diff options
Diffstat (limited to 'hosts/vidhar/network/ruleset.nft')
| -rw-r--r-- | hosts/vidhar/network/ruleset.nft | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft index 1edae167..7897fb3d 100644 --- a/hosts/vidhar/network/ruleset.nft +++ b/hosts/vidhar/network/ruleset.nft | |||
| @@ -60,6 +60,7 @@ table inet filter { | |||
| 60 | counter fw-lo {} | 60 | counter fw-lo {} |
| 61 | counter fw-lan {} | 61 | counter fw-lan {} |
| 62 | counter fw-gpon {} | 62 | counter fw-gpon {} |
| 63 | counter fw-kimai {} | ||
| 63 | 64 | ||
| 64 | counter fw-cups {} | 65 | counter fw-cups {} |
| 65 | 66 | ||
| @@ -94,6 +95,8 @@ table inet filter { | |||
| 94 | counter immich-rx {} | 95 | counter immich-rx {} |
| 95 | counter paperless-rx {} | 96 | counter paperless-rx {} |
| 96 | counter hledger-rx {} | 97 | counter hledger-rx {} |
| 98 | counter audiobookshelf-rx {} | ||
| 99 | counter kimai-rx {} | ||
| 97 | 100 | ||
| 98 | counter established-rx {} | 101 | counter established-rx {} |
| 99 | 102 | ||
| @@ -125,6 +128,8 @@ table inet filter { | |||
| 125 | counter immich-tx {} | 128 | counter immich-tx {} |
| 126 | counter paperless-tx {} | 129 | counter paperless-tx {} |
| 127 | counter hledger-tx {} | 130 | counter hledger-tx {} |
| 131 | counter audiobookshelf-tx {} | ||
| 132 | counter kimai-tx {} | ||
| 128 | 133 | ||
| 129 | counter tx {} | 134 | counter tx {} |
| 130 | 135 | ||
| @@ -148,8 +153,13 @@ table inet filter { | |||
| 148 | 153 | ||
| 149 | oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept | 154 | oifname { lan, gpon, bifrost } meta l4proto $icmp_protos jump forward_icmp_accept |
| 150 | iifname lan oifname { gpon, bifrost } counter name fw-lan accept | 155 | iifname lan oifname { gpon, bifrost } counter name fw-lan accept |
| 156 | iifname ve-kimai oifname gpon counter name fw-kimai accept | ||
| 151 | 157 | ||
| 152 | iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept | 158 | iifname gpon oifname lan ct state { established, related } counter name fw-gpon accept |
| 159 | iifname gpon oifname ve-kimai ct state { established, related } counter name fw-kimai accept | ||
| 160 | |||
| 161 | iifname bifrost oifname ve-kimai tcp dport 80 ip6 saddr $bifrost_surtr ip6 daddr 2a03:4000:52:ada:6::2 counter name kimai-rx accept | ||
| 162 | iifname ve-kimai oifname bifrost tcp sport 80 ip6 saddr 2a03:4000:52:ada:6::2 ip6 daddr $bifrost_surtr counter name kimai-tx accept | ||
| 153 | 163 | ||
| 154 | 164 | ||
| 155 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop | 165 | limit name lim_reject log level debug prefix "drop forward: " counter name reject-ratelimit-fw drop |
| @@ -203,6 +213,7 @@ table inet filter { | |||
| 203 | iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept | 213 | iifname bifrost tcp dport 2283 ip6 saddr $bifrost_surtr counter name immich-rx accept |
| 204 | iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept | 214 | iifname bifrost tcp dport 28981 ip6 saddr $bifrost_surtr counter name paperless-rx accept |
| 205 | iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept | 215 | iifname bifrost tcp dport 5000 ip6 saddr $bifrost_surtr counter name hledger-rx accept |
| 216 | iifname bifrost tcp dport 28982 ip6 saddr $bifrost_surtr counter name audiobookshelf-rx accept | ||
| 206 | 217 | ||
| 207 | ct state { established, related } counter name established-rx accept | 218 | ct state { established, related } counter name established-rx accept |
| 208 | 219 | ||
| @@ -254,6 +265,7 @@ table inet filter { | |||
| 254 | iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept | 265 | iifname bifrost tcp sport 2283 ip6 daddr $bifrost_surtr counter name immich-tx accept |
| 255 | iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept | 266 | iifname bifrost tcp sport 28981 ip6 daddr $bifrost_surtr counter name paperless-tx accept |
| 256 | iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept | 267 | iifname bifrost tcp sport 5000 ip6 daddr $bifrost_surtr counter name hledger-tx accept |
| 268 | iifname bifrost tcp sport 28982 ip6 daddr $bifrost_surtr counter name audiobookshelf-tx accept | ||
| 257 | 269 | ||
| 258 | 270 | ||
| 259 | counter name tx | 271 | counter name tx |
| @@ -262,7 +274,7 @@ table inet filter { | |||
| 262 | 274 | ||
| 263 | table inet nat { | 275 | table inet nat { |
| 264 | counter gpon-nat {} | 276 | counter gpon-nat {} |
| 265 | # counter container-nat {} | 277 | counter kimai-nat {} |
| 266 | 278 | ||
| 267 | chain postrouting { | 279 | chain postrouting { |
| 268 | type nat hook postrouting priority srcnat | 280 | type nat hook postrouting priority srcnat |
| @@ -270,7 +282,7 @@ table inet nat { | |||
| 270 | 282 | ||
| 271 | 283 | ||
| 272 | meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade | 284 | meta nfproto ipv4 oifname gpon counter name gpon-nat masquerade |
| 273 | # iifname ve-* oifname gpon counter name container-nat masquerade | 285 | iifname ve-kimai oifname gpon counter name kimai-nat masquerade |
| 274 | } | 286 | } |
| 275 | } | 287 | } |
| 276 | 288 | ||