Compare commits
	
		
			3 Commits
		
	
	
		
			b48e7b1c33
			...
			1e66a99352
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 1e66a99352 | |||
| 0fe863844f | |||
| d44fdcfe6a | 
@@ -281,6 +281,25 @@ rec {
 | 
			
		||||
    };
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
  as211024 = rec {
 | 
			
		||||
    trusted = {
 | 
			
		||||
      v4 = [
 | 
			
		||||
        colony.prefixes.all.v4
 | 
			
		||||
        home.prefixes.all.v4
 | 
			
		||||
        tailscale.prefix.v4
 | 
			
		||||
      ];
 | 
			
		||||
      v6 = [
 | 
			
		||||
        colony.prefixes.all.v6
 | 
			
		||||
        home.prefixes.all.v6
 | 
			
		||||
        tailscale.prefix.v6
 | 
			
		||||
      ];
 | 
			
		||||
    };
 | 
			
		||||
    nftTrust = ''
 | 
			
		||||
      iifname as211024 ip saddr { ${concatStringsSep ", " trusted.v4} } accept
 | 
			
		||||
      iifname as211024 ip6 saddr { ${concatStringsSep ", " trusted.v6} } accept
 | 
			
		||||
    '';
 | 
			
		||||
  };
 | 
			
		||||
 | 
			
		||||
  kelder = {
 | 
			
		||||
    groups = {
 | 
			
		||||
      storage = 2000;
 | 
			
		||||
 
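Review bot: `nftTrust` (L86–L98) accepts forwarded traffic on the strength of `ip saddr`/`ip6 saddr` alone, so anything arriving on `as211024` that claims a prefix from `trusted.v4`/`trusted.v6` is accepted with no reverse-path check, and the hunks at L160, L375 and L572 all splice it in ahead of their other forward rules. Unless the AS211024 link already has anti-spoofing in the host configs (an rpfilter or `fib saddr . iif` rule), this is weaker than the interface-level trust it replaces, and the definition should say so: `# Source-address trust for AS211024 peers; only as strong as anti-spoofing on that link`. Note also that `concatStringsSep` would render an empty `{ }` set if either list were ever emptied, which nft will most likely refuse to load, so an assertion that both lists are non-empty would be cheap insurance. The enclosing `rec { ... }` begins before this hunk.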
 | 
			
		||||
@@ -150,8 +150,14 @@ in
 | 
			
		||||
              };
 | 
			
		||||
 | 
			
		||||
              firewall = {
 | 
			
		||||
                trustedInterfaces = [ "as211024" "tailscale0" ];
 | 
			
		||||
                trustedInterfaces = [ "tailscale0" ];
 | 
			
		||||
                extraRules = ''
 | 
			
		||||
                  table inet filter {
 | 
			
		||||
                    chain forward {
 | 
			
		||||
                      ${lib.my.as211024.nftTrust}
 | 
			
		||||
                      oifname as211024 accept
 | 
			
		||||
                    }
 | 
			
		||||
                  }
 | 
			
		||||
                  table inet nat {
 | 
			
		||||
                    chain postrouting {
 | 
			
		||||
                      iifname tailscale0 oifname veth0 snat ip to ${assignments.vultr.ipv4.address}
 | 
			
		||||
 
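Review bot: L160 references `${lib.my.as211024.nftTrust}` while the other two call sites (L375, L572) use `${lib.my.c.as211024.nftTrust}`, and the first hunk defines `as211024` alongside `kelder`, which L344 reaches as `lib.my.c.kelder`; unless `lib.my` also re-exports it, this path looks like it will fail to evaluate and should read `${lib.my.c.as211024.nftTrust}`. Separately, the change at L140/L144 appears to drop `"as211024"` from `trustedInterfaces`, which removes it from the input path as well, while `nftTrust` is only spliced into `chain forward`; any inbound service this host offered over that link now needs an explicit input rule (the same applies to L419 in the later hunk). The `firewall` block continues past the end of the hunk.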
 | 
			
		||||
@@ -27,7 +27,9 @@ in
 | 
			
		||||
          define HOMENET6 = ${homenet6};
 | 
			
		||||
 | 
			
		||||
          define OWNIP6 = ${assignments.base.ipv6.address};
 | 
			
		||||
          define OWNNETSET6 = [ ${intnet6}, ${amsnet6}, ${homenet6} ];
 | 
			
		||||
          # we have issues with sending ICMPv6 too big back on the wrong interface right now...
 | 
			
		||||
          define OWNNETSET6 = [ ${intnet6}, ${amsnet6} ];
 | 
			
		||||
          define CCNETSET6 = [ ];
 | 
			
		||||
          #define TRANSSET6 = [ ::1/128 ];
 | 
			
		||||
 | 
			
		||||
          define DUB1IP6 = ${lib.my.c.home.vips.as211024.v6};
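Review bot: `CCNETSET6` is introduced at L219 as an empty set, so the `|| net ~ CCNETSET6` clause added to `bgp_export_cc` at L254 and the `export filter bgp_export_cc` overrides on the two ColoClue IPv6 sessions at L285 and L305 currently add nothing to what the filter already accepted. That is fine as scaffolding, but nothing says so; a comment next to the define, e.g. `# IPv6 customer nets to export towards ColoClue: none yet`, would make clear the set was not forgotten. The L211 comment on the `OWNNETSET6` change is useful, but it would help to state plainly that this withdraws the `homenet6` prefix from upstream announcements and is expected to be reverted once the ICMPv6 path is fixed. These defines sit inside a Nix string whose start lies outside the hunk.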
 | 
			
		||||
@@ -42,7 +44,7 @@ in
 | 
			
		||||
            if net ~ OWNNETSET4 || net ~ OWNNETSET6 then accept; else reject;
 | 
			
		||||
          }
 | 
			
		||||
          filter bgp_export_cc {
 | 
			
		||||
            if net ~ OWNNETSET4 || net ~ OWNNETSET6 || net ~ CCNETSET4 then accept; else reject;
 | 
			
		||||
            if net ~ OWNNETSET4 || net ~ OWNNETSET6 || net ~ CCNETSET4 || net ~ CCNETSET6 then accept; else reject;
 | 
			
		||||
          }
 | 
			
		||||
 | 
			
		||||
          router id from "wan";
 | 
			
		||||
@@ -188,10 +190,12 @@ in
 | 
			
		||||
          protocol bgp upstream6_coloclue_eun2 from upstream_bgp6 {
 | 
			
		||||
            description "ColoClue euNetworks 2 (IPv6)";
 | 
			
		||||
            neighbor 2a02:898:0:20::e2 as 8283;
 | 
			
		||||
            ipv6 { export filter bgp_export_cc; };
 | 
			
		||||
          }
 | 
			
		||||
          protocol bgp upstream6_coloclue_eun3 from upstream_bgp6 {
 | 
			
		||||
            description "ColoClue euNetworks 3 (IPv6)";
 | 
			
		||||
            neighbor 2a02:898:0:20::e1 as 8283;
 | 
			
		||||
            ipv6 { export filter bgp_export_cc; };
 | 
			
		||||
          }
 | 
			
		||||
 | 
			
		||||
          protocol bgp upstream6_ifog from upstream_bgp6 {
 | 
			
		||||
 
 | 
			
		||||
@@ -366,7 +366,6 @@ in
 | 
			
		||||
                };
 | 
			
		||||
              };
 | 
			
		||||
              firewall = {
 | 
			
		||||
                trustedInterfaces = [ "as211024" ];
 | 
			
		||||
                udp.allowed = [ 5353 lib.my.c.kelder.vpn.port ];
 | 
			
		||||
                tcp.allowed = [ 5353 "bgp" ];
 | 
			
		||||
                nat = {
 | 
			
		||||
@@ -416,7 +415,8 @@ in
 | 
			
		||||
                    }
 | 
			
		||||
 | 
			
		||||
                    chain forward {
 | 
			
		||||
                      iifname { wan, $ixps } oifname base jump filter-routing
 | 
			
		||||
                      ${lib.my.c.as211024.nftTrust}
 | 
			
		||||
                      iifname { wan, as211024, $ixps } oifname base jump filter-routing
 | 
			
		||||
                      oifname $ixps jump ixp
 | 
			
		||||
                      iifname base oifname { base, wan, $ixps } accept
 | 
			
		||||
                      oifname { as211024, kelder } accept
 | 
			
		||||
 
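Review bot: In `chain forward` the `${lib.my.c.as211024.nftTrust}` accept rules at L375 are evaluated before the `iifname { wan, as211024, $ixps } oifname base jump filter-routing` at L379, so packets from the trusted AS211024 prefixes never enter `filter-routing`; if that chain carries checks meant for all routed traffic (rate limits, logging), they are skipped for those sources. The same ordering appears at L572/L584 in the last hunk. If the bypass is intended, a short comment at the insertion point would save the next reader a trace, e.g. `# Trusted AS211024 sources are accepted here and skip filter-routing below`. The `forward` chain runs past the end of the hunk.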
 | 
			
		||||
@@ -311,14 +311,18 @@ in
 | 
			
		||||
              };
 | 
			
		||||
            };
 | 
			
		||||
            firewall = {
 | 
			
		||||
              trustedInterfaces = [ "lan-hi" "lan-lo" "as211024" ];
 | 
			
		||||
              trustedInterfaces = [ "lan-hi" "lan-lo" ];
 | 
			
		||||
              udp.allowed = [ 5353 ];
 | 
			
		||||
              tcp.allowed = [ 5353 ];
 | 
			
		||||
              nat = {
 | 
			
		||||
                enable = true;
 | 
			
		||||
                externalInterface = "wan";
 | 
			
		||||
              };
 | 
			
		||||
              extraRules = ''
 | 
			
		||||
              extraRules =
 | 
			
		||||
              let
 | 
			
		||||
                aa = allAssignments;
 | 
			
		||||
              in
 | 
			
		||||
              ''
 | 
			
		||||
                table inet filter {
 | 
			
		||||
                  chain input {
 | 
			
		||||
                    iifname base meta l4proto { udp, tcp } th dport domain accept
 | 
			
		||||
@@ -326,8 +330,16 @@ in
 | 
			
		||||
                  }
 | 
			
		||||
 | 
			
		||||
                  chain routing-tcp {
 | 
			
		||||
                    # Safe enough to allow all SSH
 | 
			
		||||
                    tcp dport ssh accept
 | 
			
		||||
                    ip daddr {
 | 
			
		||||
                      ${aa.castle.hi.ipv4.address},
 | 
			
		||||
                      ${aa.cellar.hi.ipv4.address},
 | 
			
		||||
                      ${aa.palace.hi.ipv4.address}
 | 
			
		||||
                    } tcp dport ssh accept
 | 
			
		||||
                    ip6 daddr {
 | 
			
		||||
                      ${aa.castle.hi.ipv6.address},
 | 
			
		||||
                      ${aa.cellar.hi.ipv6.address},
 | 
			
		||||
                      ${aa.palace.hi.ipv6.address}
 | 
			
		||||
                    } tcp dport ssh accept
 | 
			
		||||
 | 
			
		||||
                    return
 | 
			
		||||
                  }
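Review bot: The rewrite of `chain routing-tcp` appears to replace the blanket `tcp dport ssh accept` (L502) with per-family destination allowlists at L506–L522 and L526–L542, but the only explanatory comment, `# Safe enough to allow all SSH` at L498, belongs to the rule being removed and nothing describes the new policy. A comment such as `# Routed SSH only to the hi addresses of castle, cellar and palace; anything else falls through to return` would document the intent and make future additions to the set deliberate. The two `daddr` sets also repeat the same host list; deriving both from one Nix list of hosts mapped to `.hi.ipv4.address` and `.hi.ipv6.address` would keep v4 and v6 in step as it grows.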
 | 
			
		||||
@@ -346,8 +358,10 @@ in
 | 
			
		||||
                  }
 | 
			
		||||
 | 
			
		||||
                  chain forward {
 | 
			
		||||
                    ${lib.my.c.as211024.nftTrust}
 | 
			
		||||
                    iifname lan-untrusted jump filter-untrusted
 | 
			
		||||
                    iifname { wan, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
 | 
			
		||||
                    iifname { wan, as211024, lan-untrusted } oifname { lan-hi, lan-lo } jump filter-routing
 | 
			
		||||
                    oifname as211024 accept
 | 
			
		||||
                  }
 | 
			
		||||
                  chain output { }
 | 
			
		||||
                }
 | 
			
		||||
 
 | 
			
		||||