firewall: make ipv4 work

This commit is contained in:
Daniel Barlow 2024-02-08 22:59:47 +00:00
parent 273c66b2d3
commit aca3e11631


@ -184,8 +184,9 @@ in {
family = "ip"; family = "ip";
rules = [ rules = [
(accept "udp dport 547") (accept "udp dport 67") # dhcp
(accept "tcp dport 22") (accept "udp dport 53") # dns
(accept "tcp dport 22") # ssh
]; ];
}; };
@ -194,6 +195,7 @@ in {
family = "ip"; family = "ip";
rules = [ rules = [
(accept "udp sport 53")
]; ];
}; };
@ -204,10 +206,11 @@ in {
hook = "input"; hook = "input";
rules = [ rules = [
"iifname lo accept" "iifname lo accept"
"icmp type { echo-request, echo-reply } accept"
"iifname int jump input-ip4-lan" "iifname int jump input-ip4-lan"
"iifname ppp0 jump input-ip4-wan" "iifname ppp0 jump input-ip4-wan"
"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4" "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
"ct state vmap established,related accept" "ct state established,related accept"
"log prefix \"DENIED CHAIN=input-ip4 \"" "log prefix \"DENIED CHAIN=input-ip4 \""
]; ];
}; };
@ -219,7 +222,7 @@ in {
hook = "forward"; hook = "forward";
rules = [ rules = [
"iifname \"int\" accept" "iifname \"int\" accept"
"ct state vmap { established : accept, related : accept, invalid : drop }" "ct state established,related accept"
"oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4" "oifname \"int\" iifname \"ppp0\" jump incoming-allowed-ip4"
"log prefix \"DENIED CHAIN=forward-ip4 \"" "log prefix \"DENIED CHAIN=forward-ip4 \""
]; ];
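Review bot: In the forward chain, rewriting `"ct state vmap { established : accept, related : accept, invalid : drop }"` to `"ct state established,related accept"` (taking the right-hand text as the new side) silently loses the explicit `invalid : drop` verdict, so packets in `ct state invalid` now fall through to the `incoming-allowed-ip4` jump and the log rule instead of being discarded up front, and whether they are ultimately dropped depends on the chain policy, which is declared above the hunk and not visible here. Keeping that behaviour explicit is one line placed before the accept rule: `"ct state invalid drop"`. The corresponding rewrite in the input chain (`@ -204,10 +206,11`) replaces a form that appears never to have been valid nft syntax (`vmap` expects a map literal), so that change is fine as is, but note that the new `"icmp type { echo-request, echo-reply } accept"` rule sits before the `iifname` jumps and carries no interface match, so it also accepts echo-request arriving on `ppp0`; prefix it with `iifname int` if WAN ping is not intended. The enclosing chain definition (name and policy) begins outside the hunk.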