nyanloutre/nixos-config
1
1
Fork 1
Code Issues Pull Requests Releases Wiki Activity

Compare commits

base: nyanloutre:f10ac3078ea9cfc29f0c1e5bd56680d94a7feb81
Branches Tags
nyanloutre:master
..
compare: nyanloutre:66b8f6f52f457885c1074df49bd7d164520d6de3
Branches Tags
nyanloutre:master

No commits in common. "f10ac3078ea9cfc29f0c1e5bd56680d94a7feb81" and "66b8f6f52f457885c1074df49bd7d164520d6de3" have entirely different histories.
f10ac3078e ... 66b8f6f52f

1 changed files with 66 additions and 55 deletions
Show Stats Expand all files Collapse all files

121
systems/LoutreOS/network.nix
View File

@ -57,56 +57,6 @@
enp0s21u1.useDHCP = true; enp0s21u1.useDHCP = true;
}; };
nftables = {
enable = true;
flushRuleset = false;
tables = {
"multi-wan-routing" = {
family = "inet";
content = ''
chain PREROUTING {
type filter hook prerouting priority mangle; policy accept;
# Restore the packet's CONNMARK to the MARK for existing incoming connections
counter meta mark set ct mark
# If packet MARK is set, then it means that there is already a connection mark
meta mark != 0x00000000 counter accept
# Else, we need to mark the packet.
# If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
iifname "bouygues" counter meta mark set 0x1
iifname "enp0s21u1" counter meta mark set 0x2
iifname "wg0" counter meta mark set 0x3
# Save new mark in CONNMARK
counter ct mark set mark
}
chain OUTPUT {
type route hook output priority mangle; policy accept;
# Restore CONNMARK to MARK for outgoing packets before final routing decision
counter meta mark set ct mark
}
chain POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
# Save MARK to CONNMARK
counter ct mark set mark
}
'';
};
"redirect-external-to-local" = {
family = "ip";
content = ''
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
# Redirect local network request from server external IP to internal IP
# This allow access to server without internet access
ip saddr 10.30.0.0/16 ip daddr 176.180.172.105 counter dnat to 10.30.0.1
}
'';
};
};
};
firewall = { firewall = {
enable = true; enable = true;
allowedTCPPorts = [ 80 443 ]; allowedTCPPorts = [ 80 443 ];
@ -126,11 +76,72 @@
]; ];
}; };
# Don't forward incoming IPv6 requests to local network extraCommands = ''
filterForward = true;
extraForwardRules = '' ################
# Forward all IPv6 traffic from local network # MANGLE rules #
iifname "eno2" counter accept ################
# Clean and recreate target
ip46tables -w -t mangle -D PREROUTING -j loutreos-mangle-pre 2>/dev/null || true
ip46tables -w -t mangle -F loutreos-mangle-pre 2>/dev/null || true
ip46tables -w -t mangle -X loutreos-mangle-pre 2>/dev/null || true
ip46tables -w -t mangle -N loutreos-mangle-pre
# Restore the packet's CONNMARK to the MARK for existing incoming connections
ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --restore-mark
# Restore CONNMARK to MARK for outgoing packets before final routing decision
ip46tables -w -t mangle -D OUTPUT -j CONNMARK --restore-mark 2>/dev/null || true
ip46tables -w -t mangle -A OUTPUT -j CONNMARK --restore-mark
# If packet MARK is set, then it means that there is already a connection mark
ip46tables -w -t mangle -A loutreos-mangle-pre -m mark ! --mark 0 -j ACCEPT
# Else, we need to mark the packet.
# If the packet is incoming on bouygues then set MARK to 1, LTE MARK 2 and VPN MARK 3
ip46tables -w -t mangle -A loutreos-mangle-pre -i bouygues -j MARK --set-mark 1
ip46tables -w -t mangle -A loutreos-mangle-pre -i enp0s21u1 -j MARK --set-mark 2
ip46tables -w -t mangle -A loutreos-mangle-pre -i wg0 -j MARK --set-mark 3
# Save new mark in CONNMARK
ip46tables -w -t mangle -A loutreos-mangle-pre -j CONNMARK --save-mark
# Jump to newly created target
ip46tables -w -t mangle -I PREROUTING 1 -j loutreos-mangle-pre
# Save MARK to CONNMARK.
ip46tables -w -t mangle -D POSTROUTING -j CONNMARK --save-mark 2>/dev/null || true
ip46tables -w -t mangle -A POSTROUTING -j CONNMARK --save-mark
######################
# IPv6 FORWARD rules #
######################
# Forward all IPv6 traffic from local network and reject incoming traffic
ip6tables -w -D FORWARD -j loutreos-forward 2>/dev/null || true
ip6tables -w -F loutreos-forward 2>/dev/null || true
ip6tables -w -X loutreos-forward 2>/dev/null || true
ip6tables -w -N loutreos-forward
ip6tables -w -A loutreos-forward -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -w -A loutreos-forward -j ACCEPT -i eno2
ip6tables -w -A loutreos-forward -j nixos-fw-log-refuse
ip6tables -w -A FORWARD -j loutreos-forward
#############################################
# Enable server access when fiber link down #
#############################################
# Redirect local network request from server external IP to internal IP
iptables -t nat -D PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1 2>/dev/null || true
iptables -t nat -A PREROUTING -s 10.30.0.0/16 -d 176.180.172.105 -j DNAT --to 10.30.0.1
'';
# remove refs to nixos-fw-log-refuse before restarting firewall
# prevents "ressource busy" errors
extraStopCommands = ''
ip6tables -D loutreos-forward -j nixos-fw-log-refuse 2>/dev/null || true
''; '';
}; };
}; };