-rw-r--r--modules/router.nix4
1 files changed, 3 insertions, 1 deletions
diff --git a/modules/router.nix b/modules/router.nix
index 63eaa37..836f037 100644
--- a/modules/router.nix
+++ b/modules/router.nix
@@ -105,12 +105,12 @@ let
script = ''
ip -6 rule add fwmark ${toString heMark} table he || true
ip -6 route replace default dev he0 table he
- ip -6 route flush cache
ip rule add fwmark ${toString mullvadMark} table mullvad || true
ip -6 rule add fwmark ${toString mullvadMark} table mullvad || true
ip route replace default dev mullvad table mullvad
ip -6 route replace default dev mullvad table mullvad
+ ip -6 route flush cache
ip route flush cache
'';
};
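Review bot: The relocated `ip -6 route flush cache` now runs after the mullvad table is populated, but nothing in the script records why the ordering matters, so a later edit could move it back without noticing; a comment such as `# Flush the v6 route cache only after every table is written so no stale entries outlive the change.` directly above it would pin the intent. Separately, the `|| true` on the three `rule add` lines swallows every failure, not just the presumably intended "rule already exists" case, so a typo in a table name or a missing rt_tables entry would leave fwmarked traffic on the main table with no error in the unit log. If that is a concern, replacing `|| true` with an explicit check via `ip rule show` before adding would surface real failures while staying idempotent. The enclosing service definition starts outside the hunk.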
@@ -208,6 +208,8 @@ let
ip6 nexthdr ipv6-icmp limit rate 4/second counter accept comment "accept all ICMP types"
ct state vmap { established : accept, related : accept, invalid : drop }
+ # Don't allow accidental vpn forwarding to wan.
+ iifname vpnlan-vport oifname wan-vport counter deny
oifname he0 counter accept
oifname wan-vport counter accept
oifname mullvad counter accept
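Review bot: `deny` is not an nftables verdict, so the added rule `iifname vpnlan-vport oifname wan-vport counter deny` will fail to parse and the whole ruleset load is likely to be rejected, leaving the forwarding restriction it is meant to enforce absent; the intended verdict is `drop` (or `reject` if the sender should be told). The rule is placed after the `ct state vmap` line, so established and related flows are matched before it, which is fine as long as no earlier rule can create vpnlan-to-wan state. The hunk header announces eight new lines while seven are visible, so the chain may continue past this point.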