WIP: feat(ISP): firewall to separate users #125

Draft
lbailly wants to merge 1 commit from lbailly/infrastructure:firewall into main


@ -39,7 +39,6 @@ let
mkUserVlan =
{
vlan,
netIP,
servIP,
interfaceName,
...
@ -48,38 +47,13 @@ let
name = interfaceName;
value = {
Id = vlan;
address = with uplink; [ "${servIP}/27" ];
extraNetwork = {
networkConfig = {
LinkLocalAddressing = "no";
DHCPServer = "yes";
};
linkConfig.Promiscuous = true;
addresses = [
{
addressConfig = {
Address = "${servIP}/27";
AddPrefixRoute = false;
};
}
];
routes = [
{
routeConfig = {
Destination = "${netIP}/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "${netIP}/27";
To = "10.0.0.0/27";
IncomingInterface = interfaceName;
Table = "user";
};
}
];
};
};
};
@ -140,7 +114,6 @@ in
{
systemd = {
network = {
config.routeTables."user" = 1000;
networks = {
"10-lo" = {
name = "lo";
@ -149,22 +122,6 @@ in
"127.0.0.1/8"
"10.0.0.1/27"
];
routes = [
{
routeConfig = {
Destination = "10.0.0.0/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
IncomingInterface = "lo";
Table = "user";
};
}
];
};
"10-enp67s0f0np0" = {
name = "enp67s0f0np0";
@ -246,6 +203,11 @@ in
firewall = {
allowedUDPPorts = [ 67 ];
checkReversePath = false;
filterForward = true;
extraForwardRules = ''
ip saddr 10.0.0.0/16 ip daddr 10.0.0.0/27 accept
ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 accept
'';
};
};