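# NixOS module that turns this host into a Wi-Fi access point and an
# IPv4/IPv6 router.  The upstream link is `wan-dev` (dhcpcd client, with
# DHCPv6 prefix delegation); the LAN is the wireless NIC `lan-dev`, served by
# hostapd (AP) and dnsmasq (DHCP + DNS) on 10.64.30.0/24.  Packet filtering
# is done by ferm, not by the NixOS firewall module.
{ config, lib, pkgs, ... }:
let
  wan-dev = "enp37s0"; # Internet-facing NIC
  lan-dev = "wlp39s0"; # wireless NIC that hostapd turns into the LAN side
in
{
  # NetworkManager would otherwise try to manage the same interfaces that
  # hostapd and dhcpcd own below.
  networking.networkmanager.enable = lib.mkForce false;

  # The NixOS firewall is forced off because ferm owns the ruleset.  The
  # remaining options are inert while `enable` is false; they are kept so the
  # intent (LAN trusted, ping allowed) survives if ferm is ever removed.
  networking.firewall = {
    enable = lib.mkForce false;
    allowedTCPPorts = lib.mkForce [ ];
    allowedUDPPorts = lib.mkForce [ ];
    allowPing = true;
    logRefusedConnections = false;
    checkReversePath = false;
    trustedInterfaces = [ lan-dev ];
  };

  # Ruleset summary (INPUT and FORWARD default to DROP for both ip and ip6):
  #  - WAN: only echo-request and UDP 34197 (Factorio) are accepted; the RTMP
  #    rule is commented out.
  #  - LAN: ssh, domain, bootps, 1935, 4317 and 5353 are accepted (tcp+udp);
  #    everything else from the LAN is dropped silently.
  #  - FORWARD: LAN-originated traffic is routed out; inbound-to-LAN is only
  #    allowed for ESTABLISHED/RELATED flows.
  #  - ip6 INPUT is declared twice; ferm appears to append the rules in file
  #    order, so the accepts come first and the `logdrop` jump last.
  #  - NAT: IPv4 masquerade from $NET_LAN out of the WAN interface.  Note that
  #    `networking.nat` (below) emits its own masquerade rule for the same
  #    traffic, so NAT is configured twice.
  services.ferm = {
    enable = true;
    config = ''
      @def $DEV_LAN = ${lan-dev};
      @def $DEV_WAN = ${wan-dev};
      @def $NET_LAN = 10.64.30.0/24;

      domain ip6 table filter chain INPUT {
        proto ipv6-icmp ACCEPT;
        proto udp dport (dhcpv6-client dhcpv6-server) ACCEPT;
      }

      domain (ip ip6) table filter {
        chain INPUT {
          policy DROP;

          mod state state INVALID DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;

          interface lo ACCEPT;
          proto icmp icmp-type echo-request ACCEPT;

          interface $DEV_WAN {
	    # RTMP
            # proto (tcp udp) dport 1935 ACCEPT;

	    # Factorio
	    proto udp dport 34197 ACCEPT;
	  }

          interface $DEV_LAN @subchain "services" {
	    # 1935 for rtmp testing
            proto (tcp udp) dport (ssh domain bootps 1935 4317 5353) ACCEPT;

	    # Chromecast
            # proto udp dport 32768:61000 ACCEPT;
	    # proto udp dport (5353 1900) ACCEPT;
	    # proto tcp dport (8008 8009) ACCEPT;

	    # chain logdrop {
            #   LOG log-level warning log-prefix "dropped-lan ";
	    #   DROP;
	    # }
	    # jump logdrop;
          }
        }

        chain OUTPUT policy ACCEPT;

        chain FORWARD {
          policy DROP;

          mod state state INVALID DROP;
          mod state state (ESTABLISHED RELATED) ACCEPT;

          interface $DEV_LAN ACCEPT;
        }
      }

      domain ip6 table filter chain INPUT {
        chain logdrop { 
          LOG log-level warning log-prefix "dropped-6 "; 
          DROP;
        }
        jump logdrop;
      }

      domain ip table nat {
        chain POSTROUTING {
          saddr $NET_LAN outerface $DEV_WAN MASQUERADE;
        }
      }
    '';
  };

  # sshd reachable on the LAN only (see the ferm "services" subchain); key
  # based login only.  Newer NixOS releases spell the second option
  # `services.openssh.settings.PasswordAuthentication`.
  services.openssh = {
    enable = lib.mkDefault true;
    passwordAuthentication = false;
  };

  # Routing between LAN and WAN needs kernel forwarding for both families;
  # the ferm FORWARD chain above decides what actually gets through.
  boot.kernel.sysctl = {
    "net.ipv4.conf.all.forwarding" = true;
    "net.ipv4.conf.default.forwarding" = true;
    "net.ipv6.conf.all.forwarding" = true;
    "net.ipv6.conf.default.forwarding" = true;
  };

  # Access point.  WPA-PSK with CCMP only (no TKIP) via extraConfig.
  # NOTE(review): `wpaPassphrase` is a literal in this file, so the PSK ends
  # up in the generated hostapd.conf in the world-readable Nix store and in
  # version control; the passphrase is also at the 8-character minimum.
  # Moving it to a secret file kept outside the store is the usual fix.
  services.hostapd = {
    enable = true;
    ssid = "2c";
    wpaPassphrase = "mintchip";
    interface = lan-dev;
    hwMode = "g";
    channel = 11;
    extraConfig = ''
      country_code=US
      wpa_key_mgmt=WPA-PSK  
      rsn_pairwise=CCMP
    '';
  };

  # dhcpcd only on the WAN side: the AP interface is denied so it never asks
  # for a lease on the network this host serves.  Router solicitations are
  # disabled globally and re-enabled for the WAN only; one IA_NA address plus
  # a /56 delegation, of which one /64 is assigned to the LAN interface.
  networking.useDHCP = true;
  networking.dhcpcd = {
    enable = true;
    denyInterfaces = [ lan-dev ];
    extraConfig = ''
      # debug
      noipv6rs
      interface ${wan-dev}
        dhcp
        ipv6rs
	ia_na 1
        ia_pd 1/::/56 ${lan-dev}/0/64
    '';
    wait = "background";
  };

  # LAN DHCP + DNS.  Clients are pointed at this host (10.64.30.1) for both
  # routing and DNS; upstream resolution goes to Google's resolvers over
  # plain UDP/53 (no DoT/DoH).  The pool ends at .254 because .255 is the
  # broadcast address of 10.64.30.0/24 and must not be handed out.
  services.dnsmasq = {
    enable = true;
    servers = [ "8.8.8.8" "8.8.4.4" ];
    extraConfig = ''
      dhcp-authoritative
      dhcp-range=10.64.30.100,10.64.30.254,255.255.255.0,24h
      dhcp-option=option:router,10.64.30.1
      dhcp-option=option:dns-server,10.64.30.1
      dhcp-option=option:netmask,255.255.255.0

      #dhcp-range=::,constructor:${lan-dev},slaac
    '';
  };

  # NixOS NAT module; duplicates the MASQUERADE rule ferm already installs.
  networking.nat = {
    enable = true;
    externalInterface = wan-dev;
    internalInterfaces = [ lan-dev ];
    # internalIPs = [ "10.0.0.0/24" ];
  };

  # Fixed MAC on the WAN side — presumably so the upstream lease stays bound
  # to one address; confirm before changing.
  networking.interfaces.${wan-dev} = {
    macAddress = "3c:97:0e:19:7e:5c";
  };

  # Static gateway address on the LAN; this is the router/DNS address that
  # dnsmasq advertises to clients.
  networking.interfaces.${lan-dev} = {
    ipv4.addresses = [ {
      address = "10.64.30.1";
      prefixLength = 24;
    } ];
  };
}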