diff options
-rw-r--r-- | krebs/3modules/iptables.nix | 8 | ||||
-rw-r--r-- | lass/1systems/green/config.nix | 2 | ||||
-rw-r--r-- | lass/1systems/neoprism/config.nix | 4 | ||||
-rw-r--r-- | lass/1systems/prism/config.nix | 20 | ||||
-rw-r--r-- | lass/2configs/AP.nix | 4 | ||||
-rw-r--r-- | lass/2configs/container-networking.nix | 4 | ||||
-rw-r--r-- | lass/2configs/default.nix | 40 | ||||
-rw-r--r-- | lass/2configs/gg23.nix | 4 | ||||
-rw-r--r-- | lass/2configs/hfos.nix | 24 | ||||
-rw-r--r-- | lass/2configs/libvirt.nix | 4 | ||||
-rw-r--r-- | lass/2configs/wiregrill.nix | 14 | ||||
-rw-r--r-- | lib/types.nix | 16 | ||||
-rw-r--r-- | tv/1systems/xu/config.nix | 1 | ||||
-rw-r--r-- | tv/2configs/autotether.nix | 19 | ||||
-rw-r--r-- | tv/2configs/retiolum.nix | 10 |
15 files changed, 110 insertions, 64 deletions
diff --git a/krebs/3modules/iptables.nix b/krebs/3modules/iptables.nix index 7007090c0..052dad9c6 100644 --- a/krebs/3modules/iptables.nix +++ b/krebs/3modules/iptables.nix @@ -43,10 +43,6 @@ let target = mkOption { type = str; }; - precedence = mkOption { - type = int; - default = 0; - }; v4 = mkOption { type = bool; default = true; @@ -145,13 +141,11 @@ let buildChain = tn: cn: let filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; - sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules; - in #TODO: double check should be unneccessary, refactor! if ts.${tn}.${cn}.rules or null != null then concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] - ++ map (buildRule tn cn) sortedRules + ++ map (buildRule tn cn) filteredRules ) else "" diff --git a/lass/1systems/green/config.nix b/lass/1systems/green/config.nix index 4c98091f1..cd38c3585 100644 --- a/lass/1systems/green/config.nix +++ b/lass/1systems/green/config.nix @@ -57,7 +57,7 @@ with import <stockholm/lib>; ]; krebs.iptables.tables.nat.PREROUTING.rules = [ - { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } + { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; } ]; # workaround for ssh access from yubikey via android diff --git a/lass/1systems/neoprism/config.nix b/lass/1systems/neoprism/config.nix index e4f9d2560..89ad8cfdc 100644 --- a/lass/1systems/neoprism/config.nix +++ b/lass/1systems/neoprism/config.nix @@ -15,8 +15,8 @@ ]; }; # krebs.iptables.tables.filter.FORWARD.rules = [ - # { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } - # { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } + # { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } + # { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } # ]; } ]; diff --git a/lass/1systems/prism/config.nix b/lass/1systems/prism/config.nix index 594a21c02..c2a405759 100644 --- a/lass/1systems/prism/config.nix +++ b/lass/1systems/prism/config.nix @@ -33,9 +33,9 @@ with import <stockholm/lib>; "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" ]; }; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } + { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } ]; } { @@ -227,13 +227,13 @@ with import <stockholm/lib>; imports = [ <stockholm/lass/2configs/wiregrill.nix> ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } - { v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } + krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [ + { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } + { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } @@ -252,7 +252,7 @@ with import <stockholm/lib>; } { krebs.iptables.tables.filter.INPUT.rules = [ - { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} + { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; } ]; } <stockholm/lass/2configs/murmur.nix> diff --git a/lass/2configs/AP.nix b/lass/2configs/AP.nix index dfffbfdf9..e38475381 100644 --- a/lass/2configs/AP.nix +++ b/lass/2configs/AP.nix @@ -68,8 +68,8 @@ in { { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ #TODO find out what this is about? diff --git a/lass/2configs/container-networking.nix b/lass/2configs/container-networking.nix index f04e4342d..0cfe193d9 100644 --- a/lass/2configs/container-networking.nix +++ b/lass/2configs/container-networking.nix @@ -8,8 +8,8 @@ { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [ + { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; } diff --git a/lass/2configs/default.nix b/lass/2configs/default.nix index e649c0dea..3d7188dc6 100644 --- a/lass/2configs/default.nix +++ b/lass/2configs/default.nix @@ -189,28 +189,34 @@ with import <stockholm/lib>; enable = true; tables = { nat.PREROUTING.rules = [ - { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } - { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } - { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } - { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } + { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; } + { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; } + { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; } ]; nat.OUTPUT.rules = [ - { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } + { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; } ]; filter.INPUT.policy = "DROP"; filter.FORWARD.policy = "DROP"; - filter.INPUT.rules = [ - { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} - { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } - { predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } - { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; } - { predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } - { predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } - { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } - { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } - { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } - { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } - { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } + filter.INPUT.rules = mkMerge [ + (mkBefore [ + { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + { predicate = "-p icmp"; target = "ACCEPT"; } + { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; } + { predicate = "-i lo"; target = "ACCEPT"; } + { predicate = "-p tcp --dport 22"; target = "ACCEPT"; } + ]) + (mkOrder 1000 [ + { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; } + { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } + { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } + ]) + (mkAfter [ + { predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; } + { predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; } + { predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; } + ]) ]; }; }; diff --git a/lass/2configs/gg23.nix b/lass/2configs/gg23.nix index 89ccae408..6bcbd7400 100644 --- a/lass/2configs/gg23.nix +++ b/lass/2configs/gg23.nix @@ -56,8 +56,8 @@ with import <stockholm/lib>; { v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; } diff --git a/lass/2configs/hfos.nix b/lass/2configs/hfos.nix index f8dd2f0d2..9dafe086c 100644 --- a/lass/2configs/hfos.nix +++ b/lass/2configs/hfos.nix @@ -18,22 +18,22 @@ with import <stockholm/lib>; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } + krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [ + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } - { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + krebs.iptables.tables.filter.FORWARD.rules = mkBefore [ + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } + { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } ]; - krebs.iptables.tables.nat.OUTPUT.rules = [ - { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } + krebs.iptables.tables.nat.OUTPUT.rules = mkBefore [ + { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } ]; # TODO use bridge interfaces instead of this crap diff --git a/lass/2configs/libvirt.nix b/lass/2configs/libvirt.nix index d391e0d7b..6d07c7a77 100644 --- a/lass/2configs/libvirt.nix +++ b/lass/2configs/libvirt.nix @@ -20,8 +20,8 @@ krebs.iptables.tables.filter.OUTPUT.rules = [ { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; } ]; - krebs.iptables.tables.nat.PREROUTING.rules = [ - { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; } + krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [ + { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; } ]; krebs.iptables.tables.nat.POSTROUTING.rules = [ { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; } diff --git a/lass/2configs/wiregrill.nix b/lass/2configs/wiregrill.nix index ba6358ab7..a27e99ee2 100644 --- a/lass/2configs/wiregrill.nix +++ b/lass/2configs/wiregrill.nix @@ -16,13 +16,13 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) { krebs.iptables.tables.filter.INPUT.rules = [ { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } ]; - krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ - { precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } - { precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } - ]; + krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter (mkBefore [ + { predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } + { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } + { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } + { predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } + { predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } + ]); systemd.network.networks.wiregrill = { matchConfig.Name = "wiregrill"; address = diff --git a/lib/types.nix b/lib/types.nix index 9f278c650..32b4541ae 100644 --- a/lib/types.nix +++ b/lib/types.nix @@ -146,6 +146,14 @@ rec { }.${config._module.args.name} or { default = "${ip4.config.addr}/32"; }); + prefixLength = mkOption ({ + type = uint; + } // { + retiolum.default = 16; + wiregrill.default = 16; + }.${config._module.args.name} or { + default = 32; + }); }; })); default = null; @@ -165,6 +173,14 @@ rec { }.${config._module.args.name} or { default = "${ip6.config.addr}/128"; }); + prefixLength = mkOption ({ + type = uint; + } // { + retiolum.default = 32; + wiregrill.default = 32; + }.${config._module.args.name} or { + default = 128; + }); }; })); default = null; diff --git a/tv/1systems/xu/config.nix b/tv/1systems/xu/config.nix index 6ca62ac0d..b83d01f02 100644 --- a/tv/1systems/xu/config.nix +++ b/tv/1systems/xu/config.nix @@ -4,6 +4,7 @@ with import ./lib; imports = [ <stockholm/tv> + ../../2configs/autotether.nix <stockholm/tv/2configs/hw/x220.nix> <stockholm/tv/2configs/exim-retiolum.nix> <stockholm/tv/2configs/gitconfig.nix> diff --git a/tv/2configs/autotether.nix b/tv/2configs/autotether.nix new file mode 100644 index 000000000..43b5575c8 --- /dev/null +++ b/tv/2configs/autotether.nix @@ -0,0 +1,19 @@ +{ config, pkgs, ... }: let + cfg.serial = "17e064850405"; +in { + systemd.services.usb_tether.serviceConfig = { + SyslogIdentifier = "usb_tether"; + ExecStartPre = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} wait-for-device"; + ExecStart = "${pkgs.android-tools}/bin/adb -s ${cfg.serial} shell svc usb setFunctions rndis"; + }; + services.udev.extraRules = /* sh */ '' + ACTION=="add", SUBSYSTEM=="net", KERNEL=="usb*", NAME="android" + + ACTION=="add", SUBSYSTEM=="usb", ATTR{serial}=="${cfg.serial}", \ + TAG+="systemd", ENV{SYSTEMD_WANTS}="usb_tether.service" + ''; + systemd.network.networks.android = { + matchConfig.Name = "android"; + DHCP = "yes"; + }; +} diff --git a/tv/2configs/retiolum.nix b/tv/2configs/retiolum.nix index de77de381..1b176e0b9 100644 --- a/tv/2configs/retiolum.nix +++ b/tv/2configs/retiolum.nix @@ -11,6 +11,16 @@ with import ./lib; LocalDiscovery = yes ''; tincPackage = pkgs.tinc_pre; + tincUp = lib.mkIf config.systemd.network.enable ""; + }; + systemd.network.networks.retiolum = { + matchConfig.Name = "retiolum"; + address = let + inherit (config.krebs.build.host.nets.retiolum) ip4 ip6; + in [ + "${ip4.addr}/${toString ip4.prefixLength}" + "${ip6.addr}/${toString ip6.prefixLength}" + ]; }; tv.iptables.input-internet-accept-tcp = singleton "tinc"; tv.iptables.input-internet-accept-udp = singleton "tinc"; |