simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

shinobu/router: Restrict wan

Browse source
This commit is contained in:
Simon Bruder 2023-09-08 13:13:01 +02:00
parent 94fcee359a
commit e7d740f03c
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
1 changed files with 30 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
machines/shinobu/services/router.nix
View file

@ -62,6 +62,7 @@ in
define VUEKO_V4 = 168.119.176.53 define VUEKO_V4 = 168.119.176.53
define VUEKO_V6 = 2a01:4f8:c012:2f4::1 define VUEKO_V6 = 2a01:4f8:c012:2f4::1
define VUEKO_PORT = 51820 define VUEKO_PORT = 51820
define WG_UPSTREAM_ENDPOINT = ${lib.elemAt (lib.splitString ":" (lib.elemAt config.systemd.network.netdevs.wg-upstream.wireguardPeers 0).wireguardPeerConfig.Endpoint) 0}
define PLASTIC_ROUTER_V4 = 192.168.0.1 define PLASTIC_ROUTER_V4 = 192.168.0.1
table inet filter { table inet filter {
@ -108,6 +109,35 @@ in
ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter ip6 daddr $VUEKO_V6 udp dport $VUEKO_PORT mark set ${toString noVpnFwMark} counter
} }
} }
# Only allow select connections from and to (physical) wan,
# overriding NixOS firewall in some cases.
table inet restrict-wan {
# Priorities must be higher than filter (0),
# which the NixOS firewall uses.
chain input {
type filter hook input priority -50; policy accept
# accept responses
iifname $PHYSICAL_WAN ct state established,related counter accept
# accept icmpv6
iifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# drop everything else
iifname $PHYSICAL_WAN counter drop
}
chain output {
type filter hook output priority -50; policy accept
# accept connections to plastic router
oifname $PHYSICAL_WAN ip daddr $PLASTIC_ROUTER_V4 accept
# accept icmpv6
oifname $PHYSICAL_WAN icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
# accept connections to selected endpoints
oifname $PHYSICAL_WAN ip daddr $WG_UPSTREAM_ENDPOINT counter accept
oifname $PHYSICAL_WAN ip daddr $VUEKO_V4 counter accept
oifname $PHYSICAL_WAN ip6 daddr $VUEKO_V6 counter accept
# drop all other packets
oifname $PHYSICAL_WAN counter drop
} }
} }
''; '';