From a03e816d9d49c7f23be39f3cda19e02b37237832 Mon Sep 17 00:00:00 2001
From: Xiao Pan
Date: Sun, 29 Dec 2024 10:12:50 +0000
Subject: Better ns0 network namespace configs Enable nft. Use different nft config for ns0. Host open emails port. ns0 open wireguard and qbt ports. ns0 configure wireguard. host not configure wiregurad, so also no need ip forwarding sysctl kernel parameters. ns0 use /etc/netns/ns0/nftables.conf that will bind mount to ns0. Host and ns0 both run dnsmasq for dns cache. ns0 dnsmasq I disable dbus because it will conficts with host dnsmasq dbus. Dnsmasq use dbus for config cahnge? I disable systemd-resolved and switch to dnsmasq because systemd-resolved use dbus for dns query? which is maybe easy for dns leak, e.g., when systemd-resolved is only running on host, ns0 with different /etc/resolv.conf still get dns from host open public ip when run resolvectl query, although drill does not leak. sye add enabled systemd units
---
 etc/netns/ns0/nftables.conf | 71 ++++++++++++++++++++++++++++++++++
 etc/nftables.conf | 24 ------------
 etc/resolv.conf | 4 +-
 etc/sysctl.d/99-sysctl.conf | 7 ----
 etc/systemd/system/dnsmasq-ns0.service | 22 +++++++++++
 home/xyz/.config/myconf/sye | 6 ++-
 6 files changed, 100 insertions(+), 34 deletions(-)
 create mode 100644 etc/netns/ns0/nftables.conf
 mode change 120000 => 100644 etc/resolv.conf
 delete mode 100644 etc/sysctl.d/99-sysctl.conf
 create mode 100644 etc/systemd/system/dnsmasq-ns0.service
diff --git a/etc/netns/ns0/nftables.conf b/etc/netns/ns0/nftables.conf
new file mode 100644
index 00000000..b0c1237c
--- /dev/null
+++ b/etc/netns/ns0/nftables.conf
@@ -0,0 +1,71 @@
+#!/usr/bin/nft -f
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+# references, some codes from:
+# https://wiki.archlinux.org/title/Nftables
+# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+
+# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
+flush ruleset
+
+define pub_iface = "ipvl0"
+define wg_iface = "wg0"
+table inet my_table {
+
+ chain my_input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ iifname $wg_iface accept comment "allow from wireguard"
+ ip protocol icmp accept
+ meta l4proto ipv6-icmp accept
+
+ #tcp dport ssh accept
+ #tcp dport qbt-nox accept
+ tcp dport qbt accept
+ udp dport qbt accept
+ #tcp dport iperf3 accept
+ udp dport wireguard accept
+ udp dport swgp accept
+
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter comment "count any other traffic"
+ }
+
+ chain my_forward {
+ type filter hook forward priority filter
+ policy drop
+ # Drop everything forwarded to us. We do not forward. That is routers job.
+
+ # needed for wireguard?
+ #iifname $wg_iface oifname $pub_iface accept
+ #iifname $pub_iface oifname $wg_iface accept
+ iifname $wg_iface accept
+ oifname $wg_iface accept
+ }
+
+ chain my_output {
+ type filter hook output priority filter
+ policy accept
+ # Accept every outbound connection
+ }
+}
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+ chain postrouting {
+ type nat hook postrouting priority 100
+ policy accept
+ oifname $pub_iface masquerade
+ }
+}
diff --git a/etc/nftables.conf b/etc/nftables.conf
index da1f2f44..ebf4a082 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -11,8 +11,6 @@
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
-define pub_iface = "eth0"
-define wg_iface = "wg0"
 table inet my_table {
 chain my_input {
@@ -22,7 +20,6 @@ table inet my_table {
 ct state invalid drop comment "early drop of invalid connections"
 ct state {established, related} accept comment "allow tracked connections"
 iifname lo accept comment "allow from loopback"
- iifname $wg_iface accept comment "allow from wireguard"
 ip protocol icmp accept
 meta l4proto ipv6-icmp accept
@@ -31,8 +28,6 @@ table inet my_table {
 tcp dport qbt accept
 udp dport qbt accept
 #tcp dport iperf3 accept
- udp dport wireguard accept
- udp dport swgp accept
 # for acme.sh standalone mode builtin webserver to renew ssl cert
 tcp dport http accept
 # email related ports
@@ -52,12 +47,6 @@ table inet my_table {
 type filter hook forward priority filter
 policy drop
 # Drop everything forwarded to us. We do not forward. That is routers job.
-
- # needed for wireguard?
-#iifname $wg_iface oifname $pub_iface accept
-#iifname $pub_iface oifname $wg_iface accept
- iifname $wg_iface accept
- oifname $wg_iface accept
 }
 chain my_output {
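Review bot: In the new ns0 ruleset the my_forward chain accepts any packet entering from or leaving toward wg0 (`iifname $wg_iface accept` and `oifname $wg_iface accept`) without a conntrack match, so a new flow arriving on ipvl0 that routes toward the WireGuard peers is forwarded to them, and the "We do not forward" comment above those rules no longer describes the chain. The commented-out `iifname $wg_iface oifname $pub_iface accept` is the tighter form: restore it, place `ct state {established, related} accept` and `ct state invalid drop` ahead of it, and remove the bare `oifname $wg_iface accept` unless inbound reachability of the peers is intended. Note also that forwarding and the masquerade in `table inet nat` only take effect with `net.ipv4.ip_forward` enabled inside ns0; the sysctl file that set it is deleted later in this patch and nothing in the diff sets it for the namespace (ns0.service is not shown), so confirm where that happens.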
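Review bot: The hunk at -31,8 +28,6 removes `udp dport swgp accept` from the host input chain while `swgp-go.service` remains enabled in the sye unit list changed later in this patch; if swgp-go still listens on the host rather than inside ns0 (whose new ruleset does accept swgp), the chain's policy drop now silently blocks it. Confirm the service runs in the namespace, or keep the rule on the host until it does. The my_input chain begins outside this hunk.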
@@ -66,16 +55,3 @@ table inet my_table {
 # Accept every outbound connection
 }
 }
-
-# needed to wireguard NAT masquerade VPN traffic
-# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
-# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
-table inet nat {
- # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
- # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
- chain postrouting {
- type nat hook postrouting priority 100
- policy accept
- oifname $pub_iface masquerade
- }
-}
diff --git a/etc/resolv.conf b/etc/resolv.conf
deleted file mode 120000
index 36396629..00000000
--- a/etc/resolv.conf
+++ /dev/null
@@ -1 +0,0 @@
-/run/systemd/resolve/stub-resolv.conf
\ No newline at end of file
diff --git a/etc/resolv.conf b/etc/resolv.conf
new file mode 100644
index 00000000..647b840f
--- /dev/null
+++ b/etc/resolv.conf
@@ -0,0 +1,3 @@
+nameserver ::1
+nameserver 127.0.0.1
+options trust-ad
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
deleted file mode 100644
index b9677c02..00000000
--- a/etc/sysctl.d/99-sysctl.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
-# ka seems has this as default, maybe arch linux cloud-init image has this as default?
-# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
-# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
-# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
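Review bot: The new /etc/resolv.conf adds `options trust-ad`, which makes the libc stub resolver hand the AD bit received from ::1 and 127.0.0.1 to applications as locally validated; that is only sound if the dnsmasq instance listening there validates DNSSEC itself (`dnssec` plus a `trust-anchor` in dnsmasq's configuration, which is not part of this patch) and does not run with `proxy-dnssec`, which copies the bit from upstream servers unchecked. If dnsmasq is a plain cache here, drop the option or record the assumption in the file, e.g. `# trust-ad: dnsmasq on localhost is expected to validate DNSSEC`. The commit message also describes a separate resolv.conf for ns0, but no /etc/netns/ns0/resolv.conf appears in the diff, so the namespace's resolver configuration cannot be reviewed here.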
diff --git a/etc/systemd/system/dnsmasq-ns0.service b/etc/systemd/system/dnsmasq-ns0.service
new file mode 100644
index 00000000..0f8477cc
--- /dev/null
+++ b/etc/systemd/system/dnsmasq-ns0.service
@@ -0,0 +1,22 @@
+# modified from /usr/lib/systemd/system/dnsmasq.service
+
+[Unit]
+Description=dnsmasq - A lightweight DHCP and caching DNS server
+Documentation=man:dnsmasq(8)
+After=network.target
+Before=network-online.target nss-lookup.target
+Wants=nss-lookup.target
+After=ns0.service
+
+[Service]
+Type=Simple
+ExecStartPre=/usr/bin/dnsmasq --test
+ExecStart=/usr/bin/dnsmasq -k --user=dnsmasq --pid-file
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+PrivateDevices=true
+ProtectSystem=full
+NetworkNamespacePath=/run/netns/ns0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye
index 07c19548..d7692c8f 100644
--- a/home/xyz/.config/myconf/sye
+++ b/home/xyz/.config/myconf/sye
@@ -1,8 +1,11 @@
 UNIT FILE STATE PRESET
+dnsmasq-ns0.service enabled disabled
+dnsmasq.service enabled disabled
 dovecot.service enabled disabled
 getty@.service enabled enabled
 jackett.service enabled disabled
 nftables.service enabled disabled
+ns0.service enabled disabled
 opendkim.service enabled disabled
 opendmarc.service enabled disabled
 postfix.service enabled disabled
@@ -11,7 +14,6 @@ swgp-go.service enabled disabled
 systemd-network-generator.service enabled enabled
 systemd-networkd-wait-online.service enabled enabled
 systemd-networkd.service enabled enabled
-systemd-resolved.service enabled enabled
 systemd-time-wait-sync.service enabled disabled
 systemd-timesyncd.service enabled enabled
 systemd-networkd.socket enabled disabled
@@ -21,4 +23,4 @@ acme.sh.timer enabled disabled
 paccache.timer enabled disabled
 pacman-filesdb-refresh.timer enabled disabled
-21 unit files listed.
+23 unit files listed.
-- 
cgit v1.2.3-70-g09d2
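Review bot: `Type=Simple` in the [Service] section of dnsmasq-ns0.service is not a valid service type (the values are lowercase), so systemd logs a parse warning and ignores the line, falling back to a default that only happens to be simple; change it to `Type=simple` as in the unit it was copied from. The unit only orders itself `After=ns0.service` and does not depend on it, so when ns0.service is inactive or has failed the start is still attempted and fails on `NetworkNamespacePath=/run/netns/ns0`; add `BindsTo=ns0.service` (or `Requires=`) so the dependency is explicit and the cache is stopped together with the namespace. Also, `NetworkNamespacePath=` only enters the network namespace and does not perform the /etc/netns/ns0/* bind mounts that `ip netns exec` does, so as written this instance reads the host's /etc/dnsmasq.conf and /etc/resolv.conf unless ns0.service or a drop-in arranges otherwise; a comment in the unit stating which configuration it is expected to load would make that intent checkable.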