Better ns0 network namespace configs

Enable nft. Use different nft config for ns0. Host open emails port. ns0
open wireguard and qbt ports. ns0 configure wireguard. host not
configure wiregurad, so also no need ip forwarding sysctl kernel
parameters. ns0 use /etc/netns/ns0/nftables.conf that will bind mount to
ns0.

Host and ns0 both run dnsmasq for dns cache. ns0 dnsmasq I disable dbus
because it will conficts with host dnsmasq dbus. Dnsmasq use dbus for
config cahnge?

I disable systemd-resolved and switch to dnsmasq because
systemd-resolved use dbus for dns query? which is maybe easy for dns
leak, e.g., when systemd-resolved is only running on host, ns0 with
different /etc/resolv.conf still get dns from host open public ip when
run resolvectl query, although drill does not leak.

sye add enabled systemd units

1 files changed, 71 insertions, 0 deletions

diff --git a/etc/netns/ns0/nftables.conf b/etc/netns/ns0/nftables.conf
new file mode 100644
index 00000000..b0c1237c
--- /dev/null
+++ b/etc/netns/ns0/nftables.conf
@@ -0,0 +1,71 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# references, some codes from:
+# https://wiki.archlinux.org/title/Nftables
+# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+define pub_iface = "ipvl0"
+define wg_iface = "wg0"
+table inet my_table {
+
+	chain my_input {
+		type filter hook input priority filter
+		policy drop
+
+		ct state invalid drop comment "early drop of invalid connections"
+		ct state {established, related} accept comment "allow tracked connections"
+		iifname lo accept comment "allow from loopback"
+		iifname $wg_iface accept comment "allow from wireguard"
+		ip protocol icmp accept
+		meta l4proto ipv6-icmp accept
+
+		#tcp dport ssh accept
+		#tcp dport qbt-nox accept
+		tcp dport qbt accept
+		udp dport qbt accept
+		#tcp dport iperf3 accept
+		udp dport wireguard accept
+		udp dport swgp accept
+
+		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+		counter comment "count any other traffic"
+	}
+
+	chain my_forward {
+		type filter hook forward priority filter
+		policy drop
+		# Drop everything forwarded to us. We do not forward. That is routers job.
+
+		# needed for wireguard?
+		#iifname $wg_iface oifname $pub_iface accept
+		#iifname $pub_iface oifname $wg_iface accept
+		iifname $wg_iface accept
+		oifname $wg_iface accept
+	}
+
+	chain my_output {
+		type filter hook output priority filter
+		policy accept
+		# Accept every outbound connection
+	}
+}
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+	# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+	# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+	chain postrouting {
+		type nat hook postrouting priority 100
+		policy accept
+		oifname $pub_iface masquerade
+	}
+}