From c89e822a5d558b9f9bb9d1ac2a1dd76f3e64c595 Mon Sep 17 00:00:00 2001
From: Gregor Kleen
Date: Sat, 8 Jan 2022 00:24:18 +0100
Subject: vidhar: dmz01
---
hosts/vidhar/network/default.nix | 18 ++++++++++++++++++
hosts/vidhar/network/dsl.nix | 27 ++++++++++++++++++++++-----
hosts/vidhar/network/ruleset.nft | 14 +++++++-------
3 files changed, 47 insertions(+), 12 deletions(-)
(limited to 'hosts/vidhar')
diff --git a/hosts/vidhar/network/default.nix b/hosts/vidhar/network/default.nix
index 62539239..81dac652 100644
--- a/hosts/vidhar/network/default.nix
+++ b/hosts/vidhar/network/default.nix
@@ -21,6 +21,11 @@
{ address = "10.141.1.1"; prefixLength = 24; }
];
};
+ interfaces."dmz01" = {
+ ipv4.addresses = [
+ { address = "10.141.2.1"; prefixLength = 24; }
+ ];
+ };
vlans = {
mgmt = {
@@ -31,6 +36,10 @@
id = 3;
interface = "eno2";
};
+ dmz01 = {
+ id = 4;
+ interface = "eno2";
+ };
};
firewall.enable = false;
@@ -58,6 +67,15 @@
subnet 10.141.1.0 netmask 255.255.255.0 {
range 10.141.1.128 10.141.1.254;
+ option domain-name-servers 10.141.1.1;
+ option broadcast-address 10.141.1.255;
+ }
+
+ subnet 10.141.2.0 netmask 255.255.255.0 {
+ range 10.141.2.128 10.141.2.254;
+ option domain-name-servers 10.141.2.1;
+ option broadcast-address 10.141.2.255;
+ option routers 10.141.2.1;
}
'';
machines = [
diff --git a/hosts/vidhar/network/dsl.nix b/hosts/vidhar/network/dsl.nix
index 21554b58..0ad598e6 100644
--- a/hosts/vidhar/network/dsl.nix
+++ b/hosts/vidhar/network/dsl.nix
@@ -95,6 +95,13 @@ in {
rdnss = [{ servers = ["::"]; }];
dnssl = [{ domain_names = ["yggdrasil"]; }];
}
+ { name = "dmz01";
+ advertise = true;
+ verbose = true;
+ prefix = [{ prefix = "::/64"; }];
+ route = [{ prefix = "::/0"; }];
+ rdnss = [{ servers = ["::"]; }];
+ }
];
debug = {
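Review bot: In the `@@ -58,6 +67,15 @@` hunk the new `subnet 10.141.2.0` block sets `option routers 10.141.2.1`, while the `subnet 10.141.1.0` block in the same hunk gains only `option domain-name-servers` and `option broadcast-address` and still has no `option routers`. dhcpd hands out an IPv4 default gateway only when that option is set, so unless a global `option routers` or another default-route mechanism is declared outside the hunk, clients on 10.141.1.0/24 get no gateway while dmz01 clients do. If the asymmetry is intended, a one-line comment above the 10.141.1.0 block such as `# option routers deliberately omitted: <reason>` would spare the next reader the question; if not, `option routers 10.141.1.1;` belongs there. The dhcpd configuration string starts before this hunk.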
@@ -108,10 +115,17 @@ in {
proxies = {
${pppInterface} = {
router = true;
- rules.lan = {
- method = "iface";
- interface = "lan";
- network = "::/0";
+ rules = {
+ lan = {
+ method = "iface";
+ interface = "lan";
+ network = "::/0";
+ };
+ dmz01 = {
+ method = "iface";
+ interface = "dmz01";
+ network = "::/0";
+ };
};
};
};
@@ -154,7 +168,9 @@ in {
'';
postStop = ''
- ${pkgs.iproute2}/bin/ip -6 a show dev lan scope global | ${pkgs.coreutils}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev lan
+ for dev in lan dmz01; do
+ ${pkgs.iproute2}/bin/ip -6 a show dev "''${dev}" scope global | ${pkgs.coreutils}/bin/grep inet6 | ${pkgs.gawk}/bin/awk '{ print $2; }' | ${pkgs.findutils}/bin/xargs -I '{}' -- ${pkgs.iproute2}/bin/ip addr del '{}' dev "''${dev}"
+ done
'';
serviceConfig = let
@@ -177,6 +193,7 @@ in {
iaid 1195061668
ipv6rs # enable routing solicitation for WAN adapter
ia_pd 1 lan/0/64/0 # request a PD and assign it to the LAN
+ ia_pd 1 dmz01/1/64/0 # request a PD and assign it to dmz01
reboot 0
diff --git a/hosts/vidhar/network/ruleset.nft b/hosts/vidhar/network/ruleset.nft
index 4d829355..f6a2175c 100644
--- a/hosts/vidhar/network/ruleset.nft
+++ b/hosts/vidhar/network/ruleset.nft
@@ -136,7 +136,7 @@ table inet filter {
oifname {lan, dsl} meta l4proto $icmp_protos jump forward_icmp_accept
iifname lan oifname dsl counter name fw-lan accept
- iifname dsl oifname lan ct state {established, related} counter name fw-dsl accept
+ iifname dsl oifname { lan, dmz01 } ct state {established, related} counter name fw-dsl accept
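Review bot: The `lan` and `dmz01` entries added under `rules` in the `@@ -108,10 +115,17 @@` hunk are identical except for the interface name, which invites the two NDP-proxy rules to drift apart the next time an interface is added. If `lib` is in scope in this file, generating them keeps a single definition: `rules = lib.genAttrs [ "lan" "dmz01" ] (iface: { method = "iface"; interface = iface; network = "::/0"; });`. Note also that with `network = "::/0"` on both rules every neighbour solicitation arriving on the PPP interface is probed on both lan and dmz01; that is unavoidable while the delegated prefixes are dynamic, but worth a comment on the `rules` attribute. The enclosing `in {` attribute set continues outside the hunk.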
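Review bot: The address-removal pipeline inside the new `for dev in lan dmz01` loop in the `@@ -154,7 +168,9 @@` hunk (`ip -6 a show … | grep inet6 | awk | xargs ip addr del`) depends on the textual layout of `ip addr show` and spawns four processes per interface; iproute2 has a built-in for this, `${pkgs.iproute2}/bin/ip -6 addr flush dev "''${dev}" scope global`, which should remove the same set of global-scope IPv6 addresses and is easier to audit. Keeping the loop as written is harmless, so this is a style point rather than a defect. The `postStop` string is complete in the hunk; the surrounding service definition continues outside it.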
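Review bot: The changed forward rule in the `@@ -136,7 +136,7 @@` hunk accepts `established, related` traffic from `dsl` to `dmz01`, but the outbound rule above it (`iifname lan oifname dsl counter name fw-lan accept`) and the ICMP rule (`oifname {lan, dsl}`) are not extended to dmz01, so nothing in this hunk lets a dmz01 host open a connection towards dsl or receive forwarded ICMP, and the new `dmz01` member only matches flows admitted by a rule outside the hunk. If dmz01 is meant to reach the internet it needs a counterpart such as `iifname dmz01 oifname dsl counter name fw-dmz01 accept` (the counter name is illustrative and would have to be declared in the table, or `fw-lan` reused) plus `oifname {lan, dsl, dmz01}` on the ICMP rule; if it is meant to be inbound-only via DNAT, those flows arrive as `new`, not `established`, and also need an explicit rule. Either way, please confirm the forward chain's default policy drops dmz01→lan, as no rule here isolates the two networks; the chain header and policy are outside the hunk.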
@@ -162,14 +162,14 @@ table inet filter {
iifname != dsl meta l4proto $icmp_protos limit name lim_icmp_local counter name icmp-ratelimit-local-rx drop
meta l4proto $icmp_protos counter name icmp-rx accept
- tcp dport 22 counter name ssh-rx accept
- udp dport 60001-61000 counter name mosh-rx accept
+ iifname { lan, mgmt, dsl } tcp dport 22 counter name ssh-rx accept
+ iifname { lan, mgmt, dsl } udp dport 60001-61000 counter name mosh-rx accept
- iifname lan tcp dport 53 counter name dns-rx accept
- iifname lan udp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt, dmz01 } tcp dport 53 counter name dns-rx accept
+ iifname { lan, mgmt, dmz01 } udp dport 53 counter name dns-rx accept
- meta protocol ip udp dport 51820 counter name wg-rx accept
- meta protocol ip6 udp dport 51821 counter name wg-rx accept
+ iifname { lan, mgmt, dsl } meta protocol ip udp dport 51820 counter name wg-rx accept
+ iifname { lan, mgmt, dsl } meta protocol ip6 udp dport 51821 counter name wg-rx accept
iifname "yggdrasil-wg-*" meta l4proto gre counter name yggdrasil-gre-rx accept
iifname dsl meta protocol ip6 udp dport 546 udp sport 547 counter name ipv6-pd-rx accept
--
cgit v1.2.3
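Review bot: The interface sets `{ lan, mgmt, dsl }` (three times) and `{ lan, mgmt, dmz01 }` (twice) are spelled out per rule in this hunk, so the next interface has to be added in five places and the two groups can silently diverge. The ruleset already uses a variable (`$icmp_protos`), so two `define`s at the top of the file — names illustrative, e.g. `define admin_ifaces = { lan, mgmt, dsl }` and `define dns_client_ifaces = { lan, mgmt, dmz01 }` — with the rules written as `iifname $admin_ifaces tcp dport 22 counter name ssh-rx accept` would keep both sets in one place. Leaving dmz01 out of the ssh, mosh and wireguard rules is the right isolation for a DMZ segment, and restricting the previously interface-agnostic rules to a named set makes that intent readable. The chain header and the file's `define` block are outside this hunk.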