commit 54189e64dcd62ca033c0b48d612a477612e05c96
Author: nihonium
Date: Wed Dec 21 20:38:04 2022 +0300
iptable rules
diff --git a/rules.v4 b/rules.v4
new file mode 100644
index 0000000..7994fa8
--- /dev/null
+++ b/rules.v4
@@ -0,0 +1,67 @@
+##########################
+# Rules for table FILTER #
+##########################
+*filter
+# Delault policies for chains
+:INPUT DROP [118:6794]
+:FORWARD DROP [135:8672]
+:OUTPUT ACCEPT [585300:650020709]
+
+# Allow SSH and Wireguard traffic
+-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
+-A INPUT -p udp -m udp --dport 51820 -j ACCEPT
+
+# Allow ICMP for debugging
+-A INPUT -p icmp -j ACCEPT
+-A OUTPUT -p icmp -j ACCEPT
+
+# Allow a return path for any outgoing traffic initiated by local processes
+-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
+
+# Allow established and related connections for FORWARD chain
+-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+-A FORWARD -i wg0 -j ACCEPT
+
+# Allow new connections for all services on iota
+# Nginx
+-A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 80,443,8222 -m conntrack --ctstate NEW -j ACCEPT
+# SSH
+-A FORWARD -i eth0 -o wg0 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
+# Ejabberd
+-A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 5222,5223,5269,5280,5443,5349 -m conntrack --ctstate NEW -j ACCEPT
+-A FORWARD -i eth0 -o wg0 -p udp --dport 3478 -m conntrack --ctstate NEW -j ACCEPT
+# Gitea SSH
+-A FORWARD -i eth0 -o wg0 -p tcp --dport 22222 -m conntrack --ctstate NEW -j ACCEPT
+
+COMMIT
+
+#######################
+# Rules for table NAT #
+#######################
+*nat
+# Default policies for chains
+:PREROUTING ACCEPT [3303:233473]
+:INPUT ACCEPT [2173:121219]
+:OUTPUT ACCEPT [851:52598]
+:POSTROUTING ACCEPT [1807:110254]
+
+# SNAT and DNAT for services on iota
+# To make this rules valid you should allow new connections to corresponding ports above
+
+# Port forwarding for services
+#
+# Nginx
+-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.1.0.2
+-A PREROUTING -i eth0 -p tcp --dport 8223 -j DNAT --to-destination 10.1.0.2:8222
+# SSH
+-A PREROUTING -i eth0 -p tcp --dport 8222 -j DNAT --to-destination 10.1.0.2:22
+# Ejabberd
+-A PREROUTING -i eth0 -p tcp -m multiport --dports 5222,5223,5269,5280,5443,5349 -j DNAT --to-destination 10.1.0.2
+-A PREROUTING -i eth0 -p udp --dport 3478 -j DNAT --to-destination 10.1.0.2
+# Gitea SSH
+-A PREROUTING -i eth0 -p tcp --dport 22222 -j DNAT --to-destination 10.1.0.2
+
+# For all traffic came from wg0 interface we rewrite source IP with IP of the gateway
+-A POSTROUTING -o eth0 -s 10.1.0.0/24 -j SNAT --to-source 45.89.228.240
+
+COMMIT
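Review bot: The filter table sets `:INPUT DROP` but never accepts loopback, so every local-to-local connection on the gateway (resolver, local daemons, anything bound to 127.0.0.1) is dropped; add `-A INPUT -i lo -j ACCEPT` at the top of the INPUT rules. The return-path rule `-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT` is qualified with `-i eth0`, so replies to connections the gateway itself initiates over wg0 (for example to 10.1.0.2) are also dropped; dropping the `-i eth0` qualifier, and using `-m conntrack --ctstate` like the FORWARD rules, would fix that and make the style consistent. With a DROP policy and no LOG rule, rejected traffic leaves no trace; a rate-limited `-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "` placed last in INPUT would make it visible for monitoring. The comment `# Delault policies for chains` has a typo (`Default`), and `# To make this rules valid` should read `these rules`.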