-rw-r--r-- | machines/dragon.nix | 4 | ||||
-rw-r--r-- | modules/router.nix | 33 |
2 files changed, 23 insertions, 14 deletions
diff --git a/machines/dragon.nix b/machines/dragon.nix
index 0c438ad..6920363 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -2,7 +2,7 @@ let duid = "00:01:00:01:21:a2:4e:a8:d0:bf:9c:45:a6:ec"; in { imports = [ - ../config/router.nix + # ../config/router.nix # ../config/borg-backup.nix ../config/keycloak.nix ../config/dns.nix
@@ -10,7 +10,7 @@ in { ../config/cgit.nix ]; - # orbekk.router.enable = true; + orbekk.router.enable = true; orbekk.monitoring-server.enable = true; orbekk.postfix.enable = true; orbekk.nextcloud.enable = true;
diff --git a/modules/router.nix b/modules/router.nix
index adada7b..4f7e212 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -62,7 +62,7 @@ let no-hosts dhcp-authoritative - enable-ra + enable-ra address=/localhost/::1 address=/localhost/127.0.0.1
@@ -85,6 +85,7 @@ let }; networking.firewall.enable = false; + systemd.services.nftables.after = ["kjlan-netdev.service"]; networking.nftables.enable = true; networking.nftables.ruleset = let
@@ -92,12 +93,14 @@ let in '' table inet filter { chain input { - type filter hook input priority 0; - iif lo accept; + type filter hook input priority 0 + iif lo accept - ct state {established, related} accept; + ct state {established, related} counter accept + ip protocol icmp limit rate 4/second counter accept + meta l4proto {tcp, udp} th dport {bootps, bootpc, domain} counter accept - counter drop; + counter drop } chain output {
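Review bot: `systemd.services.nftables.after = ["kjlan-netdev.service"]` in the @@ -85 hunk only orders the two units; with no matching `wants`/`requires`, nftables still starts on its own whenever kjlan-netdev is not pulled in by something else, and ordering alone does nothing when the device is re-created later (for example on a container restart). If the dependency exists because the `iif lan-vport` / `iif dragon-vport` rules added in the @@ -106 hunk need the interfaces to exist when the ruleset is loaded, that is a property of `iif`, which resolves to the interface index at load time; `iifname lan-vport` matches by name, survives re-creation of the interface, and removes the load-order coupling entirely. If the ordering is kept, make it a real dependency: `systemd.services.nftables = { after = [ "kjlan-netdev.service" ]; wants = [ "kjlan-netdev.service" ]; };`.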
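Review bot: The new input rule `meta l4proto {tcp, udp} th dport {bootps, bootpc, domain} counter accept` in the @@ -92 hunk carries no interface match, so it admits DNS and DHCP-server traffic arriving on wan-vport as well as on the internal interfaces; unless dnsmasq is bound to the internal interfaces only (not visible here), the resolver is reachable from the upstream network. Restrict it to the interfaces that should be served, e.g. `iifname {lan-vport, dragon-vport} meta l4proto {tcp, udp} th dport {bootps, domain} counter accept`, with a separate `udp dport bootpc accept` only if the router itself runs a DHCP client on wan-vport. Separately, `ip protocol icmp` matches IPv4 only: in this `inet` table that ends in `counter drop`, ICMPv6 on input is dropped, including the neighbour and router solicitations that the `enable-ra` dnsmasq setup depends on, unless they are accepted somewhere outside the hunk; add something like `icmpv6 type {nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, echo-request} counter accept`. Finally the chain now relies on the trailing `counter drop` rule instead of a chain policy; `type filter hook input priority 0; policy drop` makes the default explicit, as the forward chain already does. The ruleset string continues past the end of this hunk.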
@@ -106,18 +109,23 @@ let } chain forward { - type filter hook forward priority 0; policy drop; + type filter hook forward priority 0; policy drop - ct state vmap { established : accept, related : accept, invalid : drop }; + ct state vmap { established : accept, related : accept, invalid : drop } + iif lan-vport counter accept + iif dragon-vport counter accept - counter drop; + counter drop } } - table nat postrouting { - chain nat { - type nat hook postrouting priority 100; - ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade; + table nat { + chain prerouting { + type nat hook prerouting priority -100; policy accept + } + chain postrouting { + type nat hook postrouting priority 100; policy accept + ip saddr 172.16.0.0/12 oif {"wan-vport"} masquerade } } '';
@@ -150,6 +158,7 @@ in { }; }; + orbekk.mullvad.enable = true; networking.wireguard.interfaces.mullvad.interfaceNamespace = "router"; systemd.services."container@router" = { |
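Review bot: `iif lan-vport counter accept` and `iif dragon-vport counter accept` in the forward chain have no output-interface match, so anything entering from either internal interface is forwarded to every other interface in the namespace: lan-vport and dragon-vport can reach each other without restriction, and once `orbekk.mullvad.enable = true` (the @@ -150 hunk) places the mullvad WireGuard interface in the router namespace, traffic can leave through wan-vport or the tunnel depending only on routing. If a client network is meant to egress only via the tunnel, this is a leak path whenever the tunnel is down, because wan-vport is still accepted and masqueraded; pairing each rule with the intended egress, e.g. `iifname lan-vport oifname wan-vport counter accept`, pins the policy in the ruleset rather than in the routing table. Conversely the postrouting rule masquerades only for `oif {"wan-vport"}`, so forwarded 172.16.0.0/12 traffic leaving through the mullvad interface is not NATed; presumably the peer's allowed-ips will reject those sources, so a second masquerade rule for that interface is probably needed. Minor style: `oif {"wan-vport"}` quotes the name while the new `iif lan-vport` rules do not; `iifname`/`oifname` with unquoted names would make the three rules consistent. The ruleset's chain definitions begin before this hunk.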