author | Kjetil Orbekk <kj@orbekk.com> | 2021-08-05 07:49:54 -0400 |
committer | Kjetil Orbekk <kj@orbekk.com> | 2021-08-05 07:49:54 -0400 |
commit | 5090ff74457746ffe7817f924d2dbfe5e07ba61d (patch) | |
tree | 5a2d3f29d5b33189e6854bfd589210d8dbb7b0ce /config/router.nix | |
parent | 869b70ed4d655c1c8df0798a1e5ecb3d4631a03f (diff) |
firewall
Diffstat (limited to 'config/router.nix')
-rw-r--r-- | config/router.nix | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/config/router.nix b/config/router.nix
index 8e73d8b..5513176 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -69,6 +69,14 @@ in {
 @def $DEV_WAN = (${wan-dev} he0 mullvad nycmesh);
 @def $NET_LAN = (10.0.0.0/8 172.20.0.0/16);
+ # Forward dns queries to dnsmasq on LAN interfaces.
+ domain (ip ip6) table nat chain PREROUTING {
+ interface ($DEV_LAN $DEV_UNTRUSTED_LAN) daddr $NET_LAN proto (tcp udp) dport 53 DNAT to localhost:2053
+ }
+ domain (ip ip6) table filter chain FORWARD {
+ interface ($DEV_LAN $DEV_UNTRUSTED_LAN) outerface lo proto (tcp udp) dport 2053 ACCEPT;
+ }
+ domain (ip ip6) table filter {
 chain INPUT {
 policy DROP;
@@ -217,8 +225,11 @@ in {
 services.dnsmasq = {
 enable = true;
 servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
+ resolveLocalQueries = false;
 extraConfig = ''
 port=2053
+ no-resolv
+ dhcp-authoritative
 dhcp-range=vlan30,172.20.30.50,172.20.30.254,5m |
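Review bot: After the PREROUTING `DNAT to localhost:2053`, the redirected queries are destined for a local address and therefore traverse INPUT, not FORWARD, so the added `table filter chain FORWARD ... outerface lo ... dport 2053 ACCEPT;` rule will not match them; the INPUT chain shown below with `policy DROP` (its body continues outside this hunk) is where `interface ($DEV_LAN $DEV_UNTRUSTED_LAN) proto (tcp udp) dport 2053 ACCEPT;` needs to live, unless an existing INPUT rule already covers it. A DNAT to a loopback address for packets arriving on a non-loopback interface is additionally discarded by the Linux kernel unless `net.ipv4.conf.<lan-if>.route_localnet=1` is set per LAN interface, and enabling that exposes every loopback-bound service on the router to those interfaces, so a DNAT to the router's own LAN address (or a `REDIRECT to-ports 2053;`) is the safer form; the IPv6 half of the `(ip ip6)` domain has no equivalent sysctl and likely cannot work with `::1` at all. The match `daddr $NET_LAN` only intercepts queries addressed to LAN hosts, so a client that hard-codes a public resolver bypasses dnsmasq entirely; if that is intended, the comment should say so, e.g. `# Redirect DNS queries addressed to LAN hosts to dnsmasq (:2053); queries to public resolvers are not intercepted.` The DNAT rule also lacks the terminating `;` that its sibling ACCEPT rule carries; ferm may tolerate this before `}`, but the two rules should be written consistently.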