
Compare commits


2 Commits

3 changed files with 154 additions and 5 deletions


@ -243,11 +243,15 @@
networking.firewall.allowedUDPPorts = [ 53 ]; networking.firewall.allowedUDPPorts = [ 53 ];
networking.firewall.allowedTCPPorts = [ 53 ]; networking.firewall.allowedTCPPorts = [ 53 ];
networking.firewall.extraCommands = '' clerie.firewall.enable = true;
ip46tables -A FORWARD -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT clerie.firewall.extraForwardFilterCommands = ''
ip46tables -A FORWARD -i enp1s0.202 -j DROP ip46tables -A forward-filter -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
ip46tables -A FORWARD -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT ip46tables -A forward-filter -i enp1s0.202 -j DROP
ip46tables -A FORWARD -o enp1s0.202 -j DROP ip46tables -A forward-filter -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT
ip46tables -A forward-filter -o enp1s0.202 -j DROP
'';
clerie.firewall.extraForwardMangleCommands = ''
ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
''; '';
services.pppd = { services.pppd = {
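Review bot: The forward-filter rule `ip46tables -A forward-filter -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT` forwards anything arriving on the uplink into the VLAN with no conntrack state match, so the VLAN is reachable from the outside rather than only for return traffic; if that is not intended, `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT` followed by the existing `-o enp1s0.202 -j DROP` is the usual form. This mirrors the rules being removed, so it may well be deliberate for a publicly routed subnet. The MSS clamp in extraForwardMangleCommands matches every forwarded SYN regardless of interface; scoping it with `-o ppp-ntvdsl` (and the reverse direction) keeps other forwarded paths untouched. The hunk header counts 11/15 lines while 9/13 are visible, so two context lines appear to be missing from this rendering.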


@ -0,0 +1,144 @@
{ config, lib, pkgs, ... }:
with lib;
let
ip46tables = ''
ip46tables() {
iptables -w "$@"
ip6tables -w "$@"
}
'';
cfg = config.clerie.firewall;
forwardFilterStartScript = pkgs.writeScriptBin "forward-filter-start" ''
#! ${pkgs.runtimeShell} -e
${ip46tables}
ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
ip46tables -F forward-filter 2> /dev/null || true
ip46tables -X forward-filter 2> /dev/null || true
ip46tables -N forward-filter
${cfg.extraForwardFilterCommands}
ip46tables -A FORWARD -j forward-filter
'';
forwardFilterStopScript = pkgs.writeScriptBin "forward-filter-stop" ''
#! ${pkgs.runtimeShell} -e
${ip46tables}
ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
ip46tables -F forward-filter 2> /dev/null || true
ip46tables -X forward-filter 2> /dev/null || true
'';
forwardMangleStartScript = pkgs.writeScriptBin "forward-mangle-start" ''
#! ${pkgs.runtimeShell} -e
${ip46tables}
ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true
ip46tables -t mangle -F forward-mangle 2> /dev/null || true
ip46tables -t mangle -X forward-mangle 2> /dev/null || true
ip46tables -t mangle -N forward-mangle
${cfg.extraForwardMangleCommands}
ip46tables -t mangle -A FORWARD -j forward-mangle
'';
forwardMangleStopScript = pkgs.writeScriptBin "forward-mangle-stop" ''
#! ${pkgs.runtimeShell} -e
${ip46tables}
ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true
ip46tables -t mangle -F forward-mangle 2> /dev/null || true
ip46tables -t mangle -X forward-mangle 2> /dev/null || true
'';
in
{
options = {
clerie.firewall = {
enable = mkOption {
type = types.bool;
default = false;
description =
''
Whether to enable the clerie firewall. It provides chains than can get cleanly set up and shut down.
'';
};
extraForwardFilterCommands = mkOption {
type = types.lines;
default = "";
};
extraForwardMangleCommands = mkOption {
type = types.lines;
default = "";
};
};
};
config = mkIf cfg.enable {
environment.systemPackages = [ pkgs.iptables ];
systemd.services.forward-filter = {
description = "Forward Filter";
wantedBy = [ "sysinit.target" ];
wants = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = [ pkgs.iptables ];
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "@${forwardFilterStartScript}/bin/forward-filter-start forward-filter-start";
ExecStop = "@${forwardFilterStopScript}/bin/forward-filter-stop forward-filter-stop";
};
};
systemd.services.forward-mangle = {
description = "Forward Mangle";
wantedBy = [ "sysinit.target" ];
wants = [ "network-pre.target" ];
before = [ "network-pre.target" ];
after = [ "systemd-modules-load.service" ];
path = [ pkgs.iptables ];
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
unitConfig.DefaultDependencies = false;
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "@${forwardMangleStartScript}/bin/forward-mangle-start forward-mangle-start";
ExecStop = "@${forwardMangleStopScript}/bin/forward-mangle-stop forward-mangle-stop";
};
};
};
}
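Review bot: forward-filter-start runs under `-e` and attaches the chain only after every line of extraForwardFilterCommands has succeeded (`ip46tables -A FORWARD -j forward-filter` is the last step), so one failing rule leaves a populated but orphaned chain and FORWARD at whatever policy it already had — the filter fails open instead of closed. If runtimeShell is bash, a trap placed right after the `-N`, e.g. `trap 'ip46tables -A forward-filter -j DROP; ip46tables -A FORWARD -j forward-filter' ERR`, would make a broken rule block forwarding rather than bypass the filter; forward-mangle-start has the same shape, though failing there only loses the MSS clamp. Appending with `-A` also puts the chain after any rules other services have already placed in FORWARD, so `-I FORWARD -j forward-filter` may be the intended ordering — worth confirming against what else manipulates FORWARD on these hosts. The two units and their start/stop scripts differ only in the table and chain name; a small helper taking those two strings would remove the duplication. extraForwardFilterCommands and extraForwardMangleCommands carry no `description` unlike `enable`; one such as `description = "iptables/ip6tables commands appended to the forward-filter chain (run through the ip46tables shell function).";` would document them.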


@ -5,6 +5,7 @@
./policyrouting ./policyrouting
./akne ./akne
./anycast_healthchecker ./anycast_healthchecker
./clerie-firewall
./gre-tunnel ./gre-tunnel
./minecraft-server ./minecraft-server
./monitoring ./monitoring