Diffstat (limited to 'etc')
-rw-r--r-- | etc/mimic/ens18.conf | 42 | ||||
l--------- | etc/mimic/ens19.conf | 1 | ||||
l--------- | etc/mimic/ipv6net@ens18.conf | 1 | ||||
-rw-r--r-- | etc/nftables.conf | 12 | ||||
-rw-r--r-- | etc/services | 1 | ||||
l--------- | etc/systemd/system/multi-user.target.wants/mimic@ens18.service | 1 | ||||
l--------- | etc/systemd/system/multi-user.target.wants/mimic@ens19.service | 1 | ||||
l--------- | etc/systemd/system/multi-user.target.wants/mimic@ipv6net.service | 1 | ||||
-rw-r--r-- | etc/systemd/system/phantun_server.service | 14 |
9 files changed, 52 insertions, 22 deletions
diff --git a/etc/mimic/ens18.conf b/etc/mimic/ens18.conf
new file mode 100644
index 00000000..3179d091
--- /dev/null
+++ b/etc/mimic/ens18.conf
@@ -0,0 +1,42 @@
+# This is an example configuration for Mimic. For each interface, you may
+# create <interface>.conf in /etc/mimic and in the following format to
+# pass arguments to Mimic's systemd service (mimic@<interface>.service).
+#
+# Each configuration should be in the format of `key=value`. There might be
+# whitespaces between key, '=' and value, and should be kept in one line. Empty
+# lines and ones that start with '#' are ignored.
+
+# Sets log verbosity. Log level equal to or higher (in number) than log
+# verbosity will be discarded. Both number and string matching log levels are
+# accepted. Number must be greater than or equal to 0. Defaults to info (2).
+#
+# Log levels:
+# 0 - error (cannot be discarded)
+# 1 - warn
+# 2 - info
+# 3 - debug
+# 4 - trace
+#log.verbosity = trace
+
+# Specify link layer type, can be 'eth' (Ethernet) or 'none' (no L2 header,
+# like PPP or TUN). Defaults to 'eth'.
+#link_type = eth
+
+# Force XDP attach mode, either 'skb' or 'native'. Defaults to 'native' if
+# target interface supports it, or 'skb'.
+#xdp_mode = skb
+
+# Use libxdp instead of libbpf to load XDP program. libxdp supports chaining
+# multiple XDP programs on one interface. Mimic loads libxdp dynamically using
+# dlopen. Defaults to false.
+#use_libxdp = false
+
+# Whether to always use maximum window size in TCP packets. Defaults to false.
+#max_window = false
+
+# Specifies which packets should be processed by Mimic. Can be set more
+# than once to allow parallel rules (OR'ed).
+#
+# Filter format follows `(local|remote)=IP:port`. For IPv6, IP addresses
+# need to be surrounded by square brackets. See below for examples.
+filter = local=104.224.159.210:54635
diff --git a/etc/mimic/ens19.conf b/etc/mimic/ens19.conf
new file mode 120000
index 00000000..32c22750
--- /dev/null
+++ b/etc/mimic/ens19.conf
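Review bot: The only active directive, `filter = local=104.224.159.210:54635`, pins the filter to a single IPv4 address, yet ens19.conf and ipv6net@ens18.conf are added as symlinks to this file, so all three mimic instances inherit the ens18 address; on an interface that does not own that address the filter matches nothing and no packets are processed. If the ipv6net interface carries an IPv6 address, the header's own rule applies — the address must be bracketed, as in a second `filter = local=[<ipv6-address-placeholder>]:54635` line — and a per-interface file rather than a symlink would be the safer shape. The header also states that the unit reads `<interface>.conf`, which for mimic@ipv6net.service would presumably be ipv6net.conf rather than ipv6net@ens18.conf; worth confirming that the service actually picks up the file name used here.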
@@ -0,0 +1 @@
+ens18.conf
\ No newline at end of file
diff --git a/etc/mimic/ipv6net@ens18.conf b/etc/mimic/ipv6net@ens18.conf
new file mode 120000
index 00000000..32c22750
--- /dev/null
+++ b/etc/mimic/ipv6net@ens18.conf
@@ -0,0 +1 @@
+ens18.conf
\ No newline at end of file
diff --git a/etc/nftables.conf b/etc/nftables.conf
index ec199ffb..ecac4baa 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -29,9 +29,11 @@ table inet my_table { tcp dport ssh accept tcp dport iperf3 accept udp dport wireguard accept + # mimic is both tcp and udp see perma link: + # https://github.com/hack3ric/mimic/blob/572a2ae5aeaa156afc2d6064a763e842962735bf/docs/getting-started.md#firewall + tcp dport swgp accept udp dport swgp accept tcp dport monerod-p2p accept - tcp dport phantun accept pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited counter comment "count any other traffic"
@@ -47,9 +49,6 @@ table inet my_table { #iifname $pub_iface oifname $wg_iface accept iifname $wg_iface accept oifname $wg_iface accept - # needed for phantun? - iifname pt0 accept - oifname pt0 accept } chain my_output {
@@ -67,15 +66,12 @@ table inet nat { # also vice versa, no need `chain postrouting` if has `chain prerouting` # more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/ chain prerouting { - type nat hook prerouting priority dstnat + type nat hook prerouting priority -100 policy accept # port forwarding from client # https://www.procustodibus.com/blog/2022/09/wireguard-port-forward-from-internet iifname $pub_iface tcp dport monerod-p2p dnat ip to 10.0.0.1:monerod-p2p iifname $pub_iface tcp dport monerod-p2p dnat ip6 to [fdc9:281f:04d7:9ee9::1]:monerod-p2p - # needed for phantun - iifname $pub_iface tcp dport phantun dnat ip to 10.0.2.2 - iifname $pub_iface tcp dport phantun dnat ip6 to fdc9:281f:04d7:9eeb::2 } # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface chain postrouting {
diff --git a/etc/services b/etc/services
index 1b762adf..d571596b 100644
--- a/etc/services
+++ b/etc/services
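Review bot: In the prerouting chain, `priority -100` replaces the symbolic `priority dstnat`, which nft defines as exactly -100, so the ruleset behaves the same but the intent is now hidden behind a magic number; keeping `type nat hook prerouting priority dstnat`, or adding `# dstnat == -100` on that line, would preserve readability. In the first hunk the new `tcp dport swgp accept` admits TCP 54635 from any source in the input chain, which the linked mimic guide calls for, but nothing in the visible rules narrows the source, so a one-line comment stating that the port is intentionally world-reachable would help the next reader tell it apart from an accidental opening. The chains touched by the first two hunks begin outside the hunks.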
@@ -11523,6 +11523,7 @@ inspider 49150/tcp
 monerod-p2p 18080/tcp
 wireguard 49432/udp
 iperf3 53497/tcp
+swgp 54635/tcp
 swgp 54635/udp
 # phantun server listen
 phantun 59083/tcp
diff --git a/etc/systemd/system/multi-user.target.wants/mimic@ens18.service b/etc/systemd/system/multi-user.target.wants/mimic@ens18.service
new file mode 120000
index 00000000..dce9a731
--- /dev/null
+++ b/etc/systemd/system/multi-user.target.wants/mimic@ens18.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/mimic@.service
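Review bot: The hunk leaves `# phantun server listen` and `phantun 59083/tcp` in place even though this commit deletes etc/systemd/system/phantun_server.service and drops every phantun rule from etc/nftables.conf, so /etc/services now documents a listener that no longer exists. Removing those two lines, or rewording the comment to say the port is retired, keeps the file in step with the ruleset that refers to ports by these names. The new `swgp 54635/tcp` entry is consistent with the `tcp dport swgp accept` rule added in the same commit.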
\ No newline at end of file
diff --git a/etc/systemd/system/multi-user.target.wants/mimic@ens19.service b/etc/systemd/system/multi-user.target.wants/mimic@ens19.service
new file mode 120000
index 00000000..dce9a731
--- /dev/null
+++ b/etc/systemd/system/multi-user.target.wants/mimic@ens19.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/mimic@.service
\ No newline at end of file
diff --git a/etc/systemd/system/multi-user.target.wants/mimic@ipv6net.service b/etc/systemd/system/multi-user.target.wants/mimic@ipv6net.service
new file mode 120000
index 00000000..dce9a731
--- /dev/null
+++ b/etc/systemd/system/multi-user.target.wants/mimic@ipv6net.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/mimic@.service
\ No newline at end of file
diff --git a/etc/systemd/system/phantun_server.service b/etc/systemd/system/phantun_server.service
deleted file mode 100644
index 68a57480..00000000
--- a/etc/systemd/system/phantun_server.service
+++ /dev/null
@@ -1,14 +0,0 @@
-[Unit]
-Description=phantun client
-After=network.target
-
-[Service]
-Type=simple
-Environment=RUST_LOG=info
-ExecStart=/usr/bin/phantun_server --local 59083 --remote [::1]:54635 --tun-local 10.0.2.1 --tun-peer 10.0.2.2 --tun-local6 fdc9:281f:04d7:9eeb::1 --tun-peer6 fdc9:281f:04d7:9eeb::2 --tun pt0
-#ExecStart=/usr/bin/env RUST_LOG=info /usr/bin/phantun_server --local 59083 --remote [::1]:54635 --tun-local 10.0.2.1 --tun-peer 10.0.2.2 --tun-local6 fdc9:281f:04d7:9eeb::1 --tun-peer6 fdc9:281f:04d7:9eeb::2 --tun pt0
-Restart=always
-
-[Install]
-WantedBy=multi-user.target
-