make git and bento publicly available

2023-12-06 17:08:05 +01:00
parent 6cfaa64fd2
commit 847ae4a2db


@@ -156,6 +156,9 @@
# iifname "multimedia" ip saddr <chromecast IP> tcp dport { llmnr } counter accept
# iifname "multimedia" ip saddr <chromecast IP> udp dport { mdns, llmnr } counter accept
# Accept web to git server
iifname "wan" oifname "server" tcp dst 10.42.97.50 dport { 22, 80, 443 } counter accept
# Allow returning traffic from wg_cloonar and drop everthing else
iifname "wg_cloonar" ct state { established, related } counter accept
iifname "wg_cloonar" drop
@@ -172,6 +175,7 @@
iifname "wg_ghetto_at" ct state { established, related } counter accept
iifname "wg_ghetto_at" drop
# Allow returning traffic from wan and drop everthing else
iifname "wan" ct state { established, related } accept comment "Allow established traffic"
iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
@@ -213,12 +217,14 @@
table ip nat {
chain prerouting {
type nat hook prerouting priority filter; policy accept;
iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50
}
# Setup NAT masquerading on external interfaces
chain postrouting {
type nat hook postrouting priority filter; policy accept;
oifname { "wan", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
ip daddr 10.42.97.50 masquerade
}
}
'';
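Review bot: The postrouting rule `ip daddr 10.42.97.50 masquerade` source-NATs every connection to the server, including those arriving from `wan` through the new DNAT, so the git and bento services will log the router's address instead of the real client address. That removes attribution from SSH and web access logs and defeats per-source rate limiting or ban tooling on a host that is now reachable on ports 22, 80 and 443 from the internet. If the rule exists for hairpin access from internal networks, scope it so WAN traffic keeps its source, for example `iifname != "wan" ip daddr 10.42.97.50 masquerade`. The +/- markers are lost on this page, so which lines are new is inferred from the hunk headers. Separately, `tcp dst 10.42.97.50 dport { 22, 80, 443 }` in the forward rule does not look like valid nft syntax; `ip daddr 10.42.97.50 tcp dport { 22, 80, 443 }` is presumably what was meant.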