From db19e625ce6f09e99e603deaa97751d990809847 Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Fri, 3 Jan 2025 14:37:19 +0100 Subject: [PATCH 1/5] iptables --> nftables migrate --- systems/LoutreOS/network.nix | 120 ++++++++++++++++------------------- 1 file changed, 54 insertions(+), 66 deletions(-) diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix index d96b7c1..8226144 100644 --- a/systems/LoutreOS/network.nix +++ b/systems/LoutreOS/network.nix 
@@ -57,6 +57,55 @@ enp0s21u1.useDHCP = true; }; + nftables = { + enable = true; + tables = { + "multi-wan-routing" = { + family = "inet"; + content = '' + chain PREROUTING { + type filter hook prerouting priority mangle; policy accept; + # Restore the packet's CONNMARK to the MARK for existing incoming connections + counter meta mark set ct mark + # If packet MARK is set, then it means that there is already a connection mark + meta mark != 0x00000000 counter accept + # Else, we need to mark the packet. + # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3 + iifname "bouygues" counter meta mark set 0x1 + iifname "enp0s21u1" counter meta mark set 0x2 + iifname "wg0" counter meta mark set 0x3 + # Save new mark in CONNMARK + counter ct mark set mark + } + + chain OUTPUT { + type route hook output priority mangle; policy accept; + # Restore CONNMARK to MARK for outgoing packets before final routing decision + counter meta mark set ct mark + } + + chain POSTROUTING { + type filter hook postrouting priority mangle; policy accept; + # Save MARK to CONNMARK + counter ct mark set mark + } + ''; + }; + + "redirect-external-to-local" = { + family = "ip"; + content = '' + chain PREROUTING { + type nat hook prerouting priority dstnat; policy accept; + # Redirect local network request from server external IP to internal IP + # This allow access to server without internet access + ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1 + } + ''; + } + }; + }; + firewall = { enable = true; allowedTCPPorts = [ 80 443 ]; 
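Review bot: The DNAT rule in `redirect-external-to-local` hard-codes the WAN address `176.180.172.105`; if that address is not static, the redirect silently stops matching the next time it changes, so either derive it from a shared Nix binding or record the assumption next to the rule, e.g. `# NOTE: assumes the fiber WAN address is static; update if it changes`. The comment above it, `This allow access to server without internet access`, should read `This allows LAN clients to reach the server by its public address when the fiber link is down`. In the `PREROUTING` mangle chain, `accept` after `meta mark != 0x00000000` only ends evaluation of this base chain — later hooks (the `dstnat` chain and the firewall's filter chains) still see the packet, which matches the old `-j ACCEPT` in the iptables mangle table but is worth saying in the comment for readers who equate `accept` with bypassing the firewall.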
@@ -76,72 +125,11 @@ ]; }; - extraCommands = '' - - ################ - # MANGLE rules # - ################ - - # Clean and recreate target - ip46tables -w -t mangle -D PREROUTING -j loutreos-mangle-pre 2>/dev/null || true - ip46tables -w -t mangle -F loutreos-mangle-pre 2>/dev/null || true - ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true - ip46tables -w -t mangle -N loutreos-mangle-pre - - # Restore the packet's CONNMARK to the MARK for existing incoming connections - ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark - - # Restore CONNMARK to MARK for outgoing packets before final routing decision - ip46tables -w -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null || true - ip46tables -w -t mangle -A OUTPUT -j CONNMARK --restore-mark - - - # If packet MARK is set, then it means that there is already a connection mark - ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT - - # Else, we need to mark the packet. - # If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3 - ip46tables -w -t mangle -A loutreos-mangle-pre -i bouygues -j MARK --set-mark 1 - ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2 - ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3 - - # Save new mark in CONNMARK - ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --save-mark - - # Jump to newly created target - ip46tables -w -t mangle -I PREROUTING 1 -j loutreos-mangle-pre - - # Save MARK to CONNMARK. 
- ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true - ip46tables -w -t mangle -A POSTROUTING -j CONNMARK --save-mark - - ###################### - # IPv6 FORWARD rules # - ###################### - - # Forward all IPv6 traffic from local network and reject incoming traffic - ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true - ip6tables -w -F loutreos-forward 2>/dev/null || true - ip6tables -w -X loutreos-forward 2>/dev/null || true - ip6tables -w -N loutreos-forward - ip6tables -w -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT - ip6tables -w -A loutreos-forward -j ACCEPT -i eno2 - ip6tables -w -A loutreos-forward -j nixos-fw-log-refuse - ip6tables -w -A FORWARD -j loutreos-forward - - ############################################# - # Enable server access when fiber link down # - ############################################# - - # Redirect local network request from server external IP to internal IP - iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 2>/dev/null || true - iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 - ''; - - # remove refs to nixos-fw-log-refuse before restarting firewall - # prevents "ressource busy" errors - extraStopCommands = '' - ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true + # Don't forward incoming IPv6 requests to local network + filterForward = true; + extraForwardRules = '' + # Forward all IPv6 traffic from local network + iifname "eno2" counter accept ''; }; }; From 7f461268da7e1003236826f0319de17feaabf8d1 Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Fri, 3 Jan 2025 14:56:07 +0100 Subject: [PATCH 2/5] Only forward IPv6 traffic --- systems/LoutreOS/network.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix index 8226144..95c0c82 100644 --- a/systems/LoutreOS/network.nix 
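Review bot: The removed ip6tables FORWARD chain ended with `-j nixos-fw-log-refuse`, so refused forwards were logged; the replacement relies on the NixOS nftables forward chain's default drop when `filterForward = true`, and nothing in this hunk shows that dropped forwards are still logged. If that visibility matters (debugging a blocked LAN host, or spotting inbound probes that reach the forward path), confirm the generated forward chain logs drops or append an explicit `counter log prefix "refused forward: " drop` to `extraForwardRules`. The comment `# Don't forward incoming IPv6 requests to local network` sits on `filterForward = true`, which enables forward filtering for both address families in the inet table, not just IPv6; `# Filter the forward chain (default drop); only the LAN-originated traffic accepted below gets through` describes the option more accurately.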
+++ b/systems/LoutreOS/network.nix @@ -129,7 +129,7 @@ filterForward = true; extraForwardRules = '' # Forward all IPv6 traffic from local network - iifname "eno2" counter accept + meta nfproto ipv6 iifname "eno2" counter accept ''; }; }; From 4c353f949edb4f7d080be61b12c40d2c6fb5c171 Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Mon, 6 Jan 2025 15:44:21 +0100 Subject: [PATCH 3/5] fix typo --- systems/LoutreOS/network.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix index 95c0c82..8a38d56 100644 --- a/systems/LoutreOS/network.nix +++ b/systems/LoutreOS/network.nix @@ -102,7 +102,7 @@ ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1 } ''; - } + }; }; }; From ea8e9a14bc74a41b714a07168a1b2d5903a45b24 Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Tue, 7 Jan 2025 16:00:26 +0100 Subject: [PATCH 4/5] do not remove systemd and f2b rules on reload --- systems/LoutreOS/network.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix index 8a38d56..2363067 100644 --- a/systems/LoutreOS/network.nix +++ b/systems/LoutreOS/network.nix @@ -59,6 +59,7 @@ nftables = { enable = true; + flushRuleset = false; tables = { "multi-wan-routing" = { family = "inet"; From f10ac3078ea9cfc29f0c1e5bd56680d94a7feb81 Mon Sep 17 00:00:00 2001 From: nyanloutre Date: Tue, 7 Jan 2025 16:00:50 +0100 Subject: [PATCH 5/5] allow ipv4 forwarding needed by NAT --- systems/LoutreOS/network.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/systems/LoutreOS/network.nix b/systems/LoutreOS/network.nix index 2363067..a53f677 100644 --- a/systems/LoutreOS/network.nix +++ b/systems/LoutreOS/network.nix @@ -130,7 +130,7 @@ filterForward = true; extraForwardRules = '' # Forward all IPv6 traffic from local network - meta nfproto ipv6 iifname "eno2" counter accept + iifname "eno2" counter accept ''; }; };
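Review bot: `flushRuleset = false;` also keeps any table this configuration no longer declares: renaming or removing `multi-wan-routing` or `redirect-external-to-local` leaves the old table loaded until reboot or a manual `nft delete table`, so stale routing marks or a stale DNAT could keep acting without appearing in the config. Worth capturing the trade-off next to the option, e.g. `# Keep tables owned by other services (systemd, fail2ban); tables removed from this config are NOT cleaned up until reboot`. Also confirm that the NixOS nftables module re-declares and deletes the tables it owns atomically when flushing is off, so a reload does not duplicate rules in them.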
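Review bot: With `meta nfproto ipv6` dropped, the rule now accepts every forwarded IPv4 packet from `eno2` as well, but the comment above it still says `Forward all IPv6 traffic from local network`; update it to match, e.g. `# Forward all traffic from the local network (IPv4 needed for the NAT redirect, IPv6 routed natively)`. If the only IPv4 forwarding this host needs is the hairpin DNAT from `redirect-external-to-local`, a narrower pair keeps least privilege: keep `meta nfproto ipv6 iifname "eno2" counter accept` and add `iifname "eno2" ip daddr 10.30.0.1 counter accept` (the forward hook sees the post-DNAT destination) rather than the blanket accept. If LAN clients use this host as their IPv4 default gateway, the blanket rule is what you want and the comment should say so explicitly.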