diff options
| author | Kjetil Orbekk <kj@orbekk.com> | 2023-02-26 17:19:56 -0500 |
|---|---|---|
| committer | Kjetil Orbekk <kj@orbekk.com> | 2023-02-26 17:19:56 -0500 |
| commit | d7e7271306957131ed42f2ede04038d745468fd3 (patch) | |
| tree | d4dfc5dca1b51053bf0e2f15f925c0482ef89d1c | |
| parent | 71514f067bfb999b5b5712d2b5f6a3184c3505c0 (diff) | |
router config
| -rw-r--r-- | modules/router.nix | 46 | ||||
| -rwxr-xr-x | tools/update-dns.sh | 4 |
2 files changed, 43 insertions, 7 deletions
diff --git a/modules/router.nix b/modules/router.nix index d49d433..95d5d75 100644 --- a/modules/router.nix +++ b/modules/router.nix @@ -7,6 +7,9 @@ let mullvadMark = 2; heMark = 1; + mullvadPort = config.orbekk.mullvad.listenPort; + vpnPort = config.orbekk.vpn.listenPort; + router-netns-up = pkgs.writeScript "router-netns-up" '' #!${pkgs.bash}/bin/bash ip netns add router @@ -33,10 +36,11 @@ let environment.systemPackages = with pkgs; [ tcpdump ]; virtualisation.vswitch.enable = true; - virtualisation.vswitch.resetOnStart = true; + virtualisation.vswitch.resetOnStart = false; networking.vswitches.kjlan = { interfaces.wan-vport = { vlan = 10; type = "internal"; }; interfaces.lan-vport = { vlan = 100; type = "internal"; }; + interfaces.vpnlan-vport = { vlan = 30; type = "internal"; }; interfaces.servers-vport = { vlan = 20; type = "internal"; }; interfaces.admin-vport = { vlan = 255; type = "internal"; }; interfaces.dragon-vport = { vlan = 20; }; @@ -54,6 +58,7 @@ let }; networking.interfaces.lan-vport = { ipv4.addresses = [{address = "172.20.100.1"; prefixLength = 24;}]; + ipv6.addresses = [{address = "2001:470:8e2e:100::1"; prefixLength = 64;}]; }; networking.interfaces.servers-vport = { ipv4.addresses = [{address = "172.20.20.1"; prefixLength = 24;}]; @@ -114,7 +119,7 @@ let dhcp-range=tag:servers-vport,172.20.20.10,172.20.20.254,5m dhcp-option=tag:servers-vport,option:router,172.20.20.1 dhcp-option=tag:servers-vport,option:dns-server,172.20.20.1 - dhcp-range=tag:servers-vport,::2,::1000,constructor:servers-vport,2h + dhcp-range=tag:servers-vport,::2,::1000,constructor:servers-vport dhcp-host=id:dragon,tag:servers-vport,172.20.20.2 dhcp-host=id:00:01:00:01:21:a2:4e:a8:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d] # dhcp-host=id:dragon,::d @@ -122,6 +127,7 @@ let dhcp-range=tag:lan-vport,172.20.100.10,172.20.100.254,5m dhcp-option=tag:lan-vport,option:router,172.20.100.1 dhcp-option=tag:lan-vport,option:dns-server,172.20.100.1 + dhcp-range=tag:lan-vport,::2,::1000,constructor:lan-vport,ra-only ''; }; @@ -139,12 +145,19 @@ let networking.firewall.enable = false; systemd.services.nftables.before = mkForce ["network.target"]; systemd.services.nftables.after = ["kjlan-netdev.service"]; - systemd.services.nftables.wantedBy = ["network.target"]; + systemd.services.nftables.wantedBy = mkForce ["network.target"]; networking.nftables.enable = true; networking.nftables.ruleset = let ports-to-csv = ports: concatStringsSep "," (map toString ports); in '' + define SERVER_WAN_PORTS = { + ssh, domain, http, https, + ${toString mullvadPort}, ${toString vpnPort} + } + define SERVER_LAN_PORTS = { + tftp, 139, 445, 137, 138 + } table inet filter { chain input { type filter hook input priority 0 @@ -171,9 +184,15 @@ let chain forward { type filter hook forward priority 0; policy drop + ip protocol icmp limit rate 4/second counter accept comment "icmp v4" + ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types" + ct state vmap { established : accept, related : accept, invalid : drop } + oif he0 counter accept + oif wan-vport counter accept - iif lan-vport counter accept + oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept + iif lan-vport oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept iif servers-vport counter accept counter drop @@ -183,7 +202,7 @@ let table inet mangle { chain prerouting { type filter hook prerouting priority -150 - ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1 + # ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1 ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark} } } @@ -235,6 +254,7 @@ in { requires = ["router-netns.service"]; wantedBy = ["network.target"]; }; + systemd.services.dhcpcd.partOf = ["container@router.service"]; containers.router = { autoStart = true; @@ -250,5 +270,21 @@ in { }; # FIXME: Workaround for ddclient.conf not being available to ddclient. systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false; + + systemd.timers.update-dynamic-dns = { + wantedBy = ["multi-user.target"]; + timerConfig = { + Persistent = true; + OnBootSec = "5m"; + OnUnitActiveSec = "5m"; + }; + }; + systemd.services.update-dynamic-dns = { + description = "Update dynamic dns records"; + after = ["container@router.target"]; + path = with pkgs; [ bash dnsutils nettools gawk iproute curl ]; + startLimitIntervalSec = 5; + script = toString ../tools/update-dns.sh; + }; }; } diff --git a/tools/update-dns.sh b/tools/update-dns.sh index a08ac26..f4f08e6 100755 --- a/tools/update-dns.sh +++ b/tools/update-dns.sh @@ -1,5 +1,5 @@ keyfile=/opt/secret/bind/dynamic.orbekk.com/update/named.conf.key -INTERFACE=bond0.10 +INTERFACE=wan-vport update() { local type="$1" @@ -18,7 +18,7 @@ update() { } | nsupdate -v -k "$keyfile" } -ip_4="$(ip -br -4 addr list dev ${INTERFACE} | awk -F' *|/' '{print $3}')" +ip_4="$(ip netns exec router ip -br -4 addr list dev ${INTERFACE} | awk -F' *|/' '{print $3}')" if [[ -n "$ip_4" ]]; then update A $(hostname).dynamic.orbekk.com $ip_4 fi |