vpn: allow traffic outside vpn

2023-03-30 13:28:05 -03:00 · 2023-03-30 13:28:05 -03:00 · 364980bf63
parent b085e22f80
commit 364980bf63
1 changed files with 61 additions and 68 deletions
--- a/system/vpn.nix
+++ b/system/vpn.nix
@ -5,85 +5,78 @@
  networking.nftables = {
    enable = true;
-    ruleset =
+    ruleset = ''
-      let
+      table inet allowAll {
-        allowIncomming = port: ''
+          chain allowIncoming {
-          table inet allow${toString port} {
+              type filter hook input priority -100; policy accept;
-              chain allowIncoming {
+              tcp dport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
                  type filter hook input priority -100; policy accept;
                  tcp dport ${toString port} ct mark set 0x00000f41 meta mark set 0x6d6f6c65
              }
              chain allowOutgoing {
                  type route hook output priority -100; policy accept;
                  tcp sport ${toString port} ct mark set 0x00000f41 meta mark set 0x6d6f6c65
              }
          }
-        '';
+          chain allowOutgoing {
-      in
+              type route hook output priority -100; policy accept;
-      ''
+              tcp sport 0-10999 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
-        ${allowIncomming 9022}
+          }
-        ${allowIncomming 5000}
+      }
-        ######################################
+      ######################################
-        #       _            _               #
+      #       _            _               #
-        #    __| | ___   ___| | _____ _ __   #
+      #    __| | ___   ___| | _____ _ __   #
-        #   / _` |/ _ \ / __| |/ / _ \ '__|  #
+      #   / _` |/ _ \ / __| |/ / _ \ '__|  #
-        #  | (_| | (_) | (__|   <  __/ |     #
+      #  | (_| | (_) | (__|   <  __/ |     #
-        #   \__,_|\___/ \___|_|\_\___|_|     #
+      #   \__,_|\___/ \___|_|\_\___|_|     #
-        #                                    #
+      #                                    #
-        ######################################
+      ######################################
-        # This gets sent to the vpn so it's safe
+      # This gets sent to the vpn so it's safe
-        table ip nat {
+      table ip nat {
-            chain DOCKER {
+          chain DOCKER {
-                iifname "docker0" counter packets 0 bytes 0 return
+              iifname "docker0" counter packets 0 bytes 0 return
-            }
+          }
-            chain POSTROUTING {
+          chain POSTROUTING {
-                type nat hook postrouting priority srcnat; policy accept;
+              type nat hook postrouting priority srcnat; policy accept;
-                oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
+              oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
-            }
+          }
-            chain PREROUTING {
+          chain PREROUTING {
-                type nat hook prerouting priority dstnat; policy accept;
+              type nat hook prerouting priority dstnat; policy accept;
-                fib daddr type local counter packets 5 bytes 252 jump DOCKER
+              fib daddr type local counter packets 5 bytes 252 jump DOCKER
-            }
+          }
-            chain OUTPUT {
+          chain OUTPUT {
-                type nat hook output priority -100; policy accept;
+              type nat hook output priority -100; policy accept;
-                ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
+              ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
-            }
+          }
-        }
+      }
-        table ip filter {
+      table ip filter {
-            chain DOCKER {
+          chain DOCKER {
-            }
+          }
-            chain DOCKER-ISOLATION-STAGE-1 {
+          chain DOCKER-ISOLATION-STAGE-1 {
-                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
+              iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
-                counter packets 0 bytes 0 return
+              counter packets 0 bytes 0 return
-            }
+          }
-            chain DOCKER-ISOLATION-STAGE-2 {
+          chain DOCKER-ISOLATION-STAGE-2 {
-                oifname "docker0" counter packets 0 bytes 0 drop
+              oifname "docker0" counter packets 0 bytes 0 drop
-                counter packets 0 bytes 0 return
+              counter packets 0 bytes 0 return
-            }
+          }
-            chain FORWARD {
+          chain FORWARD {
-                type filter hook forward priority filter; policy accept;
+              type filter hook forward priority filter; policy accept;
-                counter packets 0 bytes 0 jump DOCKER-USER
+              counter packets 0 bytes 0 jump DOCKER-USER
-                counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
+              counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
-                oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
+              oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
-                oifname "docker0" counter packets 0 bytes 0 jump DOCKER
+              oifname "docker0" counter packets 0 bytes 0 jump DOCKER
-                iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
+              iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
-                iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
+              iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
-            }
+          }
-            chain DOCKER-USER {
+          chain DOCKER-USER {
-                counter packets 0 bytes 0 return
+              counter packets 0 bytes 0 return
-            }
+          }
-        }
+      }
-      '';
+    '';
  };
 }