diff --git a/drives.nix b/drives.nix index dc8dd28..0238274 100644 --- a/drives.nix +++ b/drives.nix @@ -6,7 +6,7 @@ # fsType = "nfs"; #}; "/mnt/nethergarde/leonhome" = { - device = "10.46.32.2:/mnt/Nethergarde/Home"; + device = "192.168.0.16:/mnt/Nethergarde/Home"; fsType = "nfs"; }; #"/mnt/nethergarde/bigdata" = { diff --git a/hardware-configuration.nix b/hardware-configuration.nix index a64bf68..47ea804 100644 --- a/hardware-configuration.nix +++ b/hardware-configuration.nix @@ -41,6 +41,9 @@ boot.kernel.sysctl = { "net.ipv4.conf.all.forwarding" = true; + "net.bridge.bridge-nf-call-iptables" = 0; + "net.bridge.bridge-nf-call-ip6tables" = 0; + "net.bridge.bridge-nf-call-arptables" = 0; }; swapDevices = diff --git a/incus.nix b/incus.nix index 1a75979..fc88307 100644 --- a/incus.nix +++ b/incus.nix 
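Review bot: The `/mnt/nethergarde/leonhome` mount now points at the LAN address 192.168.0.16 but still carries no `options`, so the NFS version and auth flavour are whatever client and server negotiate. If the server speaks NFSv4, pinning it with `options = [ "nfsvers=4" "nofail" ];` removes the dependency on the rpcbind/mountd side ports (111, 20048, 32765, 32768) that this same commit stops forwarding in networking.nix, and `nofail` keeps boot from blocking when the NAS is unreachable. A one-line comment recording that the NAS moved off the removed 10.46.32.0/24 network onto the LAN would explain the address change to the next reader.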
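Review bot: The three `net.bridge.bridge-nf-call-*` sysctls only exist once the br_netfilter module is loaded, so unless something else loads it before systemd-sysctl runs, these entries will fail to apply at boot; `boot.kernelModules = [ "br_netfilter" ];` next to them makes the outcome deterministic (if the module is never loaded, bridged frames already bypass netfilter and the lines are moot). Setting them to 0 means frames bridged between ports of the same incus bridge skip the nftables forward hook, so the `crusader_isolation` chain in incus.nix only sees routed traffic such as incusbr1 → incusbr2, which is presumably the intent and deserves a comment here. Minor consistency: the line above uses `true` while the new entries use `0`; `false` would match. If this file is regenerated by nixos-generate-config, as hardware-configuration.nix usually is, these lines are better placed in incus.nix beside the rules that depend on them.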
@@ -3,33 +3,41 @@ { virtualisation.incus.enable = true; networking = { - nftables.enable = true; - firewall = { - trustedInterfaces = [ "incusbr1" "incusbr2" ]; - filterForward = true; + nftables = { + enable = true; + ruleset = '' + table inet crusader_isolation { + chain fwd_pre { + type filter hook forward priority -200; policy accept; - extraForwardRules = '' - # if crusader tries to go to varian or truenas, BLOCK - iifname "incusbr1" oifname "incusbr0" drop - iifname "incusbr1" oifname "incusbr2" ip daddr 192.168.0.0/16 drop + # Crusader-Netz darf NICHT ins LAN + iifname "incusbr1" ip daddr 192.168.0.0/16 drop + } + } ''; + } + firewall = { + trustedInterfaces = [ "incusbr2" ]; + filterForward = false; interfaces = { - incusbr0 = { - allowedTCPPorts = [ 53 67 ]; - allowedUDPPorts = [ 53 67 ]; - }; incusbr1 = { allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 67 68 ]; + allowedUDPPorts = [ + 53 + 67 + 68 + 41641 # Tailscale / WireGuard + ]; }; - incusbr2 = { - allowedTCPPorts = [ 53 ]; - allowedUDPPorts = [ 53 67 68 ]; - }; - }; + }; + }; - + nat = { + enable = true; + externalInterface = "incusbr2"; + internalInterfaces = [ "incusbr1" ]; + internalIPs = [ "10.46.33.0/24" ]; }; }; diff --git a/networking.nix b/networking.nix index 3560a80..1ea3d3b 100644 --- a/networking.nix +++ b/networking.nix 
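Review bot: The `crusader_isolation` forward chain matches `ip daddr 192.168.0.0/16` only, so inside an `inet` table it leaves IPv6 forwarded from incusbr1 untouched, and with `filterForward = false` this table is now the only filter on the forward path; if incusbr2 ever carries IPv6, a crusader VM can reach LAN hosts over it. If the crusader network needs no IPv6 at all, `iifname "incusbr1" meta nfproto ipv6 drop` beside the existing rule closes that gap; otherwise mirror the rule with `ip6 daddr` for the LAN's IPv6 prefix. The drop also has no `ct state` qualifier, so replies from a crusader VM to a LAN-initiated connection are dropped as well — reasonable for isolation, but worth a comment so the next reader knows it is deliberate. The new `41641 # Tailscale / WireGuard` entry opens that UDP port on the host to crusader VMs; a comment saying why VMs must reach it directly would help, and the German `# Crusader-Netz darf NICHT ins LAN` could read `# crusader network must NOT reach the LAN` to match the rest of the file.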
@@ -9,68 +9,11 @@ firewall = { enable = true; - allowedTCPPorts = [ 53 80 443 8123 1883 8883 9001 20 21 50000 50001 50002 50003 50004 50005 22 2222 2223 990 989 445 111 2049 32765 32768 20048 ]; - allowedUDPPorts = [ 53 67 68 111 2049 20048 32765 32768 ]; + allowedTCPPorts = [ 53 2222 ]; + allowedUDPPorts = [ 53 67 68 ]; }; - nftables.ruleset = '' - table ip filter { - chain forward { - type filter hook forward priority 0; policy drop; - # allow established/related replies - ct state established,related accept - - # allow new+established VM→Internet - iifname "incusbr0" oifname "incusbr2" ct state new,established accept - iifname "incusbr1" oifname "incusbr2" ct state new,established accept - - # allow vm to vm communication - iifname "tap*" oifname "tap*" accept - - # allow vm dns - ether saddr 10:66:6a:06:f9:5e udp dport 53 accept - - # allow vms on incusbr2 to go into lan - iifname "incusbr2" accept - - # allow natted replies - iifname "incusbr2" oifname "incusbr0" tcp dport 8123 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 80 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 443 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 1883 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 8883 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 9001 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 20 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 21 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 50000 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 50001 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 50002 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 50003 ct state new,established accept - iifname 
"incusbr2" oifname "incusbr0" tcp dport 50004 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 50005 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 22 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 2223 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 990 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 989 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 445 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 111 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" udp dport 111 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 2049 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" udp dport 2049 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 32765 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" udp dport 32765 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 32768 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" udp dport 32768 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" tcp dport 20048 ct state new,established accept - iifname "incusbr2" oifname "incusbr0" udp dport 20048 ct state new,established accept - } - } - ''; - bridges = { - incusbr0 = { - interfaces = []; - }; incusbr1 = { interfaces = []; }; @@ -80,11 +23,6 @@ }; interfaces = { - incusbr0 = { - ipv4.addresses = [ - { address = "10.46.32.1"; prefixLength = 24; } - ]; - }; incusbr1 = { ipv4.addresses = [ { address = "10.46.33.1"; prefixLength = 24; } 
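Review bot: The trimmed `allowedTCPPorts = [ 53 2222 ]` and `allowedUDPPorts = [ 53 67 68 ]` apply to every interface the firewall does not trust, which after incus.nix trusts only incusbr2 means incusbr1 and any interface added later; incus.nix already grants 53/67/68 on incusbr1 explicitly, so the global DNS/DHCP entries are redundant there and only widen exposure on future interfaces. Trimming to `allowedTCPPorts = [ 2222 ]; # sshd` — if that is what listens on 2222, which the file does not say — and dropping the global UDP list keeps host exposure per-interface. Since incusbr2 is trusted, nothing in this list constrains LAN access to the host, which is worth a comment on the `firewall` block. The enclosing `networking` set continues outside the hunk.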
@@ -102,166 +40,6 @@ address = "192.168.0.1"; interface = "incusbr2"; }; - - nat = { - enable = true; - internalInterfaces = [ "incusbr0" "incusbr1" ]; - externalInterface = "incusbr2"; - forwardPorts = [ - # Web-UI for home-assistant - { - sourcePort = 8123; - proto = "tcp"; - destination = "10.46.32.153:8123"; - } - # Web-UI for nas - { - sourcePort = 80; - proto = "tcp"; - destination = "10.46.32.2:80"; - } - { - sourcePort = 443; - proto = "tcp"; - destination = "10.46.32.2:443"; - } - # MQTT - { - sourcePort = 1883; - proto = "tcp"; - destination = "10.46.32.153:1883"; - } - { - sourcePort = 8883; - proto = "tcp"; - destination = "10.46.32.153:8883"; - } - { - sourcePort = 9001; - proto = "tcp"; - destination = "10.46.32.153:9001"; - } - # FTP - { - sourcePort = 20; - proto = "tcp"; - destination = "10.46.32.2:20"; - } - { - sourcePort = 21; - proto = "tcp"; - destination = "10.46.32.2:21"; - } - # FTP Passive Ports - { - sourcePort = 50000; - proto = "tcp"; - destination = "10.46.32.2:50000"; - } - { - sourcePort = 50001; - proto = "tcp"; - destination = "10.46.32.2:50001"; - } - { - sourcePort = 50002; - proto = "tcp"; - destination = "10.46.32.2:50002"; - } - { - sourcePort = 50003; - proto = "tcp"; - destination = "10.46.32.2:50003"; - } - { - sourcePort = 50004; - proto = "tcp"; - destination = "10.46.32.2:50004"; - } - { - sourcePort = 50005; - proto = "tcp"; - destination = "10.46.32.2:50005"; - } - { - sourcePort = 22; - proto = "tcp"; - destination = "10.46.32.2:22"; - } - { - sourcePort = 2223; - proto = "tcp"; - destination = "10.46.32.2:2223"; - } - { - sourcePort = 990; - proto = "tcp"; - destination = "10.46.32.2:990"; - } - { - sourcePort = 989; - proto = "tcp"; - destination = "10.46.32.2:989"; - } - # SMB - { - sourcePort = 445; - proto = "tcp"; - destination = "10.46.32.2:445"; - } - # NFS - { - sourcePort = 111; - proto = "tcp"; - destination = "10.46.32.2:111"; - } - { - sourcePort = 111; - proto = "udp"; - destination = "10.46.32.2:111"; - 
} - { - sourcePort = 2049; - proto = "tcp"; - destination = "10.46.32.2:2049"; - } - { - sourcePort = 2049; - proto = "udp"; - destination = "10.46.32.2:2049"; - } - { - sourcePort = 32765; - proto = "tcp"; - destination = "10.46.32.2:32765"; - } - { - sourcePort = 32765; - proto = "udp"; - destination = "10.46.32.2:32765"; - } - { - sourcePort = 32768; - proto = "tcp"; - destination = "10.46.32.2:32768"; - } - { - sourcePort = 32768; - proto = "udp"; - destination = "10.46.32.2:32768"; - } - { - sourcePort = 20048; - proto = "tcp"; - destination = "10.46.32.2:20048"; - } - { - sourcePort = 20048; - proto = "udp"; - destination = "10.46.32.2:20048"; - } - ]; - }; }; }