Drop nat reflection
We want to preserve the source IP address, especially when using IP allow lists.
parent
d76a1c5d25
commit
a2f7356c53
|
@ -33,254 +33,213 @@ in
|
|||
{ # http
|
||||
destination = servHosts.public-access-proxy;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 80;
|
||||
}
|
||||
{ # https
|
||||
destination = servHosts.public-access-proxy;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 443;
|
||||
}
|
||||
{ # gemini
|
||||
destination = "${c3d2-web}:1965";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 1965;
|
||||
}
|
||||
{
|
||||
destination = servHosts.knot;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 53;
|
||||
}
|
||||
{
|
||||
destination = servHosts.knot;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 53;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2325;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2327;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2337;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2338;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2339;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2340;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2342;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 2399;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 24699;
|
||||
}
|
||||
{
|
||||
destination = dn42;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 64699;
|
||||
}
|
||||
# ?
|
||||
{
|
||||
destination = "172.22.99.175:22";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 2224;
|
||||
}
|
||||
{
|
||||
destination = servHosts.gitea;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 22;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 5222;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 5223;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 5269;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 3478;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 3479;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 3478;
|
||||
}
|
||||
{
|
||||
destination = servHosts.jabber;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 3479;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 25;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 465;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 587;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 110;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 143;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 993;
|
||||
}
|
||||
{
|
||||
destination = mailtngbert;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 995;
|
||||
}
|
||||
# poelzi
|
||||
{
|
||||
destination = "172.20.73.162:22";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 2323;
|
||||
}
|
||||
# jan
|
||||
{
|
||||
destination = "172.20.75.3:51820";
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 30057;
|
||||
}
|
||||
# zw-ev RDP
|
||||
{
|
||||
destination = "172.20.75.222:3389";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 45000;
|
||||
}
|
||||
{
|
||||
destination = config.site.net.core.hosts4.vpn-gw;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = config.site.vpn.wireguard.port;
|
||||
}
|
||||
{
|
||||
destination = servHosts.gnunet;
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 2086;
|
||||
}
|
||||
# dresden zone
|
||||
{
|
||||
destination = servHosts.dresden-zone;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 51844;
|
||||
}
|
||||
# data-hoarder
|
||||
{
|
||||
destination = servHosts.data-hoarder;
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 51820;
|
||||
}
|
||||
{
|
||||
destination = "${servHosts.data-hoarder}:22";
|
||||
proto = "tcp";
|
||||
reflect = false;
|
||||
sourcePort = 2269;
|
||||
}
|
||||
# data-hoarder-staging
|
||||
{
|
||||
destination = "${servHosts.staging-data-hoarder}:51820";
|
||||
proto = "udp";
|
||||
reflect = true;
|
||||
sourcePort = 51821;
|
||||
}
|
||||
{
|
||||
destination = "${servHosts.ftp}:22";
|
||||
proto = "tcp";
|
||||
reflect = true;
|
||||
sourcePort = 1022;
|
||||
}
|
||||
# coloRadio
|
||||
|
|
|
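Review bot: The forward of port 2224 to `172.22.99.175:22` is annotated only with `# ?`, so after this commit nobody reading the list can tell who owns that SSH exposure on the public edge or whether it is still needed, while every other attributed entry names a service or owner. Suggest replacing the comment with something like `# <owner>: ssh to <host> — TODO confirm still needed`, or removing the entry if it cannot be attributed. The enclosing `forwardPorts` list starts before the hunk, so I cannot see whether an earlier comment covers it.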
@ -380,20 +380,6 @@ let
|
|||
destination = mkOption {
|
||||
type = types.str;
|
||||
};
|
||||
reflect = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = ''
|
||||
Enable NAT reflection
|
||||
|
||||
Any forwarded connection will have our static IPv4
|
||||
address as source so that forwarded services become
|
||||
available internally.
|
||||
|
||||
Unfortunately, this breaks identification by IPv4
|
||||
adress.
|
||||
'';
|
||||
};
|
||||
}; });
|
||||
default = [];
|
||||
};
|
||||
|
|
|
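Review bot: Deleting the `reflect` option also deletes the only text documenting the behaviour this commit changes: the removed description stated that forwarded services became reachable internally via the static IPv4 address, and nothing left on the `forwardPorts` option says that this is no longer the case. Suggest adding to the description of `forwardPorts` (the enclosing option starts before the hunk) a sentence along the lines of `Forwarded connections keep their original source address; forwarded services are not reachable from inside the network via the public IPv4 address, use the internal address instead.` Any host configuration outside this diff that still sets `reflect` will now presumably fail evaluation with an undefined-option error rather than silently changing behaviour, which is the safer failure mode but worth stating in the commit message.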
@ -138,17 +138,12 @@ in
|
|||
ip6tables -t nat -F POSTROUTING 2>/dev/null || true
|
||||
'';
|
||||
|
||||
forwardPorts = map ({ destination, sourcePort, reflect, ... }@forwardedPort:
|
||||
removeAttrs forwardedPort ["reflect"] // {
|
||||
forwardPorts = map ({ destination, sourcePort, ... }@forwardedPort:
|
||||
forwardedPort // {
|
||||
destination =
|
||||
if builtins.match ".*:.*" destination != null
|
||||
then destination
|
||||
else "${destination}:${toString sourcePort}";
|
||||
loopbackIPs =
|
||||
if reflect
|
||||
then [ config.site.net.core.hosts4.${hostName} ]
|
||||
else [];
|
||||
}
|
||||
) hostConf.forwardPorts;
|
||||
}) hostConf.forwardPorts;
|
||||
};
|
||||
}
|
||||
|
|
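Review bot: With `loopbackIPs` no longer set, forwarded connections reach the destination hosts with the real client address, so any IP allow list on those services that was widened to include the router's static IPv4 (to admit the previously reflected traffic) is now likely over-broad and should be tightened in the same change, otherwise that entry keeps admitting traffic that never needed it. The new `forwardedPort // { … }` also passes every remaining attribute of an entry straight through to the NAT module (presumably `networking.nat.forwardPorts`), which is fine as long as the submodule type in the options file stays the only place that defines the allowed keys. A short comment above the `map`, e.g. `# No NAT reflection: forwarded traffic keeps its original source IP so destination allow lists see the real client.`, would record why the source address is preserved here.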