authorKjetil Orbekk <kj@orbekk.com>2023-02-26 17:19:56 -0500
committerKjetil Orbekk <kj@orbekk.com>2023-02-26 17:19:56 -0500
commitd7e7271306957131ed42f2ede04038d745468fd3 (patch)
treed4dfc5dca1b51053bf0e2f15f925c0482ef89d1c
parent71514f067bfb999b5b5712d2b5f6a3184c3505c0 (diff)
router config
-rw-r--r--modules/router.nix46
-rwxr-xr-xtools/update-dns.sh4
2 files changed, 43 insertions, 7 deletions
diff --git a/modules/router.nix b/modules/router.nix
index d49d433..95d5d75 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -7,6 +7,9 @@ let
mullvadMark = 2;
heMark = 1;
+ mullvadPort = config.orbekk.mullvad.listenPort;
+ vpnPort = config.orbekk.vpn.listenPort;
+
router-netns-up = pkgs.writeScript "router-netns-up" ''
#!${pkgs.bash}/bin/bash
ip netns add router
@@ -33,10 +36,11 @@ let
environment.systemPackages = with pkgs; [ tcpdump ];
virtualisation.vswitch.enable = true;
- virtualisation.vswitch.resetOnStart = true;
+ virtualisation.vswitch.resetOnStart = false;
networking.vswitches.kjlan = {
interfaces.wan-vport = { vlan = 10; type = "internal"; };
interfaces.lan-vport = { vlan = 100; type = "internal"; };
+ interfaces.vpnlan-vport = { vlan = 30; type = "internal"; };
interfaces.servers-vport = { vlan = 20; type = "internal"; };
interfaces.admin-vport = { vlan = 255; type = "internal"; };
interfaces.dragon-vport = { vlan = 20; };
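Review bot: The new `vpnlan-vport` (vlan 30) gets a switch port here, but nothing in this diff assigns it an address or names it as an ingress interface in the forward chain, so its traffic is governed only by the output-interface accepts added further down (`oif he0`, `oif wan-vport`, `oif servers-vport ... $SERVER_WAN_PORTS`). If that is the intended policy, say so on the interface line, e.g. `interfaces.vpnlan-vport = { vlan = 30; type = "internal"; }; # VPN clients: no iif rule, reaches WAN and server ports via oif rules`. Separately, `resetOnStart = false` means bridges and ports removed from this file will persist in the OVS database until deleted by hand, which deserves a one-line comment next to it.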
@@ -54,6 +58,7 @@ let
};
networking.interfaces.lan-vport = {
ipv4.addresses = [{address = "172.20.100.1"; prefixLength = 24;}];
+ ipv6.addresses = [{address = "2001:470:8e2e:100::1"; prefixLength = 64;}];
};
networking.interfaces.servers-vport = {
ipv4.addresses = [{address = "172.20.20.1"; prefixLength = 24;}];
@@ -114,7 +119,7 @@ let
dhcp-range=tag:servers-vport,172.20.20.10,172.20.20.254,5m
dhcp-option=tag:servers-vport,option:router,172.20.20.1
dhcp-option=tag:servers-vport,option:dns-server,172.20.20.1
- dhcp-range=tag:servers-vport,::2,::1000,constructor:servers-vport,2h
+ dhcp-range=tag:servers-vport,::2,::1000,constructor:servers-vport
dhcp-host=id:dragon,tag:servers-vport,172.20.20.2
dhcp-host=id:00:01:00:01:21:a2:4e:a8:d0:bf:9c:45:a6:ec,tag:servers-vport,[::d]
# dhcp-host=id:dragon,::d
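Review bot: Dropping the trailing `2h` from the servers-vport IPv6 dhcp-range changes the lease time rather than just removing a field, because dnsmasq falls back to its default lease, which for DHCPv6 is considerably longer than the 2h that was configured (one day, as I read the dnsmasq manual). If a short lease is still wanted to track hosts moving between VLANs, keep an explicit value such as `dhcp-range=tag:servers-vport,::2,::1000,constructor:servers-vport,2h`; otherwise a brief comment above the line stating that the default lease is intended would avoid the question on the next read.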
@@ -122,6 +127,7 @@ let
dhcp-range=tag:lan-vport,172.20.100.10,172.20.100.254,5m
dhcp-option=tag:lan-vport,option:router,172.20.100.1
dhcp-option=tag:lan-vport,option:dns-server,172.20.100.1
+ dhcp-range=tag:lan-vport,::2,::1000,constructor:lan-vport,ra-only
'';
};
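Review bot: `ra-only` tells dnsmasq to only send router advertisements for this subnet and not hand out DHCPv6 addresses, so the `::2,::1000` range on the new lan-vport line is not used for assignment and reads as if stateful DHCPv6 were in effect. The conventional form `dhcp-range=tag:lan-vport,::,constructor:lan-vport,ra-only` makes the SLAAC-only intent explicit; if the range was left in deliberately for a later switch to stateful mode, a comment saying so would help.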
@@ -139,12 +145,19 @@ let
networking.firewall.enable = false;
systemd.services.nftables.before = mkForce ["network.target"];
systemd.services.nftables.after = ["kjlan-netdev.service"];
- systemd.services.nftables.wantedBy = ["network.target"];
+ systemd.services.nftables.wantedBy = mkForce ["network.target"];
networking.nftables.enable = true;
networking.nftables.ruleset =
let
ports-to-csv = ports: concatStringsSep "," (map toString ports);
in ''
+ define SERVER_WAN_PORTS = {
+ ssh, domain, http, https,
+ ${toString mullvadPort}, ${toString vpnPort}
+ }
+ define SERVER_LAN_PORTS = {
+ tftp, 139, 445, 137, 138
+ }
table inet filter {
chain input {
type filter hook input priority 0
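Review bot: `SERVER_WAN_PORTS` is assembled from two independently configured options, and if `config.orbekk.mullvad.listenPort` and `config.orbekk.vpn.listenPort` are ever set to the same value the set literal contains a duplicate element, which nft may refuse at ruleset load; since `nftables.service` is forced before `network.target`, a load failure at boot would leave the router without this ruleset. A guard at the `let` where the ports are defined (that `let` is at the top of the file, outside this hunk), e.g. `assert mullvadPort != vpnPort;` before its `in`, turns that into an evaluation-time error. Each define also deserves a one-line comment naming where it is consumed, since the name suggests WAN-only use while the forward rule below applies it to every ingress interface, e.g. `# ports reachable on servers-vport from any interface (see chain forward)`.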
@@ -171,9 +184,15 @@ let
chain forward {
type filter hook forward priority 0; policy drop
+ ip protocol icmp limit rate 4/second counter accept comment "icmp v4"
+ ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types"
+
ct state vmap { established : accept, related : accept, invalid : drop }
+ oif he0 counter accept
+ oif wan-vport counter accept
- iif lan-vport counter accept
+ oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_WAN_PORTS counter accept
+ iif lan-vport oif servers-vport meta l4proto {tcp, udp} th dport $SERVER_LAN_PORTS counter accept
iif servers-vport counter accept
counter drop
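Review bot: `ip6 nexthdr ipv6-icmp` on the new forward rule matches only when ICMPv6 directly follows the base IPv6 header, so a packet carrying an extension header (fragment, hop-by-hop) is not matched here, is not an established flow, and falls through to `counter drop`; `meta l4proto ipv6-icmp limit rate 4/second counter accept comment "ICMPv6, rate limited"` walks the extension headers and is the form to use. The `limit rate 4/second` also throttles packet-too-big and time-exceeded, which path MTU discovery depends on if `he0` is a tunnel with a reduced MTU, so either exempt those types with `icmpv6 type { packet-too-big, time-exceeded } counter accept` ahead of the limited rule or accept that cost knowingly; in any case the existing comment `"accept all ICMP types"` no longer describes a rate-limited rule. Note also that `oif he0` and `oif wan-vport counter accept` admit forwarded traffic from every internal interface, including the new vpnlan-vport, and that the `oif servers-vport ... $SERVER_WAN_PORTS` rule carries no `iif`, so the same server ports are reachable from LAN and VPN clients as from WAN; a comment stating that this is intended would keep the next reader from treating it as an omission. The chain's closing brace lies outside this hunk.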
@@ -183,7 +202,7 @@ let
table inet mangle {
chain prerouting {
type filter hook prerouting priority -150
- ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1
+ # ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta nftrace set 1
ip6 saddr 2001:470:8e2e::/48 ip6 daddr != 2001:470:8e2e::/48 ip6 daddr != fe80::/64 meta mark set ${toString heMark}
}
}
@@ -235,6 +254,7 @@ in {
requires = ["router-netns.service"];
wantedBy = ["network.target"];
};
+ systemd.services.dhcpcd.partOf = ["container@router.service"];
containers.router = {
autoStart = true;
@@ -250,5 +270,21 @@ in {
};
# FIXME: Workaround for ddclient.conf not being available to ddclient.
systemd.services.ddclient.serviceConfig.DynamicUser = lib.mkForce false;
+
+ systemd.timers.update-dynamic-dns = {
+ wantedBy = ["multi-user.target"];
+ timerConfig = {
+ Persistent = true;
+ OnBootSec = "5m";
+ OnUnitActiveSec = "5m";
+ };
+ };
+ systemd.services.update-dynamic-dns = {
+ description = "Update dynamic dns records";
+ after = ["container@router.target"];
+ path = with pkgs; [ bash dnsutils nettools gawk iproute curl ];
+ startLimitIntervalSec = 5;
+ script = toString ../tools/update-dns.sh;
+ };
};
}
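Review bot: `after = ["container@router.target"]` names a unit that appears nowhere else in this diff, whereas the container unit referenced in the earlier hunk is `container@router.service`; systemd ignores ordering against a unit that does not exist, so the new service is not actually ordered after the container and its first run may find the `router` netns missing. Change it to `after = ["container@router.service"];` and, if the script should not run at all without the container, add `requisite = ["container@router.service"];` as well. `script = toString ../tools/update-dns.sh;` also makes the unit body a bare path string: when the module is evaluated from a plain checkout rather than a store copy, `toString` on a path does not copy the file into the store, so the deployed unit executes whatever sits at that path at run time; `script = builtins.readFile ../tools/update-dns.sh;` pins the script contents into the closure. Since no `User` is set the unit presumably runs as root and the script reads the bind update key named at the top of update-dns.sh, so pinning it also removes a mutable on-disk input to a privileged unit.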
diff --git a/tools/update-dns.sh b/tools/update-dns.sh
index a08ac26..f4f08e6 100755
--- a/tools/update-dns.sh
+++ b/tools/update-dns.sh
@@ -1,5 +1,5 @@
keyfile=/opt/secret/bind/dynamic.orbekk.com/update/named.conf.key
-INTERFACE=bond0.10
+INTERFACE=wan-vport
update() {
local type="$1"
@@ -18,7 +18,7 @@ update() {
} | nsupdate -v -k "$keyfile"
}
-ip_4="$(ip -br -4 addr list dev ${INTERFACE} | awk -F' *|/' '{print $3}')"
+ip_4="$(ip netns exec router ip -br -4 addr list dev ${INTERFACE} | awk -F' *|/' '{print $3}')"
if [[ -n "$ip_4" ]]; then
update A $(hostname).dynamic.orbekk.com $ip_4
fi
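Review bot: The call `update A $(hostname).dynamic.orbekk.com $ip_4` leaves both arguments unquoted, so any unexpected output from the pipeline above is word-split into extra positional parameters for `update` instead of producing one malformed record that nsupdate would reject; quote them as `update A "$(hostname).dynamic.orbekk.com" "$ip_4"`. It would also help to note above the changed line why the script must run privileged, e.g. `# ip netns exec needs CAP_SYS_ADMIN, so this unit cannot use DynamicUser`, since that constraint is what ties this script to the root-run update-dynamic-dns service in router.nix. The `update` function starts before this hunk, and anything after the `fi` (an AAAA counterpart, if one exists) is outside it as well.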