From db19e625ce6f09e99e603deaa97751d990809847 Mon Sep 17 00:00:00 2001
From: nyanloutre
Date: Fri, 3 Jan 2025 14:37:19 +0100
Subject: [PATCH] iptables --> nftables migrate
---
 systems/LoutreOS/network.nix | 120 ++++++++++++++++------------------
 1 file changed, 54 insertions(+), 66 deletions(-)
diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix
index d96b7c1..8226144 100644
--- a/systems/LoutreOS/network.nix
+++ b/systems/LoutreOS/network.nix
@@ -57,6 +57,55 @@
 enp0s21u1.useDHCP = true;
 };
 
+ nftables = {
+ enable = true;
+ tables = {
+ "multi-wan-routing" = {
+ family = "inet";
+ content = ''
+ chain PREROUTING {
+ type filter hook prerouting priority mangle; policy accept;
+ # Restore the packet's CONNMARK to the MARK for existing incoming connections
+ counter meta mark set ct mark
+ # If packet MARK is set, then it means that there is already a connection mark
+ meta mark != 0x00000000 counter accept
+ # Else, we need to mark the packet.
+ # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
+ iifname "bouygues" counter meta mark set 0x1
+ iifname "enp0s21u1" counter meta mark set 0x2
+ iifname "wg0" counter meta mark set 0x3
+ # Save new mark in CONNMARK
+ counter ct mark set mark
+ }
+
+ chain OUTPUT {
+ type route hook output priority mangle; policy accept;
+ # Restore CONNMARK to MARK for outgoing packets before final routing decision
+ counter meta mark set ct mark
+ }
+
+ chain POSTROUTING {
+ type filter hook postrouting priority mangle; policy accept;
+ # Save MARK to CONNMARK
+ counter ct mark set mark
+ }
+ '';
+ };
+
+ "redirect-external-to-local" = {
+ family = "ip";
+ content = ''
+ chain PREROUTING {
+ type nat hook prerouting priority dstnat; policy accept;
+ # Redirect local network request from server external IP to internal IP
+ # This allow access to server without internet access
+ ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1
+ }
+ '';
+ }
+ };
+ };
+
 firewall = {
 enable = true;
 allowedTCPPorts = [ 80 443 ];
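Review bot: The closing brace of the `"redirect-external-to-local"` attribute set, the `}` right after its `'';`, has no trailing `;` as the patch reads here, and Nix requires one between bindings (the `"multi-wan-routing"` set above correctly ends with `};`); unless that is an artefact of how this page was rendered, the module will fail to evaluate and the line should read `+ };`. Separately, the `meta mark != 0x00000000 counter accept` rule deserves a comment, because `accept` in an nftables base chain only ends traversal of this table's chain: the NixOS firewall table's own prerouting/input chains still see the packet, so this is not a filtering bypass, and a future reader should not "fix" it. I would write `# accept only ends this chain (mark already restored); filtering still happens in the firewall table`. The enclosing attribute set starts before this hunk.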
@@ -76,72 +125,11 @@
 ];
 };
 
- extraCommands = ''
-
- ################
- # MANGLE rules #
- ################
-
- # Clean and recreate target
- ip46tables -w -t mangle -D PREROUTING -j loutreos-mangle-pre 2>/dev/null || true
- ip46tables -w -t mangle -F loutreos-mangle-pre 2>/dev/null || true
- ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true
- ip46tables -w -t mangle -N loutreos-mangle-pre
-
- # Restore the packet's CONNMARK to the MARK for existing incoming connections
- ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark
-
- # Restore CONNMARK to MARK for outgoing packets before final routing decision
- ip46tables -w -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null || true
- ip46tables -w -t mangle -A OUTPUT -j CONNMARK --restore-mark
-
-
- # If packet MARK is set, then it means that there is already a connection mark
- ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT
-
- # Else, we need to mark the packet.
- # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
- ip46tables -w -t mangle -A loutreos-mangle-pre -i bouygues -j MARK --set-mark 1
- ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2
- ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3
-
- # Save new mark in CONNMARK
- ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --save-mark
-
- # Jump to newly created target
- ip46tables -w -t mangle -I PREROUTING 1 -j loutreos-mangle-pre
-
- # Save MARK to CONNMARK.
- ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true
- ip46tables -w -t mangle -A POSTROUTING -j CONNMARK --save-mark
-
- ######################
- # IPv6 FORWARD rules #
- ######################
-
- # Forward all IPv6 traffic from local network and reject incoming traffic
- ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
- ip6tables -w -F loutreos-forward 2>/dev/null || true
- ip6tables -w -X loutreos-forward 2>/dev/null || true
- ip6tables -w -N loutreos-forward
- ip6tables -w -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
- ip6tables -w -A loutreos-forward -j ACCEPT -i eno2
- ip6tables -w -A loutreos-forward -j nixos-fw-log-refuse
- ip6tables -w -A FORWARD -j loutreos-forward
-
- #############################################
- # Enable server access when fiber link down #
- #############################################
-
- # Redirect local network request from server external IP to internal IP
- iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 2>/dev/null || true
- iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
- '';
-
- # remove refs to nixos-fw-log-refuse before restarting firewall
- # prevents "ressource busy" errors
- extraStopCommands = ''
- ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
+ # Don't forward incoming IPv6 requests to local network
+ filterForward = true;
+ extraForwardRules = ''
+ # Forward all IPv6 traffic from local network
+ iifname "eno2" counter accept
 '';
 };
 };
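Review bot: The comment `# Don't forward incoming IPv6 requests to local network` understates what `filterForward = true` does: the NixOS nftables forward chain lives in an `inet` table, so IPv4 forwarding that is neither established/related nor entering on `eno2` is now dropped as well, whereas the removed rules were `ip6tables`-only and left the IPv4 FORWARD path untouched. That is a sensible tightening, but any IPv4 DNAT port-forwards to LAN hosts configured outside this hunk (none are visible here) would now need a matching accept in `extraForwardRules`, so it is worth confirming before deploying. I would reword both comments to `# Forward chain is inet (v4+v6): only traffic from the LAN (eno2) or belonging to an established/related connection is forwarded`. The old chain also sent refused forwards to `nixos-fw-log-refuse`; whether the nftables forward chain logs its drops depends on the NixOS module, so if that visibility is still wanted append `counter log prefix "refused forward: "` as the last line of `extraForwardRules` (no verdict, so the chain's drop policy still applies). The enclosing `firewall` attribute set starts before this hunk.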