try to migrate to nix

This commit is contained in:
kp2pml30 2025-01-11 20:48:22 +04:00
parent f2f4ead62f
commit 94da1ce936
26 changed files with 830 additions and 181 deletions

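--- a/vps/iptables.erb
+++ b/vps/iptables.erb
@@ -0,0 +1,49 @@
+% # run it like this: `erb ports='[]' iptables.erb | iptables-restore`
+% # NOTE: it discards docker iptable rules
+*filter
+-N DOCKER-USER
+-N DOCKER-ISOLATION-STAGE-1
+# don't restrict output at all
+-A OUTPUT -j ACCEPT
+# allow all loopback
+-A INPUT -i lo -j ACCEPT
+-A FORWARD -i lo -j ACCEPT
+# allow all established
+-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+-A DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+# allow wireguard
+-A INPUT -i wg0 -j ACCEPT
+-A FORWARD -i wg0 -j ACCEPT
+-A DOCKER-USER -i wg0 -j ACCEPT
+# allow all docker
+-A DOCKER-USER -i docker0 -j DOCKER-ISOLATION-STAGE-1
+% require 'json'
+% prts = [22, 80, 443] + JSON.parse(ports)
+# apply it with `iptables-restore < ./iptables`
+# allow all loopback
+-A INPUT -i lo -j ACCEPT
+# custom ports
+% prts.each { |port|
+% ['tcp', 'udp'].each { |proto|
+-A FORWARD -p <%= proto %> --dport <%= port %> -j ACCEPT
+-A INPUT -p <%= proto %> --dport <%= port %> -j ACCEPT
+-A DOCKER-USER -p <%= proto %> -m conntrack --ctorigdstport <%= port %> --ctdir ORIGINAL -j ACCEPT
+% }
+% }
+%
+# disallow all other
+-A INPUT -j DROP
+-A FORWARD -j DROP
+-A DOCKER-USER -j DROP
+COMMIT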
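Review bot: The elements of `JSON.parse(ports)` are interpolated into the `--dport` and `--ctorigdstport` arguments without any check, so a non-integer or out-of-range element in the `ports` argument goes straight into the `iptables-restore` input; constrain them first, e.g. `prts = ([22, 80, 443] + JSON.parse(ports)).map { |p| Integer(p) }` followed by `raise ArgumentError, "port out of range" unless prts.all? { |p| (1..65535).cover?(p) }`. The loopback ACCEPT is emitted twice (`-A INPUT -i lo -j ACCEPT` appears under both "allow all loopback" comments), and the second one is preceded by `# apply it with \`iptables-restore < ./iptables\``, which contradicts the `erb ... | iptables-restore` instruction at the top of the template; drop the duplicate rule and the stale comment. The "allow all docker" comment looks misleading as far as I can tell from this file: `DOCKER-ISOLATION-STAGE-1` is declared here with no rules, so the jump to it returns immediately and docker0 traffic in DOCKER-USER falls through to the final `-A DOCKER-USER -j DROP` unless the conntrack rule matched it first; if the intent really is to permit it, `-A DOCKER-USER -i docker0 -j ACCEPT` states that explicitly, otherwise the comment should say what the jump is for.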