vpn: allow docker to use the network
parent
7d698c6f0d
commit
58cdca84e5
100
system/vpn.nix
100
system/vpn.nix
|
@ -2,30 +2,88 @@
|
||||||
networking.firewall.enable = false;
|
networking.firewall.enable = false;
|
||||||
|
|
||||||
services.mullvad-vpn.enable = true;
|
services.mullvad-vpn.enable = true;
|
||||||
|
|
||||||
networking.nftables = {
|
networking.nftables = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ruleset = ''
|
ruleset =
|
||||||
table inet allowSSH {
|
let
|
||||||
chain allowIncoming {
|
allowIncomming = port: ''
|
||||||
type filter hook input priority -100; policy accept;
|
table inet allow${toString port} {
|
||||||
tcp dport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
chain allowIncoming {
|
||||||
|
type filter hook input priority -100; policy accept;
|
||||||
|
tcp dport ${toString port} ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
||||||
|
}
|
||||||
|
chain allowOutgoing {
|
||||||
|
type route hook output priority -100; policy accept;
|
||||||
|
tcp sport ${toString port} ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
||||||
|
}
|
||||||
}
|
}
|
||||||
chain allowOutgoing {
|
'';
|
||||||
type route hook output priority -100; policy accept;
|
in
|
||||||
tcp sport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
''
|
||||||
}
|
${allowIncomming 9022}
|
||||||
}
|
${allowIncomming 5000}
|
||||||
|
|
||||||
table inet allowNixServe {
|
######################################
|
||||||
chain allowIncoming {
|
# _ _ #
|
||||||
type filter hook input priority -100; policy accept;
|
# __| | ___ ___| | _____ _ __ #
|
||||||
tcp dport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
# / _` |/ _ \ / __| |/ / _ \ '__| #
|
||||||
}
|
# | (_| | (_) | (__| < __/ | #
|
||||||
chain allowOutgoing {
|
# \__,_|\___/ \___|_|\_\___|_| #
|
||||||
type route hook output priority -100; policy accept;
|
# #
|
||||||
tcp sport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65
|
######################################
|
||||||
}
|
|
||||||
}
|
# This gets sent to the vpn so it's safe
|
||||||
'';
|
|
||||||
|
table ip nat {
|
||||||
|
chain DOCKER {
|
||||||
|
iifname "docker0" counter packets 0 bytes 0 return
|
||||||
|
}
|
||||||
|
|
||||||
|
chain POSTROUTING {
|
||||||
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
|
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
|
||||||
|
}
|
||||||
|
|
||||||
|
chain PREROUTING {
|
||||||
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
|
fib daddr type local counter packets 5 bytes 252 jump DOCKER
|
||||||
|
}
|
||||||
|
|
||||||
|
chain OUTPUT {
|
||||||
|
type nat hook output priority -100; policy accept;
|
||||||
|
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
|
||||||
|
}
|
||||||
|
}
|
||||||
|
table ip filter {
|
||||||
|
chain DOCKER {
|
||||||
|
}
|
||||||
|
|
||||||
|
chain DOCKER-ISOLATION-STAGE-1 {
|
||||||
|
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
|
||||||
|
counter packets 0 bytes 0 return
|
||||||
|
}
|
||||||
|
|
||||||
|
chain DOCKER-ISOLATION-STAGE-2 {
|
||||||
|
oifname "docker0" counter packets 0 bytes 0 drop
|
||||||
|
counter packets 0 bytes 0 return
|
||||||
|
}
|
||||||
|
|
||||||
|
chain FORWARD {
|
||||||
|
type filter hook forward priority filter; policy accept;
|
||||||
|
counter packets 0 bytes 0 jump DOCKER-USER
|
||||||
|
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
|
||||||
|
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
|
||||||
|
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
|
||||||
|
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
|
||||||
|
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
|
||||||
|
}
|
||||||
|
|
||||||
|
chain DOCKER-USER {
|
||||||
|
counter packets 0 bytes 0 return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
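Review bot: The comment `# This gets sent to the vpn so it's safe` on the new side asserts a property this ruleset does not itself enforce: the `FORWARD` chain has `policy accept`, `DOCKER-USER` unconditionally `return`s, and the `POSTROUTING` masquerade matches `oifname != "docker0"`, so traffic from 172.17.0.0/16 is forwarded and NATed out of whatever interface the routing table selects, including a physical one if the tunnel route is absent, and the context line `networking.firewall.enable = false;` leaves no other filter in place. That is only safe if Mullvad's own rules cover the forward path, which this file does not show, so I would reword the comment to state the dependency, e.g. `# Container egress is forwarded and NATed unconditionally by these rules; this relies on the VPN's own rules covering the forward hook — verify behaviour with the tunnel down`. The pasted tables also carry snapshot counter state from an `nft list ruleset` dump (`counter packets 5 bytes 252`, `counter packets 0 bytes 0`); in a declarative ruleset these should be plain `counter` so the config does not encode stale runtime numbers. Minor: the helper is spelled `allowIncomming` in its definition and at both call sites. The enclosing module attribute set begins before this hunk.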