9ec90631c594c311f (patch)
tree337ed2f7ae5b7d04c63257a32d56a6d814a7f0e6 /config/shione/nftables
parent59feba0fcc996e76d05d62c5ee015e4a358ef2ba (diff)
config: shione: nftables: srt input/output
Accept incoming UDP packets over the VPN, and allow incoming and outgoing SRT connections over both the public network and the VPN.
Diffstat (limited to 'config/shione/nftables')
-rw-r--r--config/shione/nftables/files/etc/nftables.conf14
1 files changed, 12 insertions, 2 deletions
diff --git a/config/shione/nftables/files/etc/nftables.conf b/config/shione/nftables/files/etc/nftables.conf
index ed6634b..516718d 100644
--- a/config/shione/nftables/files/etc/nftables.conf
+++ b/config/shione/nftables/files/etc/nftables.conf
@@ -5,6 +5,9 @@ flush ruleset
define eth_iface = enp1s0
define wg_iface = wg0
define wg_port = 51820
+define dns_port = 53
+define srt_input_udp_port = 60001
+define srt_output_port = 60000
table inet filter {
chain input_ipv4 {
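Review bot: The two new SRT defines are named inconsistently — `srt_input_udp_port` carries the protocol in its name while `srt_output_port` does not, although both are only ever used in `udp dport` matches in this diff — and nothing says which SRT endpoint listens on which port. Consider `define srt_input_port = 60001` (adjusting the single use in the VPN chain) and a one-line comment above the pair naming the role of each port, since the bare numbers 60000/60001 give a later reader no clue which one is the public listener. The `define dns_port = 53` hunk is fine as is.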
@@ -36,8 +39,11 @@ table inet filter {
# ip saddr 10.8.0.0/32
# Allow VPN to use DNS.
- tcp dport { 53 } accept
- udp dport { 53 } accept
+ tcp dport { $dns_port } accept
+ udp dport {
+ $dns_port,
+ $srt_input_udp_port,
+ } accept
}
chain input {
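Review bot: The comment `# Allow VPN to use DNS.` now heads a udp set that also accepts `$srt_input_udp_port`, so it no longer describes the rule beneath it and a reader auditing the VPN chain will miss that a second service is exposed there. Either update it to `# Allow VPN to use DNS and to reach the SRT input port.` or keep the DNS rule as it was and add a separate `udp dport { $srt_input_udp_port } accept` with its own comment, which also keeps the two ports independently removable. The enclosing chain starts before this hunk; its name is not visible here, though the DNS comment suggests it is `input_vpn`.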
@@ -58,6 +64,10 @@ table inet filter {
https,
} accept
+ udp dport {
+ $srt_output_port,
+ } accept
+
# allow loopback traffic, anything else jump to chain for further evaluation
iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn }
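Review bot: The `udp dport { $srt_output_port, } accept` added to `chain input` sits above the `iifname vmap` that dispatches to `input_world` and `input_vpn`, so UDP 60000 is accepted on every interface that reaches this chain and skips whatever per-interface checks those two chains apply (the VPN chain, judging by its `ip saddr` comment, appears to filter by source). The commit message does say both public network and VPN, and the existing tcp accept just above it has the same shape, so this may be deliberate; if the intent is to match the other services, drop it here and add `udp dport { $srt_output_port } accept` inside `input_world` and `input_vpn` instead, so that the public exposure is visible next to the other public-facing rules. The commit message also speaks of outgoing SRT connections, yet no output chain is touched in this diff; if the output policy is accept that is fine, otherwise the outbound side is missing. `chain input` starts before this hunk and continues past it.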