Compare commits
No commits in common. "f05567cbce6fc6bd25d7db761c01aeddd79424cc" and "e2200e951630fb22e81a073842310ed05ff4eba5" have entirely different histories.
f05567cbce
...
e2200e9516
@ -243,15 +243,11 @@
|
|||||||
networking.firewall.allowedUDPPorts = [ 53 ];
|
networking.firewall.allowedUDPPorts = [ 53 ];
|
||||||
networking.firewall.allowedTCPPorts = [ 53 ];
|
networking.firewall.allowedTCPPorts = [ 53 ];
|
||||||
|
|
||||||
clerie.firewall.enable = true;
|
networking.firewall.extraCommands = ''
|
||||||
clerie.firewall.extraForwardFilterCommands = ''
|
ip46tables -A FORWARD -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
|
||||||
ip46tables -A forward-filter -i enp1s0.202 -o ppp-ntvdsl -j ACCEPT
|
ip46tables -A FORWARD -i enp1s0.202 -j DROP
|
||||||
ip46tables -A forward-filter -i enp1s0.202 -j DROP
|
ip46tables -A FORWARD -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT
|
||||||
ip46tables -A forward-filter -i ppp-ntvdsl -o enp1s0.202 -j ACCEPT
|
ip46tables -A FORWARD -o enp1s0.202 -j DROP
|
||||||
ip46tables -A forward-filter -o enp1s0.202 -j DROP
|
|
||||||
'';
|
|
||||||
clerie.firewall.extraForwardMangleCommands = ''
|
|
||||||
ip46tables -t mangle -A forward-mangle -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1452
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
services.pppd = {
|
services.pppd = {
|
||||||
|
@ -1,144 +0,0 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
|
||||||
|
|
||||||
with lib;
|
|
||||||
|
|
||||||
let
|
|
||||||
|
|
||||||
ip46tables = ''
|
|
||||||
ip46tables() {
|
|
||||||
iptables -w "$@"
|
|
||||||
ip6tables -w "$@"
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
|
|
||||||
cfg = config.clerie.firewall;
|
|
||||||
|
|
||||||
forwardFilterStartScript = pkgs.writeScriptBin "forward-filter-start" ''
|
|
||||||
#! ${pkgs.runtimeShell} -e
|
|
||||||
|
|
||||||
${ip46tables}
|
|
||||||
|
|
||||||
ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
|
|
||||||
ip46tables -F forward-filter 2> /dev/null || true
|
|
||||||
ip46tables -X forward-filter 2> /dev/null || true
|
|
||||||
|
|
||||||
ip46tables -N forward-filter
|
|
||||||
|
|
||||||
${cfg.extraForwardFilterCommands}
|
|
||||||
|
|
||||||
ip46tables -A FORWARD -j forward-filter
|
|
||||||
'';
|
|
||||||
|
|
||||||
forwardFilterStopScript = pkgs.writeScriptBin "forward-filter-stop" ''
|
|
||||||
#! ${pkgs.runtimeShell} -e
|
|
||||||
|
|
||||||
${ip46tables}
|
|
||||||
|
|
||||||
ip46tables -D FORWARD -j forward-filter 2> /dev/null || true
|
|
||||||
ip46tables -F forward-filter 2> /dev/null || true
|
|
||||||
ip46tables -X forward-filter 2> /dev/null || true
|
|
||||||
'';
|
|
||||||
|
|
||||||
forwardMangleStartScript = pkgs.writeScriptBin "forward-mangle-start" ''
|
|
||||||
#! ${pkgs.runtimeShell} -e
|
|
||||||
|
|
||||||
${ip46tables}
|
|
||||||
|
|
||||||
ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true
|
|
||||||
ip46tables -t mangle -F forward-mangle 2> /dev/null || true
|
|
||||||
ip46tables -t mangle -X forward-mangle 2> /dev/null || true
|
|
||||||
|
|
||||||
ip46tables -t mangle -N forward-mangle
|
|
||||||
|
|
||||||
${cfg.extraForwardMangleCommands}
|
|
||||||
|
|
||||||
ip46tables -t mangle -A FORWARD -j forward-mangle
|
|
||||||
'';
|
|
||||||
|
|
||||||
forwardMangleStopScript = pkgs.writeScriptBin "forward-mangle-stop" ''
|
|
||||||
#! ${pkgs.runtimeShell} -e
|
|
||||||
|
|
||||||
${ip46tables}
|
|
||||||
|
|
||||||
ip46tables -t mangle -D FORWARD -j forward-mangle 2> /dev/null || true
|
|
||||||
ip46tables -t mangle -F forward-mangle 2> /dev/null || true
|
|
||||||
ip46tables -t mangle -X forward-mangle 2> /dev/null || true
|
|
||||||
'';
|
|
||||||
|
|
||||||
in
|
|
||||||
|
|
||||||
{
|
|
||||||
|
|
||||||
options = {
|
|
||||||
|
|
||||||
clerie.firewall = {
|
|
||||||
enable = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
description =
|
|
||||||
''
|
|
||||||
Whether to enable the clerie firewall. It provides chains than can get cleanly set up and shut down.
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
extraForwardFilterCommands = mkOption {
|
|
||||||
type = types.lines;
|
|
||||||
default = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
extraForwardMangleCommands = mkOption {
|
|
||||||
type = types.lines;
|
|
||||||
default = "";
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
|
||||||
|
|
||||||
environment.systemPackages = [ pkgs.iptables ];
|
|
||||||
|
|
||||||
systemd.services.forward-filter = {
|
|
||||||
description = "Forward Filter";
|
|
||||||
wantedBy = [ "sysinit.target" ];
|
|
||||||
wants = [ "network-pre.target" ];
|
|
||||||
before = [ "network-pre.target" ];
|
|
||||||
after = [ "systemd-modules-load.service" ];
|
|
||||||
|
|
||||||
path = [ pkgs.iptables ];
|
|
||||||
|
|
||||||
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
|
|
||||||
unitConfig.DefaultDependencies = false;
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
ExecStart = "@${forwardFilterStartScript}/bin/forward-filter-start forward-filter-start";
|
|
||||||
ExecStop = "@${forwardFilterStopScript}/bin/forward-filter-stop forward-filter-stop";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.forward-mangle = {
|
|
||||||
description = "Forward Mangle";
|
|
||||||
wantedBy = [ "sysinit.target" ];
|
|
||||||
wants = [ "network-pre.target" ];
|
|
||||||
before = [ "network-pre.target" ];
|
|
||||||
after = [ "systemd-modules-load.service" ];
|
|
||||||
|
|
||||||
path = [ pkgs.iptables ];
|
|
||||||
|
|
||||||
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
|
|
||||||
unitConfig.DefaultDependencies = false;
|
|
||||||
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
ExecStart = "@${forwardMangleStartScript}/bin/forward-mangle-start forward-mangle-start";
|
|
||||||
ExecStop = "@${forwardMangleStopScript}/bin/forward-mangle-stop forward-mangle-stop";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
}
|
|
@ -5,7 +5,6 @@
|
|||||||
./policyrouting
|
./policyrouting
|
||||||
./akne
|
./akne
|
||||||
./anycast_healthchecker
|
./anycast_healthchecker
|
||||||
./clerie-firewall
|
|
||||||
./gre-tunnel
|
./gre-tunnel
|
||||||
./minecraft-server
|
./minecraft-server
|
||||||
./monitoring
|
./monitoring
|
||||||
|
Loading…
Reference in New Issue
Block a user