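*filter
# Default policies: drop unsolicited inbound and transit traffic, allow everything the host itself sends.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections this host opened, plus anything on loopback and on the dn42 tunnel interface.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i tinc_dn42 -j ACCEPT
# Every ICMPv6 type is accepted on every interface, with no rate limit.
# NOTE(review): if eth0 is public-facing, consider narrowing this to the types actually needed (RFC 4890 gives guidance) — confirm.
-A INPUT -p icmpv6 -j ACCEPT
# traceroute: answer the usual UDP probe range with port-unreachable so traces terminate cleanly.
# The catch-all REJECT at the end of this chain gives the same answer; this rule documents the intent.
-A INPUT -p udp -m multiport --dports 33434:33534 -j REJECT --reject-with icmp6-port-unreachable
# DNS: no -i match, so port 53 is reachable on every interface, including eth0.
# NOTE(review): if the resolver listening here is recursive, this exposes it beyond the tunnel — confirm it is authoritative-only or restrict to the intended interfaces.
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
# BGP: likewise reachable on every interface. Peers arriving over tinc_dn42 are already accepted above,
# so this rule only matters for peers on other interfaces — presumably intentional; verify.
-A INPUT -p tcp --dport 179 -j ACCEPT
# LG (looking glass, presumably): the only services deliberately limited to eth0.
-A INPUT -i eth0 -p tcp --dport 6042 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 6142 -j ACCEPT
# Everything else is answered with port-unreachable rather than silently dropped.
-A INPUT -j REJECT --reject-with icmp6-port-unreachable
# Transit between ULA (fd00::/8) addresses on any pair of interfaces.
# (A byte-identical copy of this rule used to follow it; it could never match and has been removed.)
-A FORWARD -s fd00::/8 -d fd00::/8 -j ACCEPT
# fcee::1 is the DNAT target in the nat table and lies outside fd00::/8, so the rule above does not
# cover it. FORWARD has no RELATED,ESTABLISHED rule, hence both directions are listed explicitly.
-A FORWARD -s fd00::/8 -d fcee::1/128 -j ACCEPT
-A FORWARD -s fcee::1/128 -d fd00::/8 -j ACCEPT
# Any other transit traffic is rejected.
-A FORWARD -j REJECT --reject-with icmp6-port-unreachable
COMMIT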
*mangle
# Tag every packet that enters on eth0 with mark 0x4242. The mark is read by the
# POSTROUTING MASQUERADE rule in the nat table, so only eth0-originated traffic gets source-NATed.
-A PREROUTING -i eth0 -j MARK --set-mark 0x4242
COMMIT
*nat
# Publish HTTP/HTTPS on the ULA address fd3e:bc05:2d6::80 by rewriting the destination to fcee::1.
# DNAT only changes the destination; delivery still depends on the FORWARD chain, which accepts
# traffic to fcee::1 only from fd00::/8 sources — so the service is reachable from ULA sources only, as far as this file shows.
-A PREROUTING -d fd3e:bc05:2d6::80/128 -p tcp --dport 80 -j DNAT --to-destination fcee::1
-A PREROUTING -d fd3e:bc05:2d6::80/128 -p tcp --dport 443 -j DNAT --to-destination fcee::1
# Source-NAT packets heading into fd00::/8 that carry the eth0 mark set in the mangle table,
# so replies come back through this host instead of to the original (non-dn42) source.
# NOTE(review): this hides the real origin of eth0-sourced traffic from dn42 peers' logs — make sure that is intended.
-A POSTROUTING -d fd00::/8 -m mark --mark 0x4242 -j MASQUERADE
COMMIT