/** Custom ferm2 configuration on gaia
 *
 * This set of configuration options is required to make the wireguard
 * uplink to osmos.pbb.dev work. It does so by tagging all packets
 * coming in over a particular interface (public-ip) with a mark, and
 * then sorts replies to these connections into a special firewall
 * table to send them out over this link again as well.
 *
 * This module assumes that wireguard is enabled and configured
 *
 * The number 1312 appears three times below and must stay in sync:
 *   - the CONNMARK value set / restored in the ferm mangle table,
 *   - the `fwmark 1312 lookup 1312` policy rules in localCommands,
 *   - the `table = "1312"` the wireguard module installs its routes into.
 */

# `config` is accepted here but not referenced anywhere in this module.
{ config, ... }:

{
  # Main firewall configuration
  #
  # mangle/PREROUTING: every packet arriving on the wireguard interface
  # `public-ip` has its connection's mark set to 1312 (CONNMARK set-mark).
  # mangle/OUTPUT: locally generated packets copy the connection mark back
  # onto the packet (CONNMARK restore-mark), so replies belonging to those
  # connections carry fwmark 1312 and match the policy rule further down.
  # NOTE(review): restore-mark only runs in OUTPUT, which sees traffic this
  # host originates itself; forwarded replies would not be re-marked by this
  # ruleset — confirm gaia never forwards on behalf of that link.
  # NOTE(review): no filter-table rule matches on the mark yet (the ruleset's
  # own comment says "later"); today the mark only steers routing.
  services.ferm2 = {
    enable = true;
    extraConfig = ''
      table mangle {
        chain PREROUTING {
          # Mark all connections coming in from public-ip with mark 1312
          interface public-ip CONNMARK set-mark 1312;
        }

        chain OUTPUT {
          # Mark all packets that are responses to incoming public-ip
          # connetions with mark 1312 (we can filter this in the fw later)
          CONNMARK restore-mark;
        }
      }
    '';
  };

  # Additional ip commands to configure the firewall
  #
  # FIXME: create a firewall module that wraps around this
  #
  # Policy routing: `ip rule flush` first drops every existing rule of the
  # address family (including any installed by other modules on the host);
  # the main-table lookup is then re-added at priority 32000, and a rule at
  # the earlier priority 9000 sends fwmark-1312 packets to table 1312.
  # NOTE(review): verify on the running kernel/iproute2 whether the flush
  # also removes the `local` rule (pref 0); if it does, local-address
  # lookups are gone until something re-adds `lookup local`. The `default`
  # rule normally present at 32767 is not re-created here either.
  # `set -x` echoes each command into the service log; none carries secrets.
  # (`prio` and `pref` are accepted spellings of the same iproute2 keyword.)
  networking.localCommands = ''
    set -x
    ip -6 rule flush
    ip -4 rule flush
    ip -6 rule add lookup main prio 32000
    ip -4 rule add lookup main prio 32000

    # Take packets with fwmark and sort it into 1312 table
    ip -6 rule add from all fwmark 1312 lookup 1312 pref 9000
    ip -4 rule add from all fwmark 1312 lookup 1312 pref 9000
  '';

  # The tunnel that marked traffic is steered into.
  # - `table = "1312"` together with `allowedIPsAsRoutes = true` makes the
  #   0.0.0.0/0 and ::/0 routes derived from the peer's allowedIPs land in
  #   routing table 1312 instead of main, so only fwmark-1312 packets use the
  #   tunnel and the host's ordinary default route is left alone.
  # - The private key is read from a file outside the Nix store; keep it
  #   that way, store paths are world-readable.
  # - NOTE(review): postSetup forces mtu 1500 on the tunnel, above the MTU
  #   wireguard normally picks for itself; if the underlying path is also
  #   1500 the encapsulated packets will fragment — TODO confirm intended.
  networking.wireguard.interfaces."public-ip" = {
    # Addresses gaia uses inside the tunnel.
    ips = [ "2a0f:4ac0::18" "195.39.247.18" ];
    privateKeyFile = "/var/lib/wireguard/keys/milan.private";
    allowedIPsAsRoutes = true;
    table = "1312";
    postSetup = "ip link set dev public-ip mtu 1500";
    peers = [
      { publicKey = "kih/GnR4Bov/DM/7Rd21wK+PFQRUNH6sywVuNKkUAkk=";
        allowedIPs = [ "0.0.0.0/0" "::/0" ];
        # TODO: Currently telecom ipv6 handling is broken
        # endpoint = "2a01:581:1:9::1:51820";
        # NOTE(review): when re-enabling the v6 endpoint it likely needs the
        # bracketed `[addr]:port` form so the port is not read as part of
        # the address.
        endpoint = "62.176.250.82:51820";
        # Keeps the NAT/firewall state on the path alive while idle.
        persistentKeepalive = 25; }
    ];
  };
}