feat(ISP): firewall to separate users
parent
595407c13b
commit
6ff99bfec4
1 changed files with 6 additions and 44 deletions
|
@ -39,7 +39,6 @@ let
|
|||
mkUserVlan =
|
||||
{
|
||||
vlan,
|
||||
netIP,
|
||||
servIP,
|
||||
interfaceName,
|
||||
...
|
||||
|
@ -48,38 +47,13 @@ let
|
|||
name = interfaceName;
|
||||
value = {
|
||||
Id = vlan;
|
||||
address = with uplink; [ "${servIP}/27" ];
|
||||
extraNetwork = {
|
||||
networkConfig = {
|
||||
LinkLocalAddressing = "no";
|
||||
DHCPServer = "yes";
|
||||
};
|
||||
linkConfig.Promiscuous = true;
|
||||
addresses = [
|
||||
{
|
||||
addressConfig = {
|
||||
Address = "${servIP}/27";
|
||||
AddPrefixRoute = false;
|
||||
};
|
||||
}
|
||||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "${netIP}/27";
|
||||
Table = "user";
|
||||
};
|
||||
}
|
||||
];
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
From = "${netIP}/27";
|
||||
To = "10.0.0.0/27";
|
||||
IncomingInterface = interfaceName;
|
||||
Table = "user";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -140,7 +114,6 @@ in
|
|||
{
|
||||
systemd = {
|
||||
network = {
|
||||
config.routeTables."user" = 1000;
|
||||
networks = {
|
||||
"10-lo" = {
|
||||
name = "lo";
|
||||
|
@ -149,22 +122,6 @@ in
|
|||
"127.0.0.1/8"
|
||||
"10.0.0.1/27"
|
||||
];
|
||||
routes = [
|
||||
{
|
||||
routeConfig = {
|
||||
Destination = "10.0.0.0/27";
|
||||
Table = "user";
|
||||
};
|
||||
}
|
||||
];
|
||||
routingPolicyRules = [
|
||||
{
|
||||
routingPolicyRuleConfig = {
|
||||
IncomingInterface = "lo";
|
||||
Table = "user";
|
||||
};
|
||||
}
|
||||
];
|
||||
};
|
||||
"10-enp67s0f0np0" = {
|
||||
name = "enp67s0f0np0";
|
||||
|
@ -246,6 +203,11 @@ in
|
|||
firewall = {
|
||||
allowedUDPPorts = [ 67 ];
|
||||
checkReversePath = false;
|
||||
filterForward = true;
|
||||
extraForwardRules = ''
|
||||
ip saddr 10.0.0.0/16 ip daddr 10.0.0.0/27 accept
|
||||
ip saddr 10.0.0.0/16 ip daddr != 10.0.0.0/16 accept
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
|
|
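Review bot: The forward rules added in the last hunk match on `ip saddr`/`ip daddr` only, and with `checkReversePath = false` nothing ties a source prefix to the VLAN it should arrive on, so a packet entering one user VLAN with a source address taken from 10.0.0.0/27 or another user's /27 is still forwarded toward the uplink; the user-to-user isolation holds only because the destination is checked. Since `mkUserVlan` already receives `interfaceName` (and `netIP`, unless that is the line the first hunk removes), consider generating one pair of rules per VLAN that binds the prefix to its ingress interface, e.g. `iifname "${interfaceName}" ip saddr ${netIP}/27 ip daddr 10.0.0.0/27 accept` and `iifname "${interfaceName}" ip saddr ${netIP}/27 ip daddr != 10.0.0.0/16 accept`, concatenated into `extraForwardRules`. The second accept also admits every destination outside 10.0.0.0/16, which would include other private ranges reachable through the uplink if any exist; adding `oifname` for the uplink interface would make the intent explicit. Reply traffic presumably relies on the established/related handling NixOS puts in the forward chain ahead of `extraForwardRules` — worth confirming, because otherwise the outbound rule would need a mirror. A short comment above `extraForwardRules`, `# users may reach the service subnet and the outside, never each other`, would state the policy for the next reader.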