nixos-module/container/upstream: do SNAT for forwarded ports
parent
3be7beaf27
commit
fd4c8ad65b
|
@ -14,7 +14,7 @@ let
|
|||
)
|
||||
else null;
|
||||
|
||||
enabled = (firstUpstreamInterface != null);
|
||||
enabled = firstUpstreamInterface != null;
|
||||
in
|
||||
{
|
||||
systemd.network.networks = {
|
||||
|
@ -56,9 +56,9 @@ in
|
|||
enable = true;
|
||||
internalInterfaces = [ "core" ];
|
||||
externalInterface = firstUpstreamInterface;
|
||||
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
||||
# our static prefixes
|
||||
extraCommands =
|
||||
# Provide IPv6 upstream for everyone, using NAT66 when not from
|
||||
# our static prefixes
|
||||
builtins.concatStringsSep "\n" (
|
||||
map (net: ''
|
||||
ip6tables -t nat -N ${net}_nat || \
|
||||
|
@ -76,6 +76,32 @@ in
|
|||
-o ${net} \
|
||||
-j ${net}_nat
|
||||
'') (builtins.attrNames upstreamInterfaces)
|
||||
) +
|
||||
# Do SNAT on connection attempts so that the actual return path
|
||||
# won't matter. Forwarded ports will work from internal networks
|
||||
# and on services that have Internet through another upstream routers.
|
||||
builtins.concatStringsSep "\n" (
|
||||
map ({ proto, destination, sourcePort, ... }:
|
||||
let
|
||||
ds = builtins.split ":" destination;
|
||||
ds' =
|
||||
if builtins.length ds == 3
|
||||
then {
|
||||
dest = lib.elemAt ds 0;
|
||||
port = lib.elemAt ds 2;
|
||||
}
|
||||
else if builtins.length ds == 1
|
||||
then {
|
||||
dest = lib.elemAt ds 0;
|
||||
port = toString sourcePort;
|
||||
}
|
||||
else throw "Too many colons in a forwardPorts destination";
|
||||
inherit (ds') dest port;
|
||||
in ''
|
||||
iptables -t nat -A nixos-nat-post \
|
||||
-p ${proto} --dest ${dest} --dport ${port} \
|
||||
-j SNAT --to-source ${config.site.net.core.hosts4.${hostName}}
|
||||
'') hostConf.forwardPorts
|
||||
);
|
||||
extraStopCommands =
|
||||
builtins.concatStringsSep "\n" (
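Review bot: The SNAT rule added at `iptables -t nat -A nixos-nat-post` matches on destination address and port only, so it also rewrites connections that internal hosts open directly to the service's own address, not just those that arrived through the port forward; the service then sees `${config.site.net.core.hosts4.${hostName}}` as the peer for all of them and loses the real client address for its logs and any source-based access control. Restricting the rule to connections that were actually DNATed keeps the stated goal (a predictable return path for forwarded ports, including hairpin traffic from internal networks) while leaving direct internal traffic untouched: `-p ${proto} --dest ${dest} --dport ${port} -m conntrack --ctstate DNAT \`. The `builtins.split ":" destination` parsing hands the destination's port part to `--dport` verbatim, so if `hostConf.forwardPorts` follows the NixOS `networking.nat.forwardPorts` convention of allowing a `host:start-end` range, that value would need translating to iptables' `start:end` form or rejecting rather than being passed through; the option's type is not visible in this hunk. The attribute set containing `extraCommands` continues past the end of the hunk.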
|
||||
|
|