path: root/config/ap.nix
blob: 60afb3aa1168e664f6440fd068e16d61237460aa (plain)
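{ config, lib, pkgs, ... }:
# Wi-Fi access point / home router.
#
#   * lan-dev is the wireless interface served by hostapd; dnsmasq hands out
#     IPv4 leases and SLAAC on it, dhcpcd delegates an IPv6 prefix to it.
#   * wan-dev is the upstream (untrusted) interface: DHCP client, IPv4 NAT.
#
# Packet filtering is done by ferm; the NixOS firewall module is forced off so
# the two do not fight over the same tables.
let
  wan-dev = "enp0s25";        # upstream, treated as untrusted
  lan-dev = "wlp4s0";         # Wi-Fi interface managed by hostapd
  lan-net = "10.64.30.0/24";  # IPv4 subnet handed out on lan-dev
in
{
  networking.networkmanager.enable = lib.mkForce false;

  # Disabled in favour of ferm below.  The remaining options in this block
  # (allowPing, trustedInterfaces, ...) have no effect while enable = false;
  # they only document the intent should the module ever be re-enabled.
  networking.firewall = {
    enable = lib.mkForce false;
    allowedTCPPorts = lib.mkForce [ ];
    allowedUDPPorts = lib.mkForce [ ];
    allowPing = true;
    logRefusedConnections = false;
    checkReversePath = false;
    trustedInterfaces = [ lan-dev ];
  };

  # Ruleset summary:
  #   INPUT    default DROP; only loopback, replies to our own traffic, ping,
  #            and ssh/dns/dhcp arriving on the LAN interface are accepted.
  #            Nothing unsolicited is accepted from the WAN.
  #   FORWARD  default DROP; LAN -> anywhere is allowed, WAN -> LAN only for
  #            established/related flows.
  #   nat      IPv4 traffic from the LAN subnet is masqueraded out the WAN.
  #            IPv6 is routed (prefix delegation), not translated.
  services.ferm = {
    enable = true;
    config = ''
      @def $DEV_LAN = ${lan-dev};
      @def $DEV_WAN = ${wan-dev};
      @def $NET_LAN = ${lan-net};

      domain ip6 table filter chain INPUT {
        proto ipv6-icmp ACCEPT;
      }

      domain (ip ip6) table filter {
        chain INPUT {
          policy DROP;

          mod state state INVALID DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;

          interface lo ACCEPT;
          proto icmp icmp-type echo-request ACCEPT;

          interface $DEV_LAN {
            proto (tcp udp) dport (ssh domain bootps) ACCEPT;
          }
        }

        chain OUTPUT policy ACCEPT;

        chain FORWARD {
          policy DROP;

          mod state state INVALID DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;

          interface $DEV_LAN ACCEPT;
        }
      }

      domain ip table nat {
        chain POSTROUTING {
          saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
        }
      }
    '';
  };

  # sshd is reachable only via the LAN interface (see the ferm INPUT chain);
  # password logins are refused so only key-based access works.
  services = {
    openssh.enable = lib.mkDefault true;
    openssh.passwordAuthentication = false;
  };

  # The box routes between lan-dev and wan-dev for both address families.
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv4.conf.default.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = true;
    "net.ipv6.conf.default.forwarding" = true;
  };

  services.hostapd = {
    enable = true;
    # driver = "iwlwifi";
    ssid = "2c";
    # NOTE(review): the WPA passphrase is stored in plain text in this file and
    # therefore in the repository; the generated hostapd config presumably
    # lands in the world-readable Nix store as well.  Treat it as disclosed:
    # rotate it and load it from a file kept outside the repo/store if the
    # module version in use offers such an option.
    wpaPassphrase = "mintchip";
    interface = lan-dev;
    hwMode = "g";
    channel = 11;
    extraConfig = ''
      country_code=US
      wpa_key_mgmt=WPA-PSK
      rsn_pairwise=CCMP
    '';
  };

  # Router solicitations are off globally and re-enabled only on the WAN,
  # where we request an address (ia_na) plus a delegated prefix (ia_pd) that
  # is assigned to the LAN interface.
  networking.dhcpcd = {
    extraConfig = ''
      debug
      noipv6rs
      interface ${wan-dev}
        ipv6rs
        ia_na 1
        ia_pd 2 ${lan-dev}/0
    '';
  };

  # DNS forwarder and DHCP server for the LAN.  The pool ends at .254: .255 is
  # the broadcast address of the /24 and must not be leased.  except-interface
  # keeps dnsmasq from answering on the WAN even if the ferm ruleset is down,
  # so the DNS resolver is never exposed upstream.
  services.dnsmasq = {
    enable = true;
    servers = [ "8.8.8.8" "8.8.4.4" ];
    extraConfig = ''
      except-interface=${wan-dev}

      dhcp-range=10.64.30.100,10.64.30.254,255.255.255.0,24h
      dhcp-option=option:router,10.64.30.1
      dhcp-option=option:dns-server,10.64.30.1
      dhcp-option=option:netmask,255.255.255.0

      dhcp-range=::,constructor:${lan-dev},slaac
    '';
  };

  # NOTE(review): ferm already masquerades $NET_LAN out of the WAN; this module
  # presumably installs its own MASQUERADE rule as well.  Two identical NAT
  # rules are harmless, but confirm the nat module's rules survive ferm
  # flushing the tables before relying on either one alone.
  networking.nat = {
    enable = true;
    externalInterface = wan-dev;
    internalInterfaces = [ lan-dev ];
    # internalIPs = [ "10.0.0.0/24" ];
  };

  networking.interfaces.${wan-dev} = {
    macAddress = "3c:97:0e:19:7e:5c";
    useDHCP = true;
  };

  # Static gateway address on the LAN; matches the router/dns-server options
  # advertised by dnsmasq above.
  networking.interfaces.${lan-dev} = {
    ipv4.addresses = [ {
      address = "10.64.30.1";
      prefixLength = 24;
    } ];
  };
}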