From 6ff99bfec437cf6d53ce590cb4499898bf9d94b5 Mon Sep 17 00:00:00 2001 From: catvayor Date: Mon, 9 Sep 2024 21:54:39 +0200 Subject: [PATCH] feat(ISP): firewall to separate users --- machines/vault01/networking.nix | 50 ++++----------------------------- 1 file changed, 6 insertions(+), 44 deletions(-) diff --git a/machines/vault01/networking.nix b/machines/vault01/networking.nix index ac913e6..d3126b4 100644 --- a/machines/vault01/networking.nix +++ b/machines/vault01/networking.nix @@ -39,7 +39,6 @@ let mkUserVlan = { vlan, - netIP, servIP, interfaceName, ... @@ -48,38 +47,13 @@ let name = interfaceName; value = { Id = vlan; + address = with uplink; [ "${servIP}/27" ]; extraNetwork = { networkConfig = { LinkLocalAddressing = "no"; DHCPServer = "yes"; }; linkConfig.Promiscuous = true; - addresses = [ - { - addressConfig = { - Address = "${servIP}/27"; - AddPrefixRoute = false; - }; - } - ]; - routes = [ - { - routeConfig = { - Destination = "${netIP}/27"; - Table = "user"; - }; - } - ]; - routingPolicyRules = [ - { - routingPolicyRuleConfig = { - From = "${netIP}/27"; - To = "10.0.0.0/27"; - IncomingInterface = interfaceName; - Table = "user"; - }; - } - ]; }; }; }; @@ -140,7 +114,6 @@ in { systemd = { network = { - config.routeTables."user" = 1000; networks = { "10-lo" = { name = "lo"; @@ -149,22 +122,6 @@ in "127.0.0.1/8" "10.0.0.1/27" ]; - routes = [ - { - routeConfig = { - Destination = "10.0.0.0/27"; - Table = "user"; - }; - } - ]; - routingPolicyRules = [ - { - routingPolicyRuleConfig = { - IncomingInterface = "lo"; - Table = "user"; - }; - } - ]; }; "10-enp67s0f0np0" = { name = "enp67s0f0np0"; @@ -246,6 +203,11 @@ in firewall = { allowedUDPPorts = [ 67 ]; checkReversePath = false; + filterForward = true; + extraForwardRules = '' + ip saddr 10.0.0.0/16 ip daddr 10.0.0.0/27 accept + ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 accept + ''; }; }; -- 2.47.0
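Review bot: The `with uplink;` in the new `address = with uplink; [ "${servIP}/27" ];` has no effect: `servIP` is a parameter of mkUserVlan, and a lexically bound name is never shadowed by `with`, so nothing in the list is taken from `uplink`. Drop it so the line does not suggest the address comes from the uplink config: `address = [ "${servIP}/27" ];`. Removing the old `AddPrefixRoute = false` also means each user /27 now gets a prefix route in the main table, which the forward filter added later in this patch depends on; a short comment would help the next reader, e.g. `# prefix route lands in the main table; user isolation is now enforced by the forward filter, not by policy routing`. The mkUserVlan function starts before this hunk.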
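Review bot: Both accept rules in `extraForwardRules` match on `ip saddr 10.0.0.0/16` alone and nothing ties a source prefix to the VLAN it arrives on, while `checkReversePath = false` two lines above keeps the kernel from doing that check, so a client on one user VLAN can send with another VLAN's address or a 10.0.0.0/27 server address as source and still pass both rules. With the per-VLAN `user` routing table gone, consider re-enabling the reverse-path check (`checkReversePath = "loose";` or `true`) or qualifying the rules by ingress interface, e.g. `iifname "vlan*" ip saddr 10.0.0.0/16 ip daddr 10.0.0.0/27 accept`, with the actual user interface name pattern. Inter-VLAN traffic (10.0.x.0/27 to 10.0.y.0/27) is only dropped because the forward chain's default policy is drop, and replies from outside are only forwarded if NixOS's forward chain accepts established/related before these rules; as far as I recall both hold for the nftables backend, which `filterForward` requires, so a comment such as `# nftables backend only; default drop on forward is what isolates user VLANs from each other` next to `filterForward = true;` would make the design explicit. The set enclosing `firewall` starts outside the hunk.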