vpn: allow docker to use the network

Leonardo Eugênio 2023-03-11 18:44:22 -03:00
parent 7d698c6f0d
commit 58cdca84e5


@ -2,30 +2,88 @@
networking.firewall.enable = false; networking.firewall.enable = false;
services.mullvad-vpn.enable = true; services.mullvad-vpn.enable = true;
networking.nftables = { networking.nftables = {
enable = true; enable = true;
ruleset = '' ruleset =
table inet allowSSH { let
chain allowIncoming { allowIncomming = port: ''
type filter hook input priority -100; policy accept; table inet allow${toString port} {
tcp dport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65 chain allowIncoming {
type filter hook input priority -100; policy accept;
tcp dport ${toString port} ct mark set 0x00000f41 meta mark set 0x6d6f6c65
}
chain allowOutgoing {
type route hook output priority -100; policy accept;
tcp sport ${toString port} ct mark set 0x00000f41 meta mark set 0x6d6f6c65
}
} }
chain allowOutgoing { '';
type route hook output priority -100; policy accept; in
tcp sport 9022 ct mark set 0x00000f41 meta mark set 0x6d6f6c65 ''
} ${allowIncomming 9022}
} ${allowIncomming 5000}
table inet allowNixServe { ######################################
chain allowIncoming { # _ _ #
type filter hook input priority -100; policy accept; # __| | ___ ___| | _____ _ __ #
tcp dport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65 # / _` |/ _ \ / __| |/ / _ \ '__| #
} # | (_| | (_) | (__| < __/ | #
chain allowOutgoing { # \__,_|\___/ \___|_|\_\___|_| #
type route hook output priority -100; policy accept; # #
tcp sport 5000 ct mark set 0x00000f41 meta mark set 0x6d6f6c65 ######################################
}
} # This gets sent to the vpn so it's safe
'';
table ip nat {
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 masquerade
}
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
fib daddr type local counter packets 5 bytes 252 jump DOCKER
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 0 bytes 0 jump DOCKER
}
}
table ip filter {
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
}
'';
}; };
} }
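Review bot: The forward chain copied in at `chain FORWARD { type filter hook forward priority filter; policy accept;` keeps Docker's rule order but inverts Docker's default policy of drop; with an empty `DOCKER` chain and a `DOCKER-USER` chain that only returns, every forwarded packet is accepted, including traffic into docker0 from any non-tunnel interface once forwarding is enabled (which Docker normally turns on). I would change that line to `type filter hook forward priority filter; policy drop;` so only the explicit `iifname "docker0"` and `ct state related,established` rules pass traffic, matching what Docker itself installs. The comment `# This gets sent to the vpn so it's safe` is a claim I cannot confirm from this file: the masquerade rule `oifname != "docker0" ip saddr 172.17.0.0/16 ... masquerade` sends container traffic out whichever interface routing selects, and only Mullvad's own nftables table, not shown here, would keep it off the physical NIC when the tunnel is down, so the comment should state that dependency, e.g. `# Container egress is tunnel-only solely because mullvad's own table drops non-tunnel forwards; verify with the VPN disconnected`. Minor: the `counter packets 5 bytes 252` operands are dumped state from `nft list ruleset` and can be plain `counter`, and `allowIncomming` is misspelled.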