From 5090ff74457746ffe7817f924d2dbfe5e07ba61d Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Thu, 5 Aug 2021 07:49:54 -0400
Subject: firewall

---
 config/router.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'config')

diff --git a/config/router.nix b/config/router.nix
index 8e73d8b..5513176 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -69,6 +69,14 @@ in {
 @def $DEV_WAN = (${wan-dev} he0 mullvad nycmesh);
 @def $NET_LAN = (10.0.0.0/8 172.20.0.0/16);
 
+ # Forward dns queries to dnsmasq on LAN interfaces.
+ domain (ip ip6) table nat chain PREROUTING {
+ interface ($DEV_LAN $DEV_UNTRUSTED_LAN) daddr $NET_LAN proto (tcp udp) dport 53 DNAT to localhost:2053
+ }
+ domain (ip ip6) table filter chain FORWARD {
+ interface ($DEV_LAN $DEV_UNTRUSTED_LAN) outerface lo proto (tcp udp) dport 2053 ACCEPT;
+ }
+
 domain (ip ip6) table filter {
 chain INPUT {
 policy DROP;
@@ -217,8 +225,11 @@ in {
 services.dnsmasq = {
 enable = true;
 servers = [ "1.1.1.1" "8.8.8.8" "8.8.4.4" ];
+ resolveLocalQueries = false;
 extraConfig = ''
 port=2053
+ no-resolv
+ dhcp-authoritative
 dhcp-range=vlan30,172.20.30.50,172.20.30.254,5m
-- 
cgit v1.2.3
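Review bot: The new FORWARD rule with `outerface lo` cannot match the traffic the PREROUTING DNAT creates: once the destination is rewritten to localhost the packet is delivered locally and traverses INPUT, not FORWARD, so with `policy DROP` on INPUT the redirected DNS queries are dropped unless an INPUT accept for dport 2053 on those interfaces exists further down, outside this hunk. DNAT to a loopback address for packets arriving on a non-loopback interface is additionally discarded by the kernel unless `route_localnet` is enabled for the interface, and IPv6 has no equivalent, so the `ip6` half of the DNAT rule is unlikely to work at all. A form that works for both families without sysctl changes is REDIRECT, which rewrites the destination to the receiving interface's own address: `interface ($DEV_LAN $DEV_UNTRUSTED_LAN) daddr $NET_LAN proto (tcp udp) dport 53 REDIRECT to-ports 2053;`, paired with an INPUT rule `interface ($DEV_LAN $DEV_UNTRUSTED_LAN) proto (tcp udp) dport 2053 ACCEPT;` in place of the FORWARD rule. The DNAT line also lacks the trailing `;` that the FORWARD rule has; ferm presumably treats the closing brace as a terminator, but the two rules should be written consistently. The enclosing ferm configuration block starts and ends outside this hunk.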