Just need IPv6

Daniel Flanagan 2021-07-11 00:34:29 -05:00
parent 4a36006457
commit 09b5a6d69c
4 changed files with 50 additions and 42 deletions


@ -4,5 +4,7 @@ Name=eth0
[Network] [Network]
DHCP=yes DHCP=yes
Gateway=0.0.0.0/1 IPForward=ipv4
IPForward=yes
IPv6AcceptRA=yes
IPv6PrivacyExtensions=kernel
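Review bot: `IPForward=ipv4` on eth0 disagrees with `IPForward=yes` on lan0 in the same commit, and given the title, the WAN interface is the one that must forward IPv6 for the `IPv6SendRA=yes` LAN to reach anything. As far as I recall, systemd.network(5) of this era documents IPForward= as controlling a global kernel boolean (net.ipv4.ip_forward / net.ipv6.conf.all.forwarding) rather than a per-interface one, so which value ends up in effect would depend on the order the two .network files are applied — worth confirming on the installed version. `IPForward=yes` here removes the ambiguity; if IPv4-only forwarding on the WAN side was deliberate, a one-line comment stating why would help the next reader.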


@ -4,5 +4,9 @@ Name=lan0
[Network] [Network]
Address=10.0.0.1/24 Address=10.0.0.1/24
IPForward=yes
IPMasquerade=ipv4 IPMasquerade=ipv4
IPv6SendRA=yes
# [IPv6PrefixDelegation]
# RouterLifetimeSec=3600
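Review bot: `IPv6SendRA=yes` announces this host as a router on lan0, but nothing in this hunk gives the RA a prefix to advertise: the `[IPv6PrefixDelegation]` block stays commented out and no delegated prefix from the WAN DHCPv6 client is wired to this interface, so LAN clients may pick up a default route but no global address. If that block is meant to be enabled later, the systemd version that accepts `IPv6SendRA=` in [Network] renamed the section to `[IPv6SendRA]` (v247, I believe), so uncommenting it as written would likely be ignored — confirm against the installed version. A comment such as `# RA carries no prefix until DHCPv6-PD or an [IPv6Prefix] section is configured` would make the interim state explicit.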


@ -1,7 +1,7 @@
#!/usr/bin/env fish #!/usr/bin/env fish
function rmlink function rmlink
rm -f $argv[1] rm -f $argv[2]
ezln $argv[1] $argv[2] ezln $argv[1] $argv[2]
end end
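Review bot: `rm -f $argv[2]` and the `ezln` call after it run with no argument check, so invoking `rmlink` with a single path expands to a bare `rm -f` and a one-argument `ezln`; a guard at the top of the function, `test (count $argv) -eq 2; or return 1`, avoids that. Writing it as `rm -f -- $argv[2]` also stops a link name beginning with `-` from being parsed as an rm option. What ezln does when `$argv[2]` is an existing directory is not visible here, and `rm -f` will not remove a directory, so whether the pre-removal is sufficient depends on ezln's behaviour.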


@ -1,21 +1,25 @@
define WAN = eth0 define WAN = eth0
define LAN = lan0 define LAN = lan0
define ROUTER_TCP_PORTS = { 22 }
define ROUTER_UDP_PORTS = { 546, 53, 67 }
define ROUTER_INET_PORTS = { 546, 53, 67 }
define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 } define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
# define FACELESS_UDP_PORTS = 60000-60009 # define FACELESS_UDP_PORTS = { }
define DRAGON_TCP_PORTS = { 2221 } define DRAGON_TCP_PORTS = { 2221 }
# define DRAGON_UDP_PORTS = 60020-60029 # define DRAGON_UDP_PORTS = { }
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority filter; policy accept; type filter hook input priority filter; policy accept;
iifname "lo" accept iifname "lo" accept
icmpv6 type {echo-request,nd-neighbor-solicit,nd-neighbor-advert,nd-router-solicit,nd-router-advert,mld-listener-query} accept
ct state { established, related } accept ct state { established, related } accept
ct state invalid drop ct state invalid drop
ip protocol icmp accept ip protocol icmp accept
meta l4proto ipv6-icmp accept meta l4proto ipv6-icmp accept
tcp dport { 22 } accept tcp dport $ROUTER_TCP_PORTS accept
udp dport { 546, 53, 67 } accept udp dport $ROUTER_UDP_PORTS accept
drop drop
} }
@ -39,17 +43,15 @@ table ip nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; policy accept; type nat hook prerouting priority -100; policy accept;
# ip daddr 10.0.0.1 tcp dport ( 2221 ) dnat to 10.0.0.5:22 # ip daddr 10.0.0.1 tcp dport { 80, 443 } dnat to 10.0.0.10
# ip daddr 10.0.0.1 udp dport ( 60020 ) dnat to 10.0.0.5:60020
# ip daddr 10.0.0.1 udp dport ( 60021 ) dnat to 10.0.0.5:60021
# ip daddr 10.0.0.1 tcp dport ( 80 ) dnat to 10.0.0.10:80 iifname $WAN tcp dport $FACELESS_TCP_PORTS dnat to 10.0.0.10
# ip daddr 10.0.0.1 tcp dport ( 443 ) dnat to 10.0.0.10:443 # iifname $WAN udp dport $FACELESS_UDP_PORTS dnat to 10.0.0.10
# ip daddr 10.0.0.1 tcp dport ( 2222 ) dnat to 10.0.0.10:2222 iifname $WAN udp dport 60000-60009 dnat to 10.0.0.10
# ip daddr 10.0.0.1 tcp dport ( 2200 ) dnat to 10.0.0.10:22
iifname $WAN tcp dport { 443, 80 } dnat to 10.0.0.10 iifname $WAN tcp dport $DRAGON_TCP_PORTS dnat to 10.0.0.5
# iifname "lan0" tcp dport { 443, 80 } dnat to 10.0.0.10 # iifname $WAN udp dport $DRAGON_UDP_PORTS dnat to 10.0.0.5
iifname $WAN udp dport 60020-60029 dnat to 10.0.0.5
} }
} }
@ -85,28 +87,28 @@ table ip io.systemd.nat {
} }
# nat ipv6 for lan (probably unnecessary?) # nat ipv6 for lan (probably unnecessary?)
table ip6 io.systemd.nat { # table ip6 io.systemd.nat {
set masq_saddr { # set masq_saddr {
type ipv6_addr # type ipv6_addr
flags interval # flags interval
} # }
#
map map_port_ipport { # map map_port_ipport {
type inet_proto . inet_service : ipv6_addr . inet_service # type inet_proto . inet_service : ipv6_addr . inet_service
} # }
#
chain prerouting { # chain prerouting {
type nat hook prerouting priority dstnat + 1; policy accept; # type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport # fib daddr type local dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
} # }
#
chain output { # chain output {
type nat hook output priority -99; policy accept; # type nat hook output priority -99; policy accept;
ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport # ip6 daddr != ::1 oif "lo" dnat ip6 addr . port to meta l4proto . th dport map @map_port_ipport
} # }
#
chain postrouting { # chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept; # type nat hook postrouting priority srcnat + 1; policy accept;
ip6 saddr @masq_saddr masquerade # ip6 saddr @masq_saddr masquerade
} # }
} # }
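Review bot: in the first hunk, the new `icmpv6 type {echo-request,nd-neighbor-solicit,...} accept` rule is redundant with the `meta l4proto ipv6-icmp accept` kept a few lines below it, which still accepts every ICMPv6 type; if the intent is to allow-list ICMPv6, the blanket rule has to go, and the set then also needs `destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply` or PMTU discovery and error signalling break. The `tcp dport $ROUTER_TCP_PORTS accept` and `udp dport $ROUTER_UDP_PORTS accept` lines carry no `iifname`, so SSH, DNS (53) and DHCP (67) are accepted from $WAN as well as $LAN; restricting them to `iifname $LAN` and keeping only 546 (the DHCPv6 client port) interface-wide would close that, assuming nothing outside this hunk relies on WAN-side access. `ROUTER_INET_PORTS` is defined with the same set as `ROUTER_UDP_PORTS` but is not referenced in any hunk shown — if it is unused, drop it rather than leave two identical definitions. The input chain is fully visible here; the forward chain that the new prerouting dnat rules in the second hunk depend on is not.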