From 4a36006457360cf9a3c050c7cf6057ab20bae8c2 Mon Sep 17 00:00:00 2001
From: Daniel Flanagan
Date: Sat, 10 Jul 2021 23:48:10 -0500
Subject: [PATCH] Fix internal routing to main server

---
 dnsmasq.conf     | 11 +++++++++--
 firewall-edit.sh |  8 +++++---
 nftables.conf    | 41 ++++++++++++++++++++++++++++++++++++-----
 3 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/dnsmasq.conf b/dnsmasq.conf
index 315786e..7e922d4 100644
--- a/dnsmasq.conf
+++ b/dnsmasq.conf
@@ -78,7 +78,14 @@ server=8.8.4.4
 # Add domains which you want to force to an IP address here.
 # The example below send any host in double-click.net to a local
 # web-server.
-#address=/double-click.net/127.0.0.1
+address=/git.lyte.dev/10.0.0.10
+address=/h.lyte.dev/10.0.0.10
+address=/a.lyte.dev/10.0.0.10
+address=/.h.lyte.dev/10.0.0.10
+address=/#.h.lyte.dev/10.0.0.10
+address=/bw.lyte.dev/10.0.0.10
+address=/files.lyte.dev/10.0.0.10
+address=/grafana.lyte.dev/10.0.0.10
 # --address (and --server) work with IPv6 addresses too.
 #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
 
@@ -225,7 +232,7 @@ dhcp-range=10.0.0.5,10.0.0.250,255.255.255.0,10m
 # do not matter, it's permissible to give name, address and MAC in any
 # order.
 dhcp-host=f0:2f:74:c9:9b:61,dragon,10.0.0.5,12h
-# dhcp-host=????,faceless,10.0.0.10,12h
+dhcp-host=00:50:b6:24:27:0b,faceless,10.0.0.10,12h
 
 # Always allocate the host with Ethernet address 11:22:33:44:55:66
 # The IP address 192.168.0.60
diff --git a/firewall-edit.sh b/firewall-edit.sh
index a13a2af..3109ca9 100755
--- a/firewall-edit.sh
+++ b/firewall-edit.sh
@@ -3,6 +3,7 @@
 # TODO: diff with existing before just overwriting what's here in git?
 
 my_config="$(dirname "$(realpath "$0")")/nftables.conf"
+t="/tmp/nftables.conf"
 
 # we don't care about existing rules - just use ours, thanks
 # sudo nft -s list ruleset >> "$f"
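Review bot: `address=/.h.lyte.dev/10.0.0.10` and `address=/#.h.lyte.dev/10.0.0.10` look redundant with the `address=/h.lyte.dev/10.0.0.10` line two above them: dnsmasq's `--address=/domain/` already matches the domain and every name under it, so the dotted form adds nothing, and I am not aware of `#` being documented as a label inside a domain (on its own it is the match-everything domain). If the two lines were meant as a wildcard, dropping them should keep the behaviour; if they are deliberate, a one-line comment naming the dnsmasq behaviour they rely on would save the next reader the same check. Either way this is worth confirming against the dnsmasq version on the router rather than taken from here.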
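Review bot: `t="/tmp/nftables.conf"` is a fixed, predictable name in the shared `/tmp`, and the second hunk writes that file as the invoking user and then runs `sudo nft -f "$t"` on it, so whatever the file contains at that moment is loaded into the kernel as root. Another local user can pre-create the path (the `>` redirect follows an existing symlink) or change it between the `cat` and the `nft -f`; `fs.protected_symlinks` and the sticky bit narrow this but do not close it. Use a private temporary file and clean it up on every exit path: `t="$(mktemp)"` here and `trap 'rm -f "$t"' EXIT` right after it, which also makes the `rm "$t"` added in the second hunk unnecessary. The `[[ $l == "y" ]] && { ... }` block that consumes `$t` is in the next hunk, not this one.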
@@ -12,9 +13,10 @@ cat "$my_config"
 echo "Do you want to load this config? [y/N]"
 read -r l
 [[ $l == "y" ]] && {
-  printf "flush ruleset\n\n" > "/tmp/nftables.txt"
-  cat "$my_config" >> "/tmp/nftables.conf"
-  sudo nft -f "/tmp/nftables.conf"
+  printf "flush ruleset\n\n" > "$t"
+  cat "$my_config" >> "$t"
+  sudo nft -f "$t"
   sudo cp "$my_config" "/etc/nftables.conf"
+  rm "$t"
   echo "Done loading!"
 }
diff --git a/nftables.conf b/nftables.conf
index 54a96d6..3723291 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -1,15 +1,22 @@
+define WAN = eth0
+define LAN = lan0
+
+define FACELESS_TCP_PORTS = { 443, 80, 2222, 2200 }
+# define FACELESS_UDP_PORTS = 60000-60009
+define DRAGON_TCP_PORTS = { 2221 }
+# define DRAGON_UDP_PORTS = 60020-60029
+
 table inet filter {
 	chain input {
 		type filter hook input priority filter; policy accept;
-		udp dport 546 accept
-		udp dport 53 accept
+		iifname "lo" accept
 		ct state { established, related } accept
 		ct state invalid drop
-		iifname "lo" accept
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
-		tcp dport 22 accept
-		accept
+		tcp dport { 22 } accept
+		udp dport { 546, 53, 67 } accept
+		drop
 	}
 
 	chain forward {
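Review bot: `tcp dport { 22 } accept` and `udp dport { 546, 53, 67 } accept` are not qualified by input interface, so even with the new terminal `drop` the router still answers SSH, DNS (53) and DHCP (67) arriving on `$WAN` (eth0) — an open resolver and an exposed admin port on the internet-facing side, presumably served by the dnsmasq configured in this same patch. Bind them to the inside: `iifname $LAN tcp dport 22 accept` and `iifname $LAN udp dport { 53, 67 } accept`, leaving `udp dport 546 accept` unqualified only if the WAN link actually needs DHCPv6 client replies that `ct state established, related` does not already cover. The chain also keeps `policy accept` and relies on the last line `drop`; `policy drop` with the explicit accepts is the same behaviour but fails closed if that line is ever edited out. The `$WAN`/`$LAN` defines are introduced at the top of this hunk, and the `forward` chain begins on the hunk's last line with its body outside this hunk.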
@@ -19,9 +26,33 @@ table inet filter {
 	chain output {
 		type filter hook output priority filter; policy accept;
+		accept
 	}
 }
 
+table ip nat {
+	chain postrouting {
+		type nat hook postrouting priority 100; policy accept;
+		oifname $LAN masquerade
+	}
+
+	chain prerouting {
+		type nat hook prerouting priority -100; policy accept;
+
+		# ip daddr 10.0.0.1 tcp dport ( 2221 ) dnat to 10.0.0.5:22
+		# ip daddr 10.0.0.1 udp dport ( 60020 ) dnat to 10.0.0.5:60020
+		# ip daddr 10.0.0.1 udp dport ( 60021 ) dnat to 10.0.0.5:60021
+
+		# ip daddr 10.0.0.1 tcp dport ( 80 ) dnat to 10.0.0.10:80
+		# ip daddr 10.0.0.1 tcp dport ( 443 ) dnat to 10.0.0.10:443
+		# ip daddr 10.0.0.1 tcp dport ( 2222 ) dnat to 10.0.0.10:2222
+		# ip daddr 10.0.0.1 tcp dport ( 2200 ) dnat to 10.0.0.10:22
+
+		iifname $WAN tcp dport { 443, 80 } dnat to 10.0.0.10
+		# iifname "lan0" tcp dport { 443, 80 } dnat to 10.0.0.10
+	}
+}
+
 # the following two blocks were generated by restarting systemd-networkd and
 # dumping nftables