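# iptables-restore rule set for the WireGuard gateway in front of the host "iota" (10.1.0.2).
# Load with: iptables-restore < <this file>
# The FORWARD/NAT rules only take effect when IP forwarding is enabled (net.ipv4.ip_forward=1).

##########################
# Rules for table FILTER #
##########################
*filter

# Default policies for chains
:INPUT DROP [118:6794]
:FORWARD DROP [135:8672]
:OUTPUT ACCEPT [585300:650020709]

# Allow all loopback traffic. INPUT defaults to DROP, so without this rule
# local processes talking to each other over 127.0.0.1 are silently dropped.
-A INPUT -i lo -j ACCEPT

# Allow SSH and Wireguard traffic
# NOTE: port 22 is reachable on every interface and from any source address.
# Restrict with -s to trusted ranges (or add a rate limit) if that exposure is not intended.
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 51820 -j ACCEPT

# Allow ICMP for debugging
-A INPUT -p icmp -j ACCEPT
-A OUTPUT -p icmp -j ACCEPT

# Allow a return path for any outgoing traffic initiated by local processes
# Not limited to eth0: replies to connections the gateway itself opens over wg0
# (e.g. towards iota) arrive on wg0 and would otherwise hit the DROP policy.
# -m conntrack is the current form of the deprecated -m state alias used elsewhere here.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow established and related connections for FORWARD chain
-A FORWARD -o wg0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Anything arriving from the tunnel may be forwarded anywhere (other peers, or the
# internet via the SNAT rule below). Add -o / -d restrictions if peers are not fully trusted.
-A FORWARD -i wg0 -j ACCEPT

# Allow new connections for all services on iota
# These rules match the destination port AFTER the DNAT performed in the nat table below.
# Nginx
-A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 80,443,8222 -m conntrack --ctstate NEW -j ACCEPT
# SSH
-A FORWARD -i eth0 -o wg0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Ejabberd
-A FORWARD -i eth0 -o wg0 -p tcp -m multiport --dports 5222,5223,5269,5280,5443,5349 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i eth0 -o wg0 -p udp -m udp --dport 3478 -m conntrack --ctstate NEW -j ACCEPT
# Gitea SSH
-A FORWARD -i eth0 -o wg0 -p tcp -m tcp --dport 22222 -m conntrack --ctstate NEW -j ACCEPT
COMMIT

#######################
# Rules for table NAT #
#######################
*nat

# Default policies for chains
:PREROUTING ACCEPT [3303:233473]
:INPUT ACCEPT [2173:121219]
:OUTPUT ACCEPT [851:52598]
:POSTROUTING ACCEPT [1807:110254]

# SNAT and DNAT for services on iota
# To make these rules valid you should allow new connections to the corresponding ports above

# Port forwarding for services
#
# Nginx
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 10.1.0.2
# Public 8223 -> iota 8222 (accepted by the Nginx FORWARD rule above)
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8223 -j DNAT --to-destination 10.1.0.2:8222
# SSH
# Public 8222 -> iota 22 (accepted by the SSH FORWARD rule above; this is iota's SSH,
# the gateway's own SSH stays on port 22 via the INPUT rule)
-A PREROUTING -i eth0 -p tcp -m tcp --dport 8222 -j DNAT --to-destination 10.1.0.2:22
# Ejabberd
-A PREROUTING -i eth0 -p tcp -m multiport --dports 5222,5223,5269,5280,5443,5349 -j DNAT --to-destination 10.1.0.2
-A PREROUTING -i eth0 -p udp -m udp --dport 3478 -j DNAT --to-destination 10.1.0.2
# Gitea SSH
-A PREROUTING -i eth0 -p tcp -m tcp --dport 22222 -j DNAT --to-destination 10.1.0.2

# For all traffic coming from the wg0 interface we rewrite the source IP with the IP of the gateway
# The public address is hard-coded; if eth0 ever gets a dynamic address, use -j MASQUERADE instead.
-A POSTROUTING -o eth0 -s 10.1.0.0/24 -j SNAT --to-source 45.89.228.240
COMMIT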