From 58cdca84e59627527decab05f4695965a1c41cca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?=
Date: Sat, 11 Mar 2023 18:44:22 -0300
Subject: [PATCH] vpn: allow docker to use the network
---
 system/vpn.nix | 100 ++++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 79 insertions(+), 21 deletions(-)
diff --git a/system/vpn.nix b/system/vpn.nix
index daaa18a..2762693 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -2,30 +2,88 @@ networking.firewall.enable = false; services.mullvad-vpn.enable = true; + networking.nftables = { enable = true; - ruleset = '' - table inet allowSSH { - chain allowIncoming { - type filter hook input priority -100; policy accept; - tcp dport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65 + ruleset = + let + allowIncomming = port: '' + table inet allow${toString port} { + chain allowIncoming { + type filter hook input priority -100; policy accept; + tcp dport ${toString port} ct mark set 0x00000f41 meta mark set 0x6d6f6c65 + } + chain allowOutgoing { + type route hook output priority -100; policy accept; + tcp sport ${toString port} ct mark set 0x00000f41 meta mark set 0x6d6f6c65 + } } - chain allowOutgoing { - type route hook output priority -100; policy accept; - tcp sport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65 - } - } + ''; + in + '' + ${allowIncomming 9022} + ${allowIncomming 5000} - table inet allowNixServe { - chain allowIncoming { - type filter hook input priority -100; policy accept; - tcp dport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65 - } - chain allowOutgoing { - type route hook output priority -100; policy accept; - tcp sport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65 - } - } - ''; + ###################################### + # _ _ # + # __| | ___ ___| | _____ _ __ # + # / _` |/ _ \ / __| |/ / _ \ '__| # + # | (_| | (_) | (__| < __/ | # + # \__,_|\___/ \___|_|\_\___|_| # + # # + ###################################### + + # This gets sent to the vpn so it's safe + + table ip nat { + chain DOCKER { + iifname "docker0" counter packets 0 bytes 0 return + } + + chain POSTROUTING { + type nat hook postrouting priority srcnat; policy accept; + oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade + } + + chain PREROUTING { + type nat hook prerouting priority dstnat; policy accept; + fib daddr type local counter packets 5 bytes 252 jump DOCKER + } + + chain OUTPUT { + type nat 
hook output priority -100; policy accept; + ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER + } + } + table ip filter { + chain DOCKER { + } + + chain DOCKER-ISOLATION-STAGE-1 { + iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2 + counter packets 0 bytes 0 return + } + + chain DOCKER-ISOLATION-STAGE-2 { + oifname "docker0" counter packets 0 bytes 0 drop + counter packets 0 bytes 0 return + } + + chain FORWARD { + type filter hook forward priority filter; policy accept; + counter packets 0 bytes 0 jump DOCKER-USER + counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1 + oifname "docker0" ct state related,established counter packets 0 bytes 0 accept + oifname "docker0" counter packets 0 bytes 0 jump DOCKER + iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept + iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept + } + + chain DOCKER-USER { + counter packets 0 bytes 0 return + } + } + + ''; }; }
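Review bot: The new `FORWARD` base chain in `table ip filter` is declared with `policy accept;`, so any forwarded packet that none of the docker0 rules match is let through, and with `networking.firewall.enable = false` nothing else in this file filters it; Docker's own iptables setup defaults FORWARD to DROP, and because every docker0 case is already accepted explicitly, `type filter hook forward priority filter; policy drop;` keeps the visible container paths working while denying other forwarding. The comment `# This gets sent to the vpn so it's safe` describes a property this ruleset does not enforce: the `POSTROUTING` masquerade matches `oifname != "docker0"`, so container egress leaves on whichever interface routing selects, and staying inside the tunnel presumably relies on Mullvad's own nftables rules (its lockdown mode) rather than on anything here, so I would reword it to `# Container egress is not pinned to the tunnel here; it relies on Mullvad's own rules to block traffic outside the VPN.` As a point of style, the `counter packets N bytes N` values (including `packets 5 bytes 252` in `PREROUTING`) are stale snapshot state from an `nft list ruleset` dump and should be plain `counter`, and `allowIncomming` is misspelled and also creates the outgoing chain, so a name such as `bypassVpnForPort` would read better. The attrset enclosing this hunk opens before it.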