Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

try some fw stuff

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2023-12-01 00:13:21 +01:00
parent 83ac3fea42
commit addb063cee
2 changed files with 25 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
hosts/fw.cloonar.com/modules/firewall.nix
View File

@@ -52,10 +52,14 @@
# Allow returning traffic from wg_cloonar and drop everthing else # Allow returning traffic from wg_cloonar and drop everthing else
iifname "wg_cloonar" ct state { established, related } counter accept iifname "wg_cloonar" ct state { established, related } counter accept
iifname "wg_cloonar" drop iifname "wg_cloonar" drop
iifname "wan" ct state { established, related } accept comment "Allow established traffic"
iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
} }
chain forward { chain forward {
type filter hook forward priority filter; policy accept; type filter hook forward priority filter; policy drop;
# enable flow offloading for better throughput # enable flow offloading for better throughput
# ip protocol { tcp, udp } flow offload @f # ip protocol { tcp, udp } flow offload @f
@@ -87,7 +91,7 @@
"multimedia", "multimedia",
"smart", "smart",
"wg_cloonar", "wg_cloonar",
} ct state established,related counter accept comment "Allow established back to LANs" } ct state { established, related } counter accept comment "Allow established back to LANs"
} }
} }

26
hosts/fw.cloonar.com/modules/networking.nix
View File

@@ -2,33 +2,29 @@
boot.kernel.sysctl = { boot.kernel.sysctl = {
# if you use ipv4, this is all you need # if you use ipv4, this is all you need
"net.ipv4.conf.all.forwarding" = true; "net.ipv4.conf.all.forwarding" = true;
# If you want to use it for ipv6 # If you want to use it for ipv6
"net.ipv6.conf.all.forwarding" = true; "net.ipv6.conf.all.forwarding" = false;
# source: https://github.com/mdlayher/homelab/blob/master/nixos/routnerr-2/configuration.nix#L52
# By default, not automatically configure any IPv6 addresses.
"net.ipv6.conf.all.accept_ra" = 0;
"net.ipv6.conf.all.autoconf" = 0;
"net.ipv6.conf.all.use_tempaddr" = 0;
# On WAN, allow IPv6 autoconfiguration and tempory address use.
# "net.ipv6.conf.${name}.accept_ra" = 2;
# "net.ipv6.conf.${name}.autoconf" = 1;
}; };
systemd.network.links."10-wan" = { systemd.network = {
wait-online.anyInterface = true;
inks = {
"10-wan" = {
matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c1"; matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c1";
linkConfig.Name = "wan"; linkConfig.Name = "wan";
linkConfig.RequiredForOnline = "routable";
}; };
systemd.network.links."20-lan" = { "20-lan" = {
matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c2"; matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c2";
linkConfig.Name = "lan"; linkConfig.Name = "lan";
}; };
systemd.network.links."30-server" = { "30-server" = {
matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c3"; matchConfig.PermanentMACAddress = "a8:b8:e0:00:43:c3";
linkConfig.Name = "server"; linkConfig.Name = "server";
}; };
};
};
networking = { networking = {
useDHCP = false; useDHCP = false;