winzlieb/network
winzlieb
/
network
forked from zentralwerk/network
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

upstream: disable NAT reflection for DNS port forwards

This commit is contained in:
Astro 2021-10-16 23:56:32 +02:00
parent 739d6fefaa
commit 2c3c0fa13c
3 changed files with 25 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
nix/lib/config/legacy.nix
View File

@ -209,11 +209,13 @@ in
destination = config.site.net.serv.hosts4.bind; destination = config.site.net.serv.hosts4.bind;
proto = "tcp"; proto = "tcp";
sourcePort = 53; sourcePort = 53;
reflect = false;
} }
{ {
destination = config.site.net.serv.hosts4.bind; destination = config.site.net.serv.hosts4.bind;
proto = "udp"; proto = "udp";
sourcePort = 53; sourcePort = 53;
reflect = false;
} }
{ {
destination = config.site.net.c3d2.hosts4.dn42; destination = config.site.net.c3d2.hosts4.dn42;

14
nix/lib/config/options.nix
View File

@ -230,6 +230,20 @@ let
destination = mkOption { destination = mkOption {
type = types.str; type = types.str;
}; };
reflect = mkOption {
type = types.bool;
default = true;
description = ''
Enable NAT reflection
Any forwarded connection will have our static IPv4
address as source so that forwarded services become
available internally.
Unfortunately, this breaks identification by IPv4
adress.
'';
};
}; }); }; });
default = []; default = [];
}; };

15
nix/nixos-module/container/upstream.nix
View File

@ -81,17 +81,20 @@ in
ip6tables -t nat -X ${net}_nat 2>/dev/null || true ip6tables -t nat -X ${net}_nat 2>/dev/null || true
'') (builtins.attrNames upstreamInterfaces); '') (builtins.attrNames upstreamInterfaces);
forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort: forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
forwardedPort // { forwardedPort // {
destination = destination =
if builtins.match ".*:.*" destination != null if builtins.match ".*:.*" destination != null
then destination then destination
else "${destination}:${toString sourcePort}"; else "${destination}:${toString sourcePort}";
loopbackIPs = builtins.filter (ip: ip != null) ( loopbackIPs =
map (net: if reflect
upstreamInterfaces.${net}.upstream.staticIpv4Address then builtins.filter (ip: ip != null) (
) (builtins.attrNames upstreamInterfaces) map (net:
); upstreamInterfaces.${net}.upstream.staticIpv4Address
) (builtins.attrNames upstreamInterfaces)
)
else [];
} }
) hostConf.forwardPorts; ) hostConf.forwardPorts;
}; };