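*filter
# Strict defaults: anything not explicitly allowed on INPUT/FORWARD is dropped;
# the router's own outbound traffic is unrestricted.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# --- INPUT (traffic to the router itself) ---
# Loopback
-A INPUT -i lo -j ACCEPT
# Allow established/related back in ("-m state" is the legacy alias of this match)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop packets conntrack cannot classify (out-of-window TCP, stray ICMP errors)
# before any per-service accept below gets to see them
-A INPUT -m conntrack --ctstate INVALID -j DROP
# ICMP (ping) – accepted on every interface and for every ICMP type; tighten to
# "--icmp-type echo-request" plus "-m limit" if WAN-side ping floods become a concern
-A INPUT -p icmp -j ACCEPT
# SSH mgmt from LAN only – interface AND source must match, so a spoofed
# 192.168.1.x source arriving on eth0 never reaches this rule
-A INPUT -i eth1 -p tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
# (Optional) DHCP client on WAN – uncomment if this router gets IP by DHCP
# -A INPUT -i eth0 -p udp --dport 68 --sport 67 -j ACCEPT
# Log what is about to hit the DROP policy, rate-limited so a port scan cannot
# fill the log; grep the kernel log for the prefix when hunting probes
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-INPUT-DROP: " --log-level 4

# --- FORWARD (through the router) ---
# Always allow established/related
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
# Allow LAN -> anywhere
-A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
# WAN -> internal: allow ONLY the services you listed.
# These rules match the post-NETMAP destination (192.168.1.x) because
# nat/PREROUTING runs before filter/FORWARD.
# Everything below is reachable from the WAN: SMB (445), LDAP (389), WinRM (5985),
# MariaDB (3306), FTP (21) and SMTP (25) are high-value targets and several carry
# credentials in the clear. Keep this list as short as the scenario allows and
# watch the IPT-FORWARD-DROP log for probing of everything else.
#
# FTP (Metis, Zeus, Hera): only the control channel (21) needs a rule. Port 20 is
# the SOURCE port the server uses for active-mode data connections (server -> client,
# i.e. outbound), so an inbound "--dport 20" rule never matches and has been removed.
# Passive-mode data channels (client -> high port on the server) are admitted by the
# ESTABLISHED,RELATED rule above only while the FTP conntrack helper is active; on
# current kernels helpers are no longer auto-assigned, so load nf_conntrack_ftp and
# add a raw-table rule along the lines of:
#   *raw
#   -A PREROUTING -p tcp --dport 21 -j CT --helper ftp
#   COMMIT
# Metis (Flask, FTP)
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.4 --dport 5000 -j ACCEPT
# Hermes (WordPress)
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.5 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.5 --dport 443 -j ACCEPT
# Cortex (AD, DNS) – if the AD DNS server answers recursive queries for WAN
# clients this is an open resolver (amplification); restrict recursion to the
# LAN on the server itself, the firewall cannot tell the two apart.
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.35 --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -d 192.168.1.35 --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.35 --dport 389 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.35 --dport 445 -j ACCEPT
# Hippocampus (HTTP, SMB)
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.37 --dport 80 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.37 --dport 445 -j ACCEPT
# Axon (WinRM) – 5985 is WinRM over plain HTTP; prefer 5986 (HTTPS) if the
# scenario lets you close the other one
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.97 --dport 5985 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.97 --dport 5986 -j ACCEPT
# Zeus (MariaDB, FTP)
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.103 --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.103 --dport 3306 -j ACCEPT
# Cerebrum (HTTP)
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.109 --dport 80 -j ACCEPT
# Hera (FTP)
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.111 --dport 21 -j ACCEPT
# Mesencephalon (SMTP)
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.113 --dport 25 -j ACCEPT
# Athens (SSH)
-A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.1.173 --dport 22 -j ACCEPT
# Log forwarded traffic that is about to be dropped (rate-limited, see INPUT)
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT-FORWARD-DROP: " --log-level 4
COMMIT

*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Keep your existing NETMAP/masquerade (from your current router config)
# (These four RETURNs match what your screenshot showed – the router's own
# addresses are excluded from the 1:1 mapping)
-A PREROUTING -d 192.168.1.2 -j RETURN
-A PREROUTING -d 10.100.105.2 -j RETURN
-A PREROUTING -s 192.168.1.2 -j RETURN
-A PREROUTING -s 10.100.105.2 -j RETURN
# Map 10.100.105.0/24 <-> 192.168.1.0/24
-A PREROUTING -d 10.100.105.0/24 -j NETMAP --to 192.168.1.0/24
-A POSTROUTING -s 192.168.1.0/24 -j NETMAP --to 10.100.105.0/24
# Internet NAT
# NOTE(review): NETMAP is a terminating SNAT target, so every 192.168.1.0/24
# source leaving eth0 is already rewritten to 10.100.105.x by the rule above and
# never reaches MASQUERADE; this only applies to other sources. Fine if the
# upstream routes 10.100.105.0/24 back to this router – confirm that it does.
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT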