Drop nat reflection

We want to preserve the source IP address, especially when using IP allow
lists.
This commit is contained in:
Sandro - 2024-04-11 21:52:26 +02:00
parent d76a1c5d25
commit a2f7356c53
Signed by: sandro
GPG Key ID: 3AF5A43A3EECC2E5
3 changed files with 3 additions and 63 deletions


@ -33,254 +33,213 @@ in
{ # http
destination = servHosts.public-access-proxy;
proto = "tcp";
reflect = true;
sourcePort = 80;
}
{ # https
destination = servHosts.public-access-proxy;
proto = "tcp";
reflect = true;
sourcePort = 443;
}
{ # gemini
destination = "${c3d2-web}:1965";
proto = "tcp";
reflect = true;
sourcePort = 1965;
}
{
destination = servHosts.knot;
proto = "tcp";
reflect = true;
sourcePort = 53;
}
{
destination = servHosts.knot;
proto = "udp";
reflect = true;
sourcePort = 53;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2325;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2327;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2337;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2338;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2339;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2340;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2342;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 2399;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 24699;
}
{
destination = dn42;
proto = "udp";
reflect = true;
sourcePort = 64699;
}
# ?
{
destination = "172.22.99.175:22";
proto = "tcp";
reflect = true;
sourcePort = 2224;
}
{
destination = servHosts.gitea;
proto = "tcp";
reflect = true;
sourcePort = 22;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 5222;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 5223;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 5269;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 3478;
}
{
destination = servHosts.jabber;
proto = "tcp";
reflect = true;
sourcePort = 3479;
}
{
destination = servHosts.jabber;
proto = "udp";
reflect = true;
sourcePort = 3478;
}
{
destination = servHosts.jabber;
proto = "udp";
reflect = true;
sourcePort = 3479;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 25;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 465;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 587;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 110;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 143;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 993;
}
{
destination = mailtngbert;
proto = "tcp";
reflect = true;
sourcePort = 995;
}
# poelzi
{
destination = "172.20.73.162:22";
proto = "tcp";
reflect = true;
sourcePort = 2323;
}
# jan
{
destination = "172.20.75.3:51820";
proto = "udp";
reflect = true;
sourcePort = 30057;
}
# zw-ev RDP
{
destination = "172.20.75.222:3389";
proto = "tcp";
reflect = true;
sourcePort = 45000;
}
{
destination = config.site.net.core.hosts4.vpn-gw;
proto = "udp";
reflect = true;
sourcePort = config.site.vpn.wireguard.port;
}
{
destination = servHosts.gnunet;
proto = "tcp";
reflect = true;
sourcePort = 2086;
}
# dresden zone
{
destination = servHosts.dresden-zone;
proto = "udp";
reflect = true;
sourcePort = 51844;
}
# data-hoarder
{
destination = servHosts.data-hoarder;
proto = "udp";
reflect = true;
sourcePort = 51820;
}
{
destination = "${servHosts.data-hoarder}:22";
proto = "tcp";
reflect = false;
sourcePort = 2269;
}
# data-hoarder-staging
{
destination = "${servHosts.staging-data-hoarder}:51820";
proto = "udp";
reflect = true;
sourcePort = 51821;
}
{
destination = "${servHosts.ftp}:22";
proto = "tcp";
reflect = true;
sourcePort = 1022;
}
# coloRadio
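Review bot: Dropping `reflect = true;` from every entry silently changes how these services are reachable from inside the network, and nothing in the list records that: the option text removed in the second file states that reflection made forwarded services available internally via the static IPv4 address, so after this change internal clients presumably have to use the internal destination address (or split-horizon DNS) instead — worth confirming against the actual setup. A short comment at the head of the forwardPorts list would capture the trade-off for the next maintainer, e.g. `# No NAT reflection: backends see the real client address (needed for IP allow lists); reach these services internally via their internal addresses.` Note that the data-hoarder SSH entry at port 2269 already had `reflect = false`, so it is the only entry whose behaviour is unchanged here.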


@ -380,20 +380,6 @@ let
destination = mkOption {
type = types.str;
};
reflect = mkOption {
type = types.bool;
default = true;
description = ''
Enable NAT reflection
Any forwarded connection will have our static IPv4
address as source so that forwarded services become
available internally.
Unfortunately, this breaks identification by IPv4
adress.
'';
};
}; });
default = [];
};


@ -138,17 +138,12 @@ in
ip6tables -t nat -F POSTROUTING 2>/dev/null || true
'';
forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
removeAttrs forwardedPort ["reflect"] // {
forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
forwardedPort // {
destination =
if builtins.match ".*:.*" destination != null
then destination
else "${destination}:${toString sourcePort}";
loopbackIPs =
if reflect
then [ config.site.net.core.hosts4.${hostName} ]
else [];
}
) hostConf.forwardPorts;
}) hostConf.forwardPorts;
};
}
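Review bot: The new `forwardedPort // { destination = ...; }` mapping now passes every attribute of the entry through unchanged, whereas the removed `removeAttrs forwardedPort ["reflect"]` stripped the one attribute that was not a `networking.nat.forwardPorts` field; since the submodule no longer declares `reflect`, a stale `reflect = ...;` in a host config will be rejected at evaluation, which is fine, but the reason the loopback mapping went away is no longer visible in this code. Suggest a comment above the map, e.g. `# Source addresses are deliberately not rewritten (no loopbackIPs): backends must see the original client IP for their allow lists.` The enclosing attribute set that this `forwardPorts` belongs to starts outside the hunk.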