iptables --> nftables migrate

2025-01-03 14:37:19 +01:00 · 2025-01-03 14:37:19 +01:00 · db19e625ce
commit db19e625ce
parent 66b8f6f52f
1 changed files with 54 additions and 66 deletions
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@ -57,6 +57,55 @@
      enp0s21u1.useDHCP = true;
    };

+    nftables = {
+      enable = true;
+      tables = {
+        "multi-wan-routing" = {
+          family = "inet";
+          content = ''
+            chain PREROUTING {
+              type filter hook prerouting priority mangle; policy accept;
+              # Restore the packet's CONNMARK to the MARK for existing incoming connections
+              counter meta mark set ct mark
+              # If packet MARK is set, then it means that there is already a connection mark
+              meta mark != 0x00000000 counter accept
+              # Else, we need to mark the packet.
+              # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
+              iifname "bouygues" counter meta mark set 0x1
+              iifname "enp0s21u1" counter meta mark set 0x2
+              iifname "wg0" counter meta mark set 0x3
+              # Save new mark in CONNMARK
+              counter ct mark set mark
+            }
+
+            chain OUTPUT {
+              type route hook output priority mangle; policy accept;
+              # Restore CONNMARK to MARK for outgoing packets before final routing decision
+              counter meta mark set ct mark
+            }
+
+            chain POSTROUTING {
+              type filter hook postrouting priority mangle; policy accept;
+              # Save MARK to CONNMARK
+              counter ct mark set mark
+            }
+          '';
+        };
+
+        "redirect-external-to-local" = {
+          family = "ip";
+          content = ''
+            chain PREROUTING {
+              type nat hook prerouting priority dstnat; policy accept;
+              # Redirect local network request from server external IP to internal IP
+              # This allow access to server without internet access
+              ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1
+            }
+          '';
+        }
+      };
+    };
+
    firewall = {
      enable = true;
      allowedTCPPorts = [ 80 443 ];
@ -76,72 +125,11 @@
        ];
      };

-      extraCommands = ''
-
-        ################
-        # MANGLE rules #
-        ################
-
-        # Clean and recreate target
-        ip46tables -w -t mangle -D PREROUTING -j loutreos-mangle-pre 2>/dev/null || true
-        ip46tables -w -t mangle -F loutreos-mangle-pre 2>/dev/null || true
-        ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true
-        ip46tables -w -t mangle -N loutreos-mangle-pre
-
-        # Restore the packet's CONNMARK to the MARK for existing incoming connections
-        ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark
-
-        # Restore CONNMARK to MARK for outgoing packets before final routing decision
-        ip46tables -w -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null || true
-        ip46tables -w -t mangle -A OUTPUT -j CONNMARK --restore-mark
-
-
-        # If packet MARK is set, then it means that there is already a connection mark
-        ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT
-
-        # Else, we need to mark the packet.
-        # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
-        ip46tables -w -t mangle -A loutreos-mangle-pre -i bouygues -j MARK --set-mark 1
-        ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2
-        ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3
-
-        # Save new mark in CONNMARK
-        ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --save-mark
-
-        # Jump to newly created target 
-        ip46tables -w -t mangle -I PREROUTING 1 -j loutreos-mangle-pre
-
-        # Save MARK to CONNMARK.
-        ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true
-        ip46tables -w -t mangle -A POSTROUTING -j CONNMARK --save-mark
-
-        ######################
-        # IPv6 FORWARD rules #
-        ######################
-
-        # Forward all IPv6 traffic from local network and reject incoming traffic
-        ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
-        ip6tables -w -F loutreos-forward 2>/dev/null || true
-        ip6tables -w -X loutreos-forward 2>/dev/null || true
-        ip6tables -w -N loutreos-forward
-        ip6tables -w -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
-        ip6tables -w -A loutreos-forward -j ACCEPT -i eno2
-        ip6tables -w -A loutreos-forward -j nixos-fw-log-refuse
-        ip6tables -w -A FORWARD -j loutreos-forward
-
-        #############################################
-        # Enable server access when fiber link down #
-        #############################################
-
-        # Redirect local network request from server external IP to internal IP
-        iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 2>/dev/null || true
-        iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
-      '';
-
-      # remove refs to nixos-fw-log-refuse before restarting firewall
-      # prevents "ressource busy" errors
-      extraStopCommands = ''
-        ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
+      # Don't forward incoming IPv6 requests to local network
+      filterForward = true;
+      extraForwardRules = ''
+        # Forward all IPv6 traffic from local network
+        iifname "eno2" counter accept
      '';
    };
  };