Maurice/alpine-server-setup
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updates

Browse Source
This commit is contained in:
Maurice
2025-09-30 13:04:56 +02:00
parent 777f78ce6f
commit 9a0277a48d
10 changed files with 39 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
services/firewall/install.sh
View File

@@ -3,4 +3,15 @@ echo "Setting up firewall..."
apk add nftables
rc-update add nftables boot
cat << EOF > /etc/nftables.nft
#!/usr/sbin/nft -f
# The state of stateful objects saved on the nftables service stop.
include "/var/lib/nftables/*.nft"
# Rules
include "/etc/nftables.d/*.nft"
EOF
rc-service nftables start

18
services/firewall/rules.nft
View File

@@ -1,3 +1,4 @@
#!/usr/sbin/nft -f
flush ruleset
define wan = eth0
@@ -36,16 +37,10 @@ define icmpv6_slaac = {
define lan_clients = { 10.0.0.3 }
table inet firewall {
# chain prerouting {
# type nat hook prerouting priority 0;
# # Example of port forwarding HTTP (80) from specific LAN clients to a local server
# ip saddr 10.0.0.4 ip daddr $self tcp dport 80 dnat to $self:9999
# }
chain postrouting {
type nat hook postrouting priority 100;
# Masquerade WireGuard VPN traffic to LAN subnet
# Masquerade WireGuard VPN WAN traffic to LAN subnet
oifname $wan ip saddr $vpn_net masquerade
}
@@ -71,12 +66,11 @@ table inet firewall {
ip saddr $lan_net tcp dport 22 accept # Allow SSH from LAN network
# AdGuard admin access (8888) only from LAN and VPN
ip saddr $lan_net tcp dport 8888 accept
ip saddr $vpn_net tcp dport 8888 accept
ip saddr { $lan_net, $vpn_net } tcp dport 8888 accept
# AdGuard DNS, DHCP, DoT, DoQ ports only from LAN
ip saddr $lan_net udp dport { 53, 67, 68, 784 } accept
ip saddr $lan_net tcp dport { 53, 853 } accept
# AdGuard DNS, DHCP, DoT, DoQ ports only from LAN and VPN
ip saddr { $lan_net, $vpn_net} udp dport { 53, 67, 68, 784 } accept
ip saddr { $lan_net, $vpn_net} tcp dport { 53, 853 } accept
# Rules for WAN interface only
iifname $wan udp dport 51820 accept # Allow Wireguard incoming from WAN

2
services/firewall/update.sh
View File

@@ -2,4 +2,4 @@
ln -sf ./rules.nft /etc/nftables.d/firewall.nft
echo "Reloading firewall rules..."
nft -f /etc/nftables.d/firewall.nft
nft -f /etc/nftables.nft