diff options
| author | W. Kosior <koszko@koszko.org> | 2025-03-21 09:37:33 +0100 |
|---|---|---|
| committer | W. Kosior <koszko@koszko.org> | 2025-03-21 09:37:33 +0100 |
| commit | 02016d0edb8e566746a5fd72f39aee6b5d00b3a4 (patch) | |
| tree | 45c0deae37f3ef34b1d2bb7316d98a9da5a8f4ba | |
| parent | df209c32cfb8ba61947702e951e14fdf5073d623 (diff) | |
| download | koszko-org-guix-server-02016d0edb8e566746a5fd72f39aee6b5d00b3a4.tar.gz koszko-org-guix-server-02016d0edb8e566746a5fd72f39aee6b5d00b3a4.zip | |
Update/improve NATing and filtering.
| -rw-r--r-- | salamina.scm | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/salamina.scm b/salamina.scm index d09efd8..e1af51d 100644 --- a/salamina.scm +++ b/salamina.scm @@ -589,22 +589,37 @@ proxy65_acl = { \"koszko.org\" } *filter :INPUT ACCEPT -:FORWARD ACCEPT +:FORWARD DROP :OUTPUT ACCEPT +-A FORWARD --source 10.8.0.0/24 --in-interface eth+ -j DROP +-A FORWARD ! --source 10.8.0.0/24 --in-interface tun0 -j DROP +-A FORWARD --source 10.8.0.1 -j DROP +~@* +-A FORWARD --source ~a -j DROP +-A FORWARD --match conntrack --ctstate DNAT -j ACCEPT + COMMIT *nat +~1@* ~:{-A ~a -p ~a --destination 10.8.0.1 --dport 53 \ -j DNAT --to-destination 10.8.0.1:5353~%~}\ +~@* -A PREROUTING -p tcp --destination ~a --dport 11022 \ -j DNAT --to-destination 10.8.0.36:11022 +~@* +-A PREROUTING -p tcp --destination ~a --dport 12022 \ + -j DNAT --to-destination 10.8.0.14:12022 + +-A POSTROUTING ! --source 10.8.0.0/24 --destination 10.8.0.0/24 \ + -j SNAT --to-source 10.8.0.1 COMMIT -" '((OUTPUT udp) (OUTPUT tcp) (PREROUTING udp) (PREROUTING tcp)) - %salamina-v4-addr)))))) +" %salamina-v4-addr + '((OUTPUT udp) (OUTPUT tcp) (PREROUTING udp) (PREROUTING tcp)))))))) (define (make-koszko-zone-entries domain) |