From 1d54e783ae1de8a68e2f7bc9ec90631c594c311f Mon Sep 17 00:00:00 2001 From: Renken Date: Sat, 6 Jan 2024 12:25:31 +0100 Subject: config: shione: nftables: srt input/output Accept incoming UDP packets over VPN, allow incoming and outgoing SRT connections over both public network and VPN. --- config/shione/nftables/files/etc/nftables.conf | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'config/shione/nftables') diff --git a/config/shione/nftables/files/etc/nftables.conf b/config/shione/nftables/files/etc/nftables.conf index ed6634b..516718d 100644 --- a/config/shione/nftables/files/etc/nftables.conf +++ b/config/shione/nftables/files/etc/nftables.conf @@ -5,6 +5,9 @@ flush ruleset define eth_iface = enp1s0 define wg_iface = wg0 define wg_port = 51820 +define dns_port = 53 +define srt_input_udp_port = 60001 +define srt_output_port = 60000 table inet filter { chain input_ipv4 { @@ -36,8 +39,11 @@ table inet filter { # ip saddr 10.8.0.0/32 # Allow VPN to use DNS. - tcp dport { 53 } accept - udp dport { 53 } accept + tcp dport { $dns_port } accept + udp dport { + $dns_port, + $srt_input_udp_port, + } accept } chain input { @@ -58,6 +64,10 @@ table inet filter { https, } accept + udp dport { + $srt_output_port, + } accept + # allow loopback traffic, anything else jump to chain for further evaluation iifname vmap { lo : accept, $eth_iface : jump input_world, $wg_iface : jump input_vpn } -- cgit v1.2.3