authorArun Isaac2025-09-24 01:13:57 +0100
committerArun Isaac2025-09-24 11:18:27 +0100
commit9a60032230e6f4d52871862893fd38f69af787c6 (patch)
treebe0bfde338e145bb96c88e2e18e14c03a56832ef /mugam-nftables-rules.conf
parent6da8c3e42df341478edaed1f81dee1f232703110 (diff)
downloadmachines-9a60032230e6f4d52871862893fd38f69af787c6.tar.gz
machines-9a60032230e6f4d52871862893fd38f69af787c6.tar.lz
machines-9a60032230e6f4d52871862893fd38f69af787c6.zip
Add mugam.
Diffstat (limited to 'mugam-nftables-rules.conf')
-rw-r--r--mugam-nftables-rules.conf39
1 files changed, 39 insertions, 0 deletions
diff --git a/mugam-nftables-rules.conf b/mugam-nftables-rules.conf
new file mode 100644
index 0000000..261a98b
--- /dev/null
+++ b/mugam-nftables-rules.conf
@@ -0,0 +1,39 @@
+table inet firewall {
+  chain input {
+    # Drop all traffic by default.
+    type filter hook input priority filter; policy drop;
+    # Allow traffic from established connections, drop invalid.
+    ct state vmap { established: accept, related: accept, invalid: drop }
+    # Allow ping.
+    icmp type echo-request accept
+    # Allow loopback traffic.
+    iifname lo accept
+    # Allow
+    # - ssh, http and https (for mugam itself)
+    # - mumble for ragulkanth (5033)
+    # - ssh for ragulkanth (10101)
+    tcp dport {ssh, http, https, 5033, 10101} accept
+    # Allow dns and wireguard.
+    udp dport {domain, 51820} accept
+  }
+}
+
+table ip nat {
+  chain prerouting {
+    type nat hook prerouting priority dstnat;
+    # Forward ports to various services.
+    # E-mail
+    iifname eth0 tcp dport smtp dnat to $hrrol:8025
+    iifname eth0 tcp dport pop3s dnat to $hrrol:8995
+    iifname eth0 tcp dport smtps dnat to $hrrol:8465
+    iifname eth0 tcp dport submission dnat to $hrrol:8587
+    # XMPP
+    iifname eth0 tcp dport {xmpp-client, xmpp-server} dnat to $hrrol
+  }
+  chain postrouting {
+    type nat hook postrouting priority srcnat;
+    # For all packets to and from the VPN and the WAN, replace source
+    # address with public IP of WAN interface.
+    oifname {eth0, wg0} masquerade
+  }
+}
\ No newline at end of file
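Review bot: The `inet firewall` table defines only an `input` chain, so the mail and XMPP flows that the nat `prerouting` chain DNATs to `$hrrol`, and anything routed between wg0 and eth0 before being masqueraded, cross the forward hook with no filter at all; `policy drop` on input does not apply to forwarded packets. A `forward` chain with the same drop-by-default posture that admits established/related flows, `ct status dnat` traffic and VPN-to-WAN traffic closes that gap (sketch below). Separately, `icmp type echo-request accept` matches IPv4 ICMP only, so if this host has IPv6 the drop policy also discards neighbour discovery; an `icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert, echo-request } accept` rule would be needed alongside it. `$hrrol` is not defined in this file, so it presumably comes from a `define` or an include elsewhere in the machine configuration.
```nftables
table inet firewall {
  # … unchanged: chain input …
  chain forward {
    # Drop forwarded traffic by default; only pass flows that were
    # explicitly DNAT'd in the nat table or that originate on the VPN.
    type filter hook forward priority filter; policy drop;
    ct state vmap { established: accept, related: accept, invalid: drop }
    ct status dnat accept
    iifname wg0 oifname eth0 accept
  }
}
```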