diff options
| author | Kjetil Orbekk <kj@orbekk.com> | 2023-04-23 09:46:21 -0400 |
|---|---|---|
| committer | Kjetil Orbekk <kj@orbekk.com> | 2023-04-23 09:46:21 -0400 |
| commit | c9949fe7273ee6bb107a0389ca32b6b64087154d (patch) | |
| tree | 9106bc40a89582d6789634f3a180b1d42561978e /modules | |
| parent | 5abd9db56aa2b2759097d49c3cfed65351103bd2 (diff) | |
fix
Diffstat (limited to 'modules')
| -rw-r--r-- | modules/router.nix | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/modules/router.nix b/modules/router.nix index 63eaa37..836f037 100644 --- a/modules/router.nix +++ b/modules/router.nix @@ -105,12 +105,12 @@ let script = '' ip -6 rule add fwmark ${toString heMark} table he || true ip -6 route replace default dev he0 table he - ip -6 route flush cache ip rule add fwmark ${toString mullvadMark} table mullvad || true ip -6 rule add fwmark ${toString mullvadMark} table mullvad || true ip route replace default dev mullvad table mullvad ip -6 route replace default dev mullvad table mullvad + ip -6 route flush cache ip route flush cache ''; }; @@ -208,6 +208,8 @@ let ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types" ct state vmap { established : accept, related : accept, invalid : drop } + # Don't allow accidental vpn forwarding to wan. + iifname vpnlan-vport oifname wan-vport counter deny oifname he0 counter accept oifname wan-vport counter accept oifname mullvad counter accept |