-rw-r--r-- | etc/netns/ns0/nftables.conf | 71 | ||||
-rw-r--r-- | etc/nftables.conf | 24 | ||||
-rw-r--r--[l---------] | etc/resolv.conf | 4 | ||||
-rw-r--r-- | etc/sysctl.d/99-sysctl.conf | 7 | ||||
-rw-r--r-- | etc/systemd/system/dnsmasq-ns0.service | 22 | ||||
-rw-r--r-- | home/xyz/.config/myconf/sye | 6 |
6 files changed, 100 insertions, 34 deletions
diff --git a/etc/netns/ns0/nftables.conf b/etc/netns/ns0/nftables.conf
new file mode 100644
index 00000000..b0c1237c
--- /dev/null
+++ b/etc/netns/ns0/nftables.conf
@@ -0,0 +1,71 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# references, some codes from:
+# https://wiki.archlinux.org/title/Nftables
+# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+define pub_iface = "ipvl0"
+define wg_iface = "wg0"
+table inet my_table {
+
+ chain my_input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ #tcp dport ssh accept
+ #tcp dport qbt-nox accept
+ tcp dport qbt accept
+ udp dport qbt accept
+ #tcp dport iperf3 accept
+ udp dport wireguard accept
+ udp dport swgp accept
+
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter comment "count any other traffic"
+ }
+
+ chain my_forward {
+ type filter hook forward priority filter
+ policy drop
+ # Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
+ }
+
+ chain my_output {
+ type filter hook output priority filter
+ policy accept
+ # Accept every outbound connection
+ }
+}
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ oifname $pub_iface masquerade
+ }
+}
diff --git a/etc/nftables.conf b/etc/nftables.conf
index da1f2f44..ebf4a082 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -11,8 +11,6 @@
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
 
-define pub_iface = "eth0"
-define wg_iface = "wg0"
 table inet my_table {
 
 chain my_input {
@@ -22,7 +20,6 @@ table inet my_table {
 ct state invalid drop comment "early drop of invalid connections"
 ct state {established, related} accept comment "allow tracked connections"
 iifname lo accept comment "allow from loopback"
- iifname $wg_iface accept comment "allow from wireguard"
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
 
@@ -31,8 +28,6 @@ table inet my_table {
 tcp dport qbt accept
 udp dport qbt accept
 #tcp dport iperf3 accept
- udp dport wireguard accept
- udp dport swgp accept
 # for acme.sh standalone mode builtin webserver to renew ssl cert
 tcp dport http accept
 # email related ports
@@ -52,12 +47,6 @@ table inet my_table {
 type filter hook forward priority filter
 policy drop
 # Drop everything forwarded to us. We do not forward. That is routers job.
-
- # needed for wireguard?
-#iifname $wg_iface oifname $pub_iface accept
-#iifname $pub_iface oifname $wg_iface accept
- iifname $wg_iface accept
- oifname $wg_iface accept
 }
 
 chain my_output {
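Review bot: In chain my_forward, `oifname $wg_iface accept` admits any packet from any interface toward wg0 and there is no `ct state` rule in this chain, while the comment two lines above still says the namespace does not forward. Since the intended paths are already spelled out by the commented-out pair just above, I'd replace the two active rules with `iifname $wg_iface oifname $pub_iface accept` and `ct state {established, related} accept`, so only tunnel-originated flows and their replies cross ipvl0, and reword the comment to `# Forward only between wg0 and $pub_iface; everything else is dropped.` The masquerade in table nat also needs forwarding enabled inside ns0: net.ipv4.ip_forward is per network namespace and whether a new namespace inherits the host value depends on net.core.devconf_inherit_init_net, so with the host /etc/sysctl.d entry deleted in this commit it should be set explicitly when ns0 is created (ns0.service is not in the diff).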
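Review bot: With `define pub_iface` and `define wg_iface` removed here, any `$pub_iface` or `$wg_iface` reference left in the lines this commit does not touch (old lines 39–51 fall outside every hunk) would make `nft -f` reject the whole file, and because nftables.service would then fail at boot the host would come up without this input policy. Hunks 2–5 remove every reference I can see, so this is probably fine, but a `nft -c -f /etc/nftables.conf` run before enabling the change confirms it. The my_forward chain is now empty under `policy drop`, which finally matches its comment.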
@@ -66,16 +55,3 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
-
-# needed to wireguard NAT masquerade VPN traffic
-# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
-# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
-table inet nat {
- # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
- # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
- chain postrouting {
- type nat hook postrouting priority 100
- policy accept
- oifname $pub_iface masquerade
- }
-}
diff --git a/etc/resolv.conf b/etc/resolv.conf
index 36396629..647b840f 120000..100644
--- a/etc/resolv.conf
+++ b/etc/resolv.conf
@@ -1 +1,3 @@
-/run/systemd/resolve/stub-resolv.conf
\ No newline at end of file
+nameserver ::1
+nameserver 127.0.0.1
+options trust-ad
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
deleted file mode 100644
index b9677c02..00000000
--- a/etc/sysctl.d/99-sysctl.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
-# ka seems has this as default, maybe arch linux cloud-init image has this as default?
-# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
-# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
-# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
diff --git a/etc/systemd/system/dnsmasq-ns0.service b/etc/systemd/system/dnsmasq-ns0.service
new file mode 100644
index 00000000..0f8477cc
--- /dev/null
+++ b/etc/systemd/system/dnsmasq-ns0.service
@@ -0,0 +1,22 @@
+# modified from /usr/lib/systemd/system/dnsmasq.service
+
+[Unit]
+Description=dnsmasq - A lightweight DHCP and caching DNS server
+Documentation=man:dnsmasq(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+After=ns0.service
+
+[Service]
+Type=Simple
+ExecStartPre=/usr/bin/dnsmasq --test
+ExecStart=/usr/bin/dnsmasq -k --user=dnsmasq --pid-file
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+PrivateDevices=true
+ProtectSystem=full
+NetworkNamespacePath=/run/netns/ns0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye
index 07c19548..d7692c8f 100644
--- a/home/xyz/.config/myconf/sye
+++ b/home/xyz/.config/myconf/sye
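Review bot: `options trust-ad` tells glibc to pass the AD bit from 127.0.0.1/::1 straight through to applications, which is only sound if the resolver listening there validates DNSSEC itself; nothing in this commit shows the host dnsmasq configured with `dnssec` and a trust anchor (its dnsmasq.conf is not in the diff). If it is a plain forwarding cache, callers get an "authenticated" signal they cannot rely on, so I'd leave the line out until validation is actually enabled there, and verify rather than assume how dnsmasq treats the upstream AD bit when it is not validating. The switch from the resolved stub symlink to a real file does line up with systemd-resolved being disabled in the unit list later in this commit.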
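Review bot: `After=ns0.service` only orders this unit; it neither pulls the namespace in nor stops dnsmasq when it goes away, so with `NetworkNamespacePath=/run/netns/ns0` the service fails if ns0 is missing and keeps running in a stale namespace if ns0.service is restarted. Adding `Requires=ns0.service` (or `BindsTo=ns0.service` to also stop it with the namespace) next to the After= line expresses the dependency. `Type=Simple` also looks wrong: systemd's value is lowercase `simple`, and I believe the capitalised form is ignored with a parse warning and the default applied, so it works by accident and should read `Type=simple`. Both dnsmasq instances also appear to start from the same default configuration unless this one is given its own `-C` file, which is worth confirming since they serve different namespaces.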
@@ -1,8 +1,11 @@
 UNIT FILE STATE PRESET
+dnsmasq-ns0.service enabled disabled
+dnsmasq.service enabled disabled
 dovecot.service enabled disabled
 getty@.service enabled enabled
 jackett.service enabled disabled
 nftables.service enabled disabled
+ns0.service enabled disabled
 opendkim.service enabled disabled
 opendmarc.service enabled disabled
 postfix.service enabled disabled
@@ -11,7 +14,6 @@ swgp-go.service enabled disabled
 systemd-network-generator.service enabled enabled
 systemd-networkd-wait-online.service enabled enabled
 systemd-networkd.service enabled enabled
-systemd-resolved.service enabled enabled
 systemd-time-wait-sync.service enabled disabled
 systemd-timesyncd.service enabled enabled
 systemd-networkd.socket enabled disabled
@@ -21,4 +23,4 @@ acme.sh.timer enabled disabled
 paccache.timer enabled disabled
 pacman-filesdb-refresh.timer enabled disabled
 
-21 unit files listed.
+23 unit files listed.