From a03e816d9d49c7f23be39f3cda19e02b37237832 Mon Sep 17 00:00:00 2001 From: Xiao Pan Date: Sun, 29 Dec 2024 10:12:50 +0000 Subject: Better ns0 network namespace configs Enable nft. Use different nft config for ns0. Host open emails port. ns0 open wireguard and qbt ports. ns0 configure wireguard. host not configure wiregurad, so also no need ip forwarding sysctl kernel parameters. ns0 use /etc/netns/ns0/nftables.conf that will bind mount to ns0. Host and ns0 both run dnsmasq for dns cache. ns0 dnsmasq I disable dbus because it will conficts with host dnsmasq dbus. Dnsmasq use dbus for config cahnge? I disable systemd-resolved and switch to dnsmasq because systemd-resolved use dbus for dns query? which is maybe easy for dns leak, e.g., when systemd-resolved is only running on host, ns0 with different /etc/resolv.conf still get dns from host open public ip when run resolvectl query, although drill does not leak. sye add enabled systemd units --- etc/sysctl.d/99-sysctl.conf | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 etc/sysctl.d/99-sysctl.conf (limited to 'etc/sysctl.d/99-sysctl.conf') diff --git a/etc/sysctl.d/99-sysctl.conf b/etc/sysctl.d/99-sysctl.conf deleted file mode 100644 index b9677c02..00000000 --- a/etc/sysctl.d/99-sysctl.conf +++ /dev/null @@ -1,7 +0,0 @@ -# at least `net.ipv4.ip_forward = 1` is needed for wireguard masquerade? to work. Without will result into can't ping ips, can't curl websites, browser can't visit websites -# ka seems has this as default, maybe arch linux cloud-init image has this as default? -# https://forums.rockylinux.org/t/wireguard-masquerade-wont-work/7752 -# https://wiki.archlinux.org/title/Nftables#NAT_with_port_forwarding -# https://github.com/teddysun/across/blob/acef6b00a6ad062c0e99286ea136d1a246def644/wireguard.sh#L514-L522 -net.ipv4.ip_forward = 1 -net.ipv6.conf.all.forwarding = 1 -- cgit v1.2.3-70-g09d2