firewall

author: Kjetil Orbekk <kj@orbekk.com> 2021-08-05 07:49:54 -0400
committer: Kjetil Orbekk <kj@orbekk.com> 2021-08-05 07:49:54 -0400
commit: 5090ff74457746ffe7817f924d2dbfe5e07ba61d (patch)
tree: 5a2d3f29d5b33189e6854bfd589210d8dbb7b0ce /config
parent: 869b70ed4d655c1c8df0798a1e5ecb3d4631a03f (diff)
1 files changed, 11 insertions, 0 deletions
diff --git a/config/router.nix b/config/router.nix
index 8e73d8b..5513176 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -69,6 +69,14 @@ in {
       @def $DEV_WAN = (${wan-dev} he0 mullvad nycmesh);
       @def $NET_LAN = (10.0.0.0/8 172.20.0.0/16);
 
+      # Forward dns queries to dnsmasq on LAN interfaces.
+      domain (ip ip6) table nat chain PREROUTING {
+        interface ($DEV_LAN $DEV_UNTRUSTED_LAN) daddr $NET_LAN proto (tcp udp) dport 53 DNAT to localhost:2053
+      }
+      domain (ip ip6) table filter chain FORWARD {
+        interface ($DEV_LAN $DEV_UNTRUSTED_LAN) outerface lo proto (tcp udp) dport 2053 ACCEPT;
+      }
+
       domain (ip ip6) table filter {
         chain INPUT {
           policy DROP;
@@ -217,8 +225,11 @@ in {
   services.dnsmasq = {
     enable = true;
     servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
+    resolveLocalQueries = false;
     extraConfig = ''
       port=2053
+      no-resolv
+
       dhcp-authoritative
 
       dhcp-range=vlan30,172.20.30.50,172.20.30.254,5m
author	Kjetil Orbekk <kj@orbekk.com>	2021-08-05 07:49:54 -0400
committer	Kjetil Orbekk <kj@orbekk.com>	2021-08-05 07:49:54 -0400
commit	5090ff74457746ffe7817f924d2dbfe5e07ba61d (patch)
tree	5a2d3f29d5b33189e6854bfd589210d8dbb7b0ce /config
parent	869b70ed4d655c1c8df0798a1e5ecb3d4631a03f (diff)