nixos/colony: Replicate port forwards for internal routing

2023-12-11 15:05:42 +00:00 · 2023-12-11 15:05:42 +00:00 · 20a3873d25
commit 20a3873d25
parent d9d7a714cd
5 changed files with 59 additions and 39 deletions
--- a/lib/constants.nix
+++ b/lib/constants.nix
@ -114,6 +114,33 @@ rec {
      };
      home.v6 = "2a0e:97c0:4d0::/48";
    };
+
+    firewallForwards = aa: [
+      {
+        port = "http";
+        dst = aa.middleman.internal.ipv4.address;
+      }
+      {
+        port = "https";
+        dst = aa.middleman.internal.ipv4.address;
+      }
+      {
+        port = 8448;
+        dst = aa.middleman.internal.ipv4.address;
+      }
+
+      {
+        port = 2456;
+        dst = aa.valheim-oci.internal.ipv4.address;
+        proto = "udp";
+      }
+      {
+        port = 2457;
+        dst = aa.valheim-oci.internal.ipv4.address;
+        proto = "udp";
+      }
+    ];
+
    fstrimConfig = {
      enable = true;
      # backup happens at 05:00
--- a/lib/default.nix
+++ b/lib/default.nix
@ -1,6 +1,6 @@
 { lib }:
 let
-  inherit (builtins) length match elemAt filter;
+  inherit (builtins) length match elemAt filter replaceStrings;
  inherit (lib)
    genAttrs mapAttrsToList filterAttrsRecursive nameValuePair types
    mkOption mkOverride mkForce mkIf mergeEqualOption optional
@ -123,6 +123,12 @@ rec {
    home-manager = mkOpt' (enum [ "unstable" "stable" "mine" "mine-stable" ]) "unstable" "Branch of home-manager to use.";
  };

+  nft = rec {
+    ipEscape = replaceStrings ["." ":"] ["-" "-"];
+    natFilterChain = ip: "filter-fwd-${ipEscape ip}";
+    dnatChain = ip: "fwd-${ipEscape ip}";
+  };
+
  mkVLAN = name: vid: {
    "25-${name}" = {
      netdevConfig = {
--- a/nixos/boxes/colony/default.nix
+++ b/nixos/boxes/colony/default.nix
@ -1,7 +1,7 @@
 { lib, ... }:
 let
  inherit (lib.my) net;
-  inherit (lib.my.c.colony) domain prefixes;
+  inherit (lib.my.c.colony) domain prefixes firewallForwards;
 in
 {
  imports = [ ./vms ];
@ -351,6 +351,7 @@ in

          firewall = {
            trustedInterfaces = [ "vms" ];
+            nat.forwardPorts."${allAssignments.estuary.internal.ipv4.address}" = firewallForwards allAssignments;
            extraRules = ''
              define cust = { vm-mail, vm-darts }
              table inet filter {
--- a/nixos/boxes/colony/vms/estuary/default.nix
+++ b/nixos/boxes/colony/vms/estuary/default.nix
@ -2,7 +2,7 @@
 let
  inherit (builtins) elemAt;
  inherit (lib.my) net mkVLAN;
-  inherit (lib.my.c.colony) pubV4 domain prefixes;
+  inherit (lib.my.c.colony) pubV4 domain prefixes firewallForwards;
 in
 {
  nixos = {
@ -356,31 +356,7 @@ in
                nat = {
                  enable = true;
                  externalInterface = "wan";
-                  forwardPorts."${assignments.internal.ipv4.address}" = [
-                    {
-                      port = "http";
-                      dst = allAssignments.middleman.internal.ipv4.address;
-                    }
-                    {
-                      port = "https";
-                      dst = allAssignments.middleman.internal.ipv4.address;
-                    }
-                    {
-                      port = 8448;
-                      dst = allAssignments.middleman.internal.ipv4.address;
-                    }
-
-                    {
-                      port = 2456;
-                      dst = allAssignments.valheim-oci.internal.ipv4.address;
-                      proto = "udp";
-                    }
-                    {
-                      port = 2457;
-                      dst = allAssignments.valheim-oci.internal.ipv4.address;
-                      proto = "udp";
-                    }
-                  ];
+                  forwardPorts."${assignments.internal.ipv4.address}" = firewallForwards allAssignments;
                };
                extraRules =
                let
--- a/nixos/modules/firewall.nix
+++ b/nixos/modules/firewall.nix
@ -1,6 +1,6 @@
 { lib, options, config, ... }:
 let
-  inherit (builtins) typeOf replaceStrings attrNames;
+  inherit (builtins) typeOf attrNames;
  inherit (lib)
    optionalString concatStringsSep concatMapStringsSep mapAttrsToList optionalAttrs mkIf
    mkDefault mkMerge mkOverride;
@ -140,6 +140,9 @@ in
                chain postrouting {
                  type nat hook postrouting priority srcnat;
                }
+                chain input {
+                  type nat hook input priority srcnat;
+                }
              }

              ${cfg.extraRules}
@ -179,13 +182,22 @@ in

      my.firewall.extraRules =
        let
+          inherit (lib.my.nft) natFilterChain dnatChain;
          ipK = ip: "ip${optionalString (isIPv6 ip) "6"}";
-          ipEscaped = replaceStrings ["." ":"] ["-" "-"];

          makeFilter = f:
            "${ipK f.dst} daddr ${f.dst} ${f.proto} dport ${toString f.dstPort} accept";
          makeForward = f:
            "${f.proto} dport ${toString f.port} dnat ${ipK f.dst} to ${f.dst}:${toString f.dstPort}";
+
+          dnatJumps = ''
+            ${optionalString
+              iifForward
+              "iifname ${cfg.nat.externalInterface} jump iif-port-forward"}
+            ${optionalString
+              dipForward
+              (concatMapStringsSep "\n    " (ip: "${ipK ip} daddr ${ip} jump ${dnatChain ip}") (attrNames cfg.nat.forwardPorts))}
+          '';
        in
        ''
          table inet filter {
@ -198,7 +210,7 @@ in
            ${optionalString
              dipForward
              (concatStringsSep "\n" (mapAttrsToList (ip: fs: ''
-                chain filter-fwd-${ipEscaped ip} {
+                chain ${natFilterChain ip} {
                  ${concatMapStringsSep "\n    " makeFilter fs}
                  return
                }
@ -210,7 +222,7 @@ in
                "iifname ${cfg.nat.externalInterface} jump filter-iif-port-forwards"}
              ${optionalString
                dipForward
-                (concatMapStringsSep "\n    " (ip: "${ipK ip} daddr ${ip} jump filter-fwd-${ipEscaped ip}") (attrNames cfg.nat.forwardPorts))}
+                (concatMapStringsSep "\n    " (ip: "${ipK ip} daddr ${ip} jump ${natFilterChain ip}") (attrNames cfg.nat.forwardPorts))}
            }
          }

@ -224,19 +236,17 @@ in
            ${optionalString
              dipForward
              (concatStringsSep "\n" (mapAttrsToList (ip: fs: ''
-                chain fwd-${ipEscaped ip} {
+                chain ${dnatChain ip} {
                  ${concatMapStringsSep "\n    " makeForward fs}
                  return
                }
              '') cfg.nat.forwardPorts))}

            chain prerouting {
-              ${optionalString
-                iifForward
-                "iifname ${cfg.nat.externalInterface} jump iif-port-forward"}
-              ${optionalString
-                dipForward
-                (concatMapStringsSep "\n    " (ip: "${ipK ip} daddr ${ip} jump fwd-${ipEscaped ip}") (attrNames cfg.nat.forwardPorts))}
+              ${dnatJumps}
+            }
+            chain output {
+              ${dnatJumps}
            }
          }
        '';