WIP: feat(ISP): firewall to separate users #125

Draft
lbailly wants to merge 1 commit from lbailly/infrastructure:firewall into main


@ -39,7 +39,6 @@ let
mkUserVlan = mkUserVlan =
{ {
vlan, vlan,
netIP,
servIP, servIP,
interfaceName, interfaceName,
... ...
@ -48,38 +47,13 @@ let
name = interfaceName; name = interfaceName;
value = { value = {
Id = vlan; Id = vlan;
address = with uplink; [ "${servIP}/27" ];
extraNetwork = { extraNetwork = {
networkConfig = { networkConfig = {
LinkLocalAddressing = "no"; LinkLocalAddressing = "no";
DHCPServer = "yes"; DHCPServer = "yes";
}; };
linkConfig.Promiscuous = true; linkConfig.Promiscuous = true;
addresses = [
{
addressConfig = {
Address = "${servIP}/27";
AddPrefixRoute = false;
};
}
];
routes = [
{
routeConfig = {
Destination = "${netIP}/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
From = "${netIP}/27";
To = "10.0.0.0/27";
IncomingInterface = interfaceName;
Table = "user";
};
}
];
}; };
}; };
}; };
@ -140,7 +114,6 @@ in
{ {
systemd = { systemd = {
network = { network = {
config.routeTables."user" = 1000;
networks = { networks = {
"10-lo" = { "10-lo" = {
name = "lo"; name = "lo";
@ -149,22 +122,6 @@ in
"127.0.0.1/8" "127.0.0.1/8"
"10.0.0.1/27" "10.0.0.1/27"
]; ];
routes = [
{
routeConfig = {
Destination = "10.0.0.0/27";
Table = "user";
};
}
];
routingPolicyRules = [
{
routingPolicyRuleConfig = {
IncomingInterface = "lo";
Table = "user";
};
}
];
}; };
"10-enp67s0f0np0" = { "10-enp67s0f0np0" = {
name = "enp67s0f0np0"; name = "enp67s0f0np0";
@ -246,6 +203,11 @@ in
firewall = { firewall = {
allowedUDPPorts = [ 67 ]; allowedUDPPorts = [ 67 ];
checkReversePath = false; checkReversePath = false;
filterForward = true;
extraForwardRules = ''
ip saddr 10.0.0.0/16 ip daddr 10.0.0.0/27 accept
ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 accept
'';
}; };
}; };
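Review bot: The two added `extraForwardRules` lines match on addresses only, so `ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 accept` admits any packet claiming a 10.0.0.0/16 source towards any non-10.0.0.0/16 destination regardless of the interface it arrived on, and with `checkReversePath = false` kept on the line above there is no rp_filter to catch a spoofed source either; qualifying both rules with an `iifname` match on the VLAN interfaces that `mkUserVlan` creates would tie the permission to the user ports, e.g. `iifname "<user-vlan-ifname>" ip saddr 10.0.0.0/16 ip daddr 10.0.0.0/27 accept` (placeholder for the generated interface name). The isolation itself appears to rely on the NixOS forward chain dropping what these rules do not accept, which is implicit here; a comment such as `# user VLANs may reach the server subnet (10.0.0.0/27) and the outside world; forward traffic between user VLANs inside 10.0.0.0/16 falls through to the chain's drop policy` would make the contract visible. Note that this only separates users on different VLANs — hosts sharing a VLAN remain L2-adjacent and never traverse the forward chain — and that the first rule grants user VLANs unrestricted access to every port in 10.0.0.0/27, which may be wider than the DHCP/gateway services intended. In the earlier hunk, `with uplink;` on the new `address` line seems to have no effect since `servIP` is a function argument; if nothing from `uplink` is referenced there it can be dropped.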