From 1867975e6045c5f81b658ac90d26612825c7a484 Mon Sep 17 00:00:00 2001
From: Xiao Pan <gky44px1999@gmail.com>
Date: Mon, 18 Mar 2024 05:12:15 +0000
Subject: ca no qbt

---
 etc/nftables.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'etc/nftables.conf')

diff --git a/etc/nftables.conf b/etc/nftables.conf
index ab16ed11..b0c2c669 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -29,8 +29,8 @@ table inet my_table {
 
 		tcp dport ssh accept
 		#tcp dport qbt-nox accept
-		tcp dport qbt accept
-		udp dport qbt accept
+		#tcp dport qbt accept
+		#udp dport qbt accept
 		#tcp dport iperf3 accept
 		udp dport wireguard accept
 
-- 
cgit v1.2.3-70-g09d2


From 62e23a287b8e5194130ad33570e6849a3fcb9892 Mon Sep 17 00:00:00 2001
From: Xiao Pan <gky44px1999@gmail.com>
Date: Wed, 20 Mar 2024 09:10:33 +0000
Subject: add future maybe enable ports to nft conf

---
 etc/nftables.conf | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'etc/nftables.conf')

diff --git a/etc/nftables.conf b/etc/nftables.conf
index b0c2c669..bd943c12 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -33,6 +33,12 @@ table inet my_table {
 		#udp dport qbt accept
 		#tcp dport iperf3 accept
 		udp dport wireguard accept
+		# email ports
+		#tcp dport smtp accept
+		#udp dport smtp accept
+		# other email ports? seems blocked by crunchbits
+		#tcp dport 465 accept
+		#tcp dport 587 accept
 
 		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 		counter comment "count any other traffic"
-- 
cgit v1.2.3-70-g09d2


From 416a0ca8403db1d0b841b958ad4bc5e93990af5e Mon Sep 17 00:00:00 2001
From: Xiao Pan <gky44px1999@gmail.com>
Date: Fri, 5 Apr 2024 12:02:22 +0000
Subject: Add email server configs

References:
https://github.com/LukeSmithxyz/emailwiz
https://landchad.net/
https://wiki.archlinux.org/title/Postfix
https://wiki.archlinux.org/title/Dovecot
https://wiki.archlinux.org/title/OpenDKIM
https://wiki.archlinux.org/title/OpenDMARC

Maybe useful:
https://doc.dovecot.org/settings/core/#dovecot-core-settings
https://workaround.org
https://kyun.host/docs/guides/email
`man postconf.5`

More necessary commands notes see arch_install.md
---
 etc/dovecot/conf.d/10-mail.conf   |  2 +-
 etc/dovecot/conf.d/10-master.conf | 12 ++++----
 etc/dovecot/conf.d/10-ssl.conf    |  8 +++---
 etc/nftables.conf                 | 16 +++++++----
 etc/opendkim/opendkim.conf        | 14 +++++-----
 etc/opendmarc/opendmarc.conf      |  3 +-
 etc/postfix/main.cf               | 59 +++++++++++++++++++++++++++++++++++++++
 etc/postfix/master.cf             | 37 +++++++++++++-----------
 8 files changed, 110 insertions(+), 41 deletions(-)

(limited to 'etc/nftables.conf')

diff --git a/etc/dovecot/conf.d/10-mail.conf b/etc/dovecot/conf.d/10-mail.conf
index de48f92d..49e70cb9 100644
--- a/etc/dovecot/conf.d/10-mail.conf
+++ b/etc/dovecot/conf.d/10-mail.conf
@@ -27,7 +27,7 @@
 #
 # <doc/wiki/MailLocation.txt>
 #
-#mail_location = 
+mail_location = maildir:~/Mail:INBOX=~/Mail/Inbox:LAYOUT=fs
 
 # If you need to set multiple mailbox locations or want to change default
 # namespace settings, you can do it by defining namespace sections.
diff --git a/etc/dovecot/conf.d/10-master.conf b/etc/dovecot/conf.d/10-master.conf
index 64fa0f2c..fb03c64c 100644
--- a/etc/dovecot/conf.d/10-master.conf
+++ b/etc/dovecot/conf.d/10-master.conf
@@ -100,16 +100,18 @@ service auth {
   # To give the caller full permissions to lookup all users, set the mode to
   # something else than 0666 and Dovecot lets the kernel enforce the
   # permissions (e.g. 0777 allows everyone full permissions).
-  unix_listener auth-userdb {
+  #unix_listener auth-userdb {
     #mode = 0666
     #user = 
     #group = 
-  }
+  #}
 
   # Postfix smtp-auth
-  #unix_listener /var/spool/postfix/private/auth {
-  #  mode = 0666
-  #}
+  unix_listener /var/spool/postfix/private/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
 
   # Auth process is run as this user.
   #user = $default_internal_user
diff --git a/etc/dovecot/conf.d/10-ssl.conf b/etc/dovecot/conf.d/10-ssl.conf
index ad847664..b9c2263e 100644
--- a/etc/dovecot/conf.d/10-ssl.conf
+++ b/etc/dovecot/conf.d/10-ssl.conf
@@ -3,14 +3,14 @@
 ##
 
 # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
-#ssl = yes
+ssl = required
 
 # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
 # dropping root privileges, so keep the key file unreadable by anyone but
 # root. Included doc/mkcert.sh can be used to easily generate self-signed
 # certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/ssl/certs/dovecot.pem
-ssl_key = </etc/ssl/private/dovecot.pem
+ssl_cert = </etc/postfix/flylightning.pem
+ssl_key = </etc/postfix/flylightning.key
 
 # If key file is password protected, give the password here. Alternatively
 # give it when starting dovecot with -p parameter. Since this file is often
@@ -51,7 +51,7 @@ ssl_key = </etc/ssl/private/dovecot.pem
 # Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
 # Or migrate from old ssl-parameters.dat file with the command dovecot
 # gives on startup when ssl_dh is unset.
-#ssl_dh = </etc/dovecot/dh.pem
+ssl_dh = </etc/dovecot/dh.pem
 
 # Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
 # TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
diff --git a/etc/nftables.conf b/etc/nftables.conf
index bd943c12..c4ca7f45 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -33,12 +33,16 @@ table inet my_table {
 		#udp dport qbt accept
 		#tcp dport iperf3 accept
 		udp dport wireguard accept
-		# email ports
-		#tcp dport smtp accept
-		#udp dport smtp accept
-		# other email ports? seems blocked by crunchbits
-		#tcp dport 465 accept
-		#tcp dport 587 accept
+		# for acme.sh standalone mode builtin webserver to renew ssl cert
+		tcp dport http accept
+		# email related ports
+		tcp dport smtp accept
+		tcp dport pop3 accept
+		tcp dport imap accept
+		tcp dport submissions accept
+		tcp dport submission accept
+		tcp dport imaps accept
+		tcp dport pop3s accept
 
 		pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
 		counter comment "count any other traffic"
diff --git a/etc/opendkim/opendkim.conf b/etc/opendkim/opendkim.conf
index fa3559a3..373c7213 100644
--- a/etc/opendkim/opendkim.conf
+++ b/etc/opendkim/opendkim.conf
@@ -127,7 +127,7 @@
 ##  omitted, "simple" is used.  Valid values for each are "simple" and
 ##  "relaxed".
 
-# Canonicalization	simple/simple
+Canonicalization	relaxed/simple
 
 ##  ClockDrift n
 ##  	default 300
@@ -160,7 +160,7 @@
 ##  Specify for which domain(s) signing should be done.  No default; must
 ##  be specified for signing.
 
-Domain			example.com
+Domain flylightning.xyz
 
 ##  DomainKeysCompat { yes | no }
 ##  	default "no"
@@ -245,7 +245,7 @@ Domain			example.com
 ##  SigningTable and KeyTable are used.  No default; must be specified for 
 ##  signing if SigningTable/KeyTable are not in use.
 
-KeyFile			/var/db/dkim/example.private
+KeyFile /etc/opendkim/mail.private
 
 ##  KeyTable dataset
 ##  	default (none)
@@ -570,7 +570,7 @@ KeyFile			/var/db/dkim/example.private
 ##  The name of the selector to use when signing.  No default; must be
 ##  specified for signing.
 
-Selector		my-selector-name
+Selector mail
 
 ##  SenderHeaders 	dataset
 ##  	default (none)
@@ -658,7 +658,7 @@ Selector		my-selector-name
 ##  inet:port			to listen on all interfaces
 ##  local:/path/to/socket	to listen on a UNIX domain socket
 
-Socket			inet:port@localhost
+Socket local:/run/opendkim/opendkim.sock
 
 ##  SoftwareHeader { yes | no }
 ##  	default "no"
@@ -758,7 +758,7 @@ Syslog			Yes
 ##  The system has its own default which will be used (usually 022).
 ##  See the umask(2) man page for more information.
 
-# UMask			022
+UMask 002
 
 ##  Userid userid
 ##  	default (none)
@@ -766,4 +766,4 @@ Syslog			Yes
 ##  Change to user "userid" before starting normal operation?  May include
 ##  a group ID as well, separated from the userid by a colon.
 
-# UserID		userid
+UserID opendkim
diff --git a/etc/opendmarc/opendmarc.conf b/etc/opendmarc/opendmarc.conf
index 84ea1a83..f8d8120c 100644
--- a/etc/opendmarc/opendmarc.conf
+++ b/etc/opendmarc/opendmarc.conf
@@ -286,7 +286,8 @@ IgnoreAuthenticatedClients true
 ##  address is used, it must be enclosed in square brackets.
 #
 # Socket inet:8893@localhost
-Socket unix:/var/spool/opendmarc/opendmarc.sock
+#Socket unix:/var/spool/opendmarc/opendmarc.sock
+Socket unix:/run/opendmarc/opendmarc.sock
 
 ##  SoftwareHeader { true | false }
 ##  	default "false"
diff --git a/etc/postfix/main.cf b/etc/postfix/main.cf
index 1d93a701..0c36d421 100644
--- a/etc/postfix/main.cf
+++ b/etc/postfix/main.cf
@@ -1,3 +1,62 @@
+# edit configs from:
+# https://wiki.archlinux.org/title/Postfix
+# GPL-3.0-only https://github.com/LukeSmithxyz/emailwiz
+# https://wiki.archlinux.org/title/OpenDMARC
+# https://wiki.archlinux.org/title/OpenDKIM
+# maybe useful things:
+# `man postconf.5`
+# print config: `postconf`
+# default config: `postconf -d`
+myhostname = mail.flylightning.xyz
+
+# fix "relay access denied" error when receiving emails
+# I choose to follow `man postconf.5` instruction to only add $mydomain
+# emailwiz way add a lot more to mydestination, see:
+# https://github.com/LukeSmithxyz/emailwiz/pull/275
+# https://github.com/LukeSmithxyz/emailwiz/issues/265
+mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+
+smtp_tls_security_level = may
+smtpd_tls_security_level = may
+smtpd_use_tls = yes
+smtpd_tls_cert_file = /etc/postfix/flylightning.pem
+smtpd_tls_key_file = /etc/postfix/flylightning.key
+
+# Here we tell Postfix to look to Dovecot for authenticating users/passwords.
+# Dovecot will be putting an authentication socket in /var/spool/postfix/private/auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = private/auth
+
+# NOTE: the trailing slash here, or for any directory name in the home_mailbox
+# command, is necessary as it distinguishes a maildir (which is the actual
+# directory that we want) from a spoolfile (which is what old unix boomers want
+# and no one else).
+home_mailbox = Mail/Inbox/
+
+# https://wiki.archlinux.org/title/OpenDKIM
+non_smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+smtpd_milters = unix:/run/opendkim/opendkim.sock, unix:/run/opendmarc/opendmarc.sock
+
+# more emailwiz configs, maybe useful:
+
+# TLS required for authentication.
+#smtpd_tls_auth_only = yes
+
+# Exclude insecure and obsolete encryption protocols.
+#smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+#smtp_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
+
+# helo, sender, relay and recipient restrictions
+#smtpd_sender_login_maps = pcre:/etc/postfix/login_maps.pcre
+#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_sender_login_mismatch, reject_unknown_reverse_client_hostname, reject_unknown_sender_domain
+#smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, reject_unknown_recipient_domain
+#smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination
+#smtpd_helo_required = yes
+#smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname
+
 # Global Postfix configuration file. This file lists only a subset
 # of all parameters. For the syntax, and for a complete parameter
 # list, see the postconf(5) manual page (command: "man 5 postconf").
diff --git a/etc/postfix/master.cf b/etc/postfix/master.cf
index fd282dd2..7ce6e816 100644
--- a/etc/postfix/master.cf
+++ b/etc/postfix/master.cf
@@ -1,3 +1,6 @@
+# I follow these guides:
+# https://wiki.archlinux.org/title/Postfix#Secure_SMTP_(receiving)
+
 #
 # Postfix master process configuration file.  For details on the format
 # of the file, see the master(5) manual page (command: "man 5 master" or
@@ -16,13 +19,13 @@ smtp      inet  n       -       n       -       -       smtpd
 #tlsproxy  unix  -       -       n       -       0       tlsproxy
 # Choose one: enable submission for loopback clients only, or for any client.
 #127.0.0.1:submission inet n -   n       -       -       smtpd
-#submission inet n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submission
-#  -o smtpd_tls_security_level=encrypt
-#  -o smtpd_sasl_auth_enable=yes
-#  -o smtpd_tls_auth_only=yes
+submission inet n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submission
+  -o smtpd_tls_security_level=encrypt
+  -o smtpd_sasl_auth_enable=yes
+  -o smtpd_tls_auth_only=yes
 #  -o local_header_rewrite_clients=static:all
-#  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_reject_unlisted_recipient=no
 #     Instead of specifying complex smtpd_<xxx>_restrictions here,
 #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
 #     here, and specify mua_<xxx>_restrictions in main.cf (where
@@ -30,17 +33,17 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=
 #  -o smtpd_helo_restrictions=
 #  -o smtpd_sender_restrictions=
-#  -o smtpd_relay_restrictions=
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
+  -o smtpd_relay_restrictions=
+  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
 # Choose one: enable submissions for loopback clients only, or for any client.
 #127.0.0.1:submissions inet n  -       n       -       -       smtpd
-#submissions     inet  n       -       n       -       -       smtpd
-#  -o syslog_name=postfix/submissions
-#  -o smtpd_tls_wrappermode=yes
-#  -o smtpd_sasl_auth_enable=yes
+submissions     inet  n       -       n       -       -       smtpd
+  -o syslog_name=postfix/submissions
+  -o smtpd_tls_wrappermode=yes
+  -o smtpd_sasl_auth_enable=yes
 #  -o local_header_rewrite_clients=static:all
-#  -o smtpd_reject_unlisted_recipient=no
+  -o smtpd_reject_unlisted_recipient=no
 #     Instead of specifying complex smtpd_<xxx>_restrictions here,
 #     specify "smtpd_<xxx>_restrictions=$mua_<xxx>_restrictions"
 #     here, and specify mua_<xxx>_restrictions in main.cf (where
@@ -48,9 +51,9 @@ smtp      inet  n       -       n       -       -       smtpd
 #  -o smtpd_client_restrictions=
 #  -o smtpd_helo_restrictions=
 #  -o smtpd_sender_restrictions=
-#  -o smtpd_relay_restrictions=
-#  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
-#  -o milter_macro_daemon_name=ORIGINATING
+  -o smtpd_relay_restrictions=
+  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
+  -o milter_macro_daemon_name=ORIGINATING
 #628       inet  n       -       n       -       -       qmqpd
 pickup    unix  n       -       n       60      1       pickup
 cleanup   unix  n       -       n       -       0       cleanup
-- 
cgit v1.2.3-70-g09d2


From 1e20d2372ee99457c1efc609914015657b71f4ed Mon Sep 17 00:00:00 2001
From: Xiao Pan <gky44px1999@gmail.com>
Date: Tue, 9 Apr 2024 01:10:31 -0700
Subject: swith to new ca server; wireguard no need

---
 etc/nftables.conf                                  | 30 ++--------------------
 etc/services                                       |  1 -
 etc/sysctl.d/99-sysctl.conf                        |  7 -----
 .../multi-user.target.wants/wg-quick@wg0.service   |  1 -
 home/xyz/.config/myconf/pacman_Qqne                |  1 -
 5 files changed, 2 insertions(+), 38 deletions(-)
 delete mode 100644 etc/sysctl.d/99-sysctl.conf
 delete mode 120000 etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service

(limited to 'etc/nftables.conf')

diff --git a/etc/nftables.conf b/etc/nftables.conf
index c4ca7f45..22e38dfe 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -3,17 +3,11 @@
 # IPv4/IPv6 Simple & Safe firewall ruleset.
 # More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
 
-# references, some codes from:
-# https://wiki.archlinux.org/title/Nftables
-# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
-# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
+# some codes from https://wiki.archlinux.org/title/Nftables
 
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
 
-define pub_iface = "eth0"
-define wg_iface = "wg0"
-
 table inet my_table {
 
 	chain my_input {
@@ -23,7 +17,6 @@ table inet my_table {
 		ct state invalid drop comment "early drop of invalid connections"
 		ct state {established, related} accept comment "allow tracked connections"
 		iifname lo accept comment "allow from loopback"
-		iifname $wg_iface accept comment "allow from wireguard"
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
 
@@ -32,7 +25,7 @@ table inet my_table {
 		#tcp dport qbt accept
 		#udp dport qbt accept
 		#tcp dport iperf3 accept
-		udp dport wireguard accept
+		#udp dport wireguard accept
 		# for acme.sh standalone mode builtin webserver to renew ssl cert
 		tcp dport http accept
 		# email related ports
@@ -52,12 +45,6 @@ table inet my_table {
 		type filter hook forward priority filter
 		policy drop
 		# Drop everything forwarded to us. We do not forward. That is routers job.
-
-		# needed for wireguard?
-		#iifname $wg_iface oifname $pub_iface accept
-		#iifname $pub_iface oifname $wg_iface accept
-		iifname $wg_iface accept
-		oifname $wg_iface accept
 	}
 
 	chain my_output {
@@ -66,16 +53,3 @@ table inet my_table {
 		# Accept every outbound connection
 	}
 }
-
-# needed to wireguard NAT masquerade VPN traffic
-# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
-# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
-table inet nat {
-	# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
-	# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
-	chain postrouting {
-		type nat hook postrouting priority 100
-		policy accept
-		oifname $pub_iface masquerade
-	}
-}
diff --git a/etc/services b/etc/services
index b1b9f5bc..500c6ac7 100644
--- a/etc/services
+++ b/etc/services
@@ -11507,7 +11507,6 @@ nusrp           49001/tcp
 nusdp-disc      49001/udp
 inspider        49150/tcp
 # my services
-wireguard       49432/udp
 # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
 ssh-isp         49812/tcp
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
deleted file mode 100644
index b9677c02..00000000
--- a/etc/sysctl.d/99-sysctl.conf
+++ /dev/null
@@ -1,7 +0,0 @@
-# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
-# ka seems has this as default, maybe arch linux cloud-init image has this as default?
-# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
-# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
-# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
-net.ipv4.ip_forward = 1
-net.ipv6.conf.all.forwarding = 1
diff --git a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
deleted file mode 120000
index 0a92cb9a..00000000
--- a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
+++ /dev/null
@@ -1 +0,0 @@
-/usr/lib/systemd/system/wg-quick@.service
\ No newline at end of file
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 912426c0..f60f41bc 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -49,7 +49,6 @@ tree
 unrar-free
 unzip
 vidir2-git
-wireguard-tools
 xdg-user-dirs
 xfsprogs
 zip
-- 
cgit v1.2.3-70-g09d2


From 9c956cfe1ee447fc0968d88516e7c859a601b25a Mon Sep 17 00:00:00 2001
From: Xiao Pan <gky44px1999@gmail.com>
Date: Fri, 28 Jun 2024 00:57:17 +0000
Subject: feat: wg and swgp config, mainly for aa

---
 etc/nftables.conf                                  | 25 +++++++++++++++++++++-
 etc/services                                       |  2 ++
 etc/sysctl.d/99-sysctl.conf                        |  7 ++++++
 etc/systemd/network/10-cloud-init-eth0.network     |  7 ++++++
 .../multi-user.target.wants/wg-quick@wg0.service   |  1 +
 home/xyz/.config/myconf/pacman_Qqme                |  3 ++-
 home/xyz/.config/myconf/pacman_Qqne                |  2 +-
 home/xyz/.config/myconf/sye                        |  3 ++-
 8 files changed, 46 insertions(+), 4 deletions(-)
 create mode 100644 etc/sysctl.d/99-sysctl.conf
 create mode 120000 etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service

(limited to 'etc/nftables.conf')

diff --git a/etc/nftables.conf b/etc/nftables.conf
index 22e38dfe..b824edee 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -8,6 +8,8 @@
 # needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
 flush ruleset
 
+define pub_iface = "eth0"
+define wg_iface = "wg0"
 table inet my_table {
 
 	chain my_input {
@@ -17,6 +19,7 @@ table inet my_table {
 		ct state invalid drop comment "early drop of invalid connections"
 		ct state {established, related} accept comment "allow tracked connections"
 		iifname lo accept comment "allow from loopback"
+		iifname $wg_iface accept comment "allow from wireguard"
 		ip protocol icmp accept
 		meta l4proto ipv6-icmp accept
 
@@ -25,7 +28,8 @@ table inet my_table {
 		#tcp dport qbt accept
 		#udp dport qbt accept
 		#tcp dport iperf3 accept
-		#udp dport wireguard accept
+		udp dport wireguard accept
+		udp dport swgp accept
 		# for acme.sh standalone mode builtin webserver to renew ssl cert
 		tcp dport http accept
 		# email related ports
@@ -45,6 +49,12 @@ table inet my_table {
 		type filter hook forward priority filter
 		policy drop
 		# Drop everything forwarded to us. We do not forward. That is routers job.
+
+		# needed for wireguard?
+		#iifname $wg_iface oifname $pub_iface accept
+		#iifname $pub_iface oifname $wg_iface accept
+		iifname $wg_iface accept
+		oifname $wg_iface accept
 	}
 
 	chain my_output {
@@ -53,3 +63,16 @@ table inet my_table {
 		# Accept every outbound connection
 	}
 }
+
+# needed to wireguard NAT masquerade VPN traffic
+# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
+# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
+table inet nat {
+	# newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+	# for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
+	chain postrouting {
+		type nat hook postrouting priority 100
+		policy accept
+		oifname $pub_iface masquerade
+	}
+}
diff --git a/etc/services b/etc/services
index aa270681..91a89df2 100644
--- a/etc/services
+++ b/etc/services
@@ -11510,5 +11510,7 @@ inspider        49150/tcp
 # my services
 # My ISP verizon block incomming to gateway port 22. So I need to use another port to ssh into my home server.
 # https://www.reddit.com/r/verizon/comments/to1q43/verizon_5g_home_internet_blocking_ssh_service_port/
+wireguard       49432/udp
 ssh-isp         49812/tcp
 iperf3          53497/tcp
+swgp            54635/udp
diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf
new file mode 100644
index 00000000..b9677c02
--- /dev/null
+++ b/etc/sysctl.d/99-sysctl.conf
@@ -0,0 +1,7 @@
+# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites
+# ka seems has this as default, maybe arch linux cloud-init image has this as default?
+# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752
+# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding
+# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522
+net.ipv4.ip_forward = 1
+net.ipv6.conf.all.forwarding = 1
diff --git a/etc/systemd/network/10-cloud-init-eth0.network b/etc/systemd/network/10-cloud-init-eth0.network
index 1bc579b9..7829f528 100644
--- a/etc/systemd/network/10-cloud-init-eth0.network
+++ b/etc/systemd/network/10-cloud-init-eth0.network
@@ -14,7 +14,14 @@ Address=38.175.201.185/22
 Address=2606:a8c0:3::75f/128
 
 [Address]
+# another ipv6 address for aa wireguard+swgp into
+# not sure if it is corret, but it works
+Address=2606:a8c0:3:773::b/64
+
+[Address]
+# the last address seems is the default?
 # ...:1/64 also works, but I use ...:a/64 because crunchbits panel reverse DNS support this address
+# 2024-06-27, ...:1/64 seems doe not work any more, not sure why
 Address=2606:a8c0:3:773::a/64
 # use the following will not need GatewayOnLink=yes in [Route] section, but I'm not sure if it is correct, I'm not sure if those ips could be accessed without gateway, more see https://superuser.com/q/1562380
 #Address=2606:a8c0:3:773::a/48
diff --git a/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
new file mode 120000
index 00000000..0a92cb9a
--- /dev/null
+++ b/etc/systemd/system/multi-user.target.wants/wg-quick@wg0.service
@@ -0,0 +1 @@
+/usr/lib/systemd/system/wg-quick@.service
\ No newline at end of file
diff --git a/home/xyz/.config/myconf/pacman_Qqme b/home/xyz/.config/myconf/pacman_Qqme
index 1ae6f3b5..1ae88691 100644
--- a/home/xyz/.config/myconf/pacman_Qqme
+++ b/home/xyz/.config/myconf/pacman_Qqme
@@ -5,8 +5,9 @@ bash-complete-alias
 dashbinsh
 grub-hook
 htop-vim
-librespeed-cli
+librespeed-cli-bin
 neovim-plug
 paru-bin
 pipdeptree
+swgp-go
 task-spooler
diff --git a/home/xyz/.config/myconf/pacman_Qqne b/home/xyz/.config/myconf/pacman_Qqne
index 21020ae5..c1e1c8bd 100644
--- a/home/xyz/.config/myconf/pacman_Qqne
+++ b/home/xyz/.config/myconf/pacman_Qqne
@@ -54,7 +54,7 @@ unrar-free
 unzip
 vidir2-git
 wget
+wireguard-tools
 xdg-user-dirs
-xfsprogs
 zip
 zoxide
diff --git a/home/xyz/.config/myconf/sye b/home/xyz/.config/myconf/sye
index 8d845498..a47a970f 100644
--- a/home/xyz/.config/myconf/sye
+++ b/home/xyz/.config/myconf/sye
@@ -6,6 +6,7 @@ opendkim.service                     enabled disabled
 opendmarc.service                    enabled disabled
 postfix.service                      enabled disabled
 sshd.service                         enabled disabled
+swgp-go.service                      enabled disabled
 systemd-network-generator.service    enabled enabled
 systemd-networkd-wait-online.service enabled enabled
 systemd-networkd.service             enabled enabled
@@ -19,4 +20,4 @@ acme.sh.timer                        enabled disabled
 paccache.timer                       enabled disabled
 pacman-filesdb-refresh.timer         enabled disabled
 
-19 unit files listed.
+20 unit files listed.
-- 
cgit v1.2.3-70-g09d2