cleanup network config
@@ -29,6 +29,8 @@
|
|||||||
|
|
||||||
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
|
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
|
||||||
|
|
||||||
|
boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true;
|
||||||
|
|
||||||
swapDevices =
|
swapDevices =
|
||||||
[ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; }
|
[ { device = "/dev/disk/by-uuid/7e34cdc3-bd48-435a-8ea2-e1fe43926262"; }
|
||||||
];
|
];
|
||||||
|
|||||||
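Review bot: `boot.kernel.sysctl."net.ipv4.conf.all.forwarding" = true` enables routing on every interface of the host, and nothing in this hunk constrains what is forwarded; it is only safe when a forward-chain filter with a drop policy is actually loaded, which lives in a separate file of this commit and is coupled to this line. If this file is the one produced by nixos-generate-config (it looks like it, given `availableKernelModules` and `swapDevices`), the sysctl will silently disappear on the next regeneration; keeping it next to the nftables ruleset avoids that. A comment above it such as `# route between enp4s0 and the incus bridges; forwarded traffic is filtered by the nftables forward chain` would record why it is on. The enclosing attribute set begins before and ends after this hunk.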
@@ -5,42 +5,33 @@
|
|||||||
hostName = "Stormwind";
|
hostName = "Stormwind";
|
||||||
networkmanager.enable = false;
|
networkmanager.enable = false;
|
||||||
|
|
||||||
nftables = {
|
|
||||||
enable = true;
|
|
||||||
ruleset = ''
|
|
||||||
table ip nat {
|
|
||||||
chain PREROUTING {
|
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
|
||||||
iifname "enp4s0" tcp dport 8123 dnat to 10.46.32.153:8123
|
|
||||||
iifname "enp4s0" tcp dport 80 dnat to 10.46.32.2:80
|
|
||||||
iifname "enp4s0" tcp dport 443 dnat to 10.46.32.2:443
|
|
||||||
iifname "enp4s0" tcp dport 20 dnat to 10.46.32.2:20
|
|
||||||
iifname "enp4s0" tcp dport 21 dnat to 10.46.32.2:21
|
|
||||||
iifname "enp4s0" tcp dport 22 dnat to 10.46.32.2:22
|
|
||||||
iifname "enp4s0" tcp dport 2223 dnat to 10.46.32.2:2223
|
|
||||||
iifname "enp4s0" tcp dport 990 dnat to 10.46.32.2:990
|
|
||||||
iifname "enp4s0" tcp dport 989 dnat to 10.46.32.2:989
|
|
||||||
iifname "enp4s0" tcp dport 445 dnat to 10.46.32.2:445
|
|
||||||
iifname "enp4s0" tcp dport 111 dnat to 10.46.32.2:111
|
|
||||||
iifname "enp4s0" udp dport 111 dnat to 10.46.32.2:111
|
|
||||||
iifname "enp4s0" tcp dport 2049 dnat to 10.46.32.2:2049
|
|
||||||
iifname "enp4s0" udp dport 2049 dnat to 10.46.32.2:2049
|
|
||||||
iifname "enp4s0" tcp dport 32765 dnat to 10.46.32.2:32765
|
|
||||||
iifname "enp4s0" udp dport 32765 dnat to 10.46.32.2:32765
|
|
||||||
iifname "enp4s0" tcp dport 32768 dnat to 10.46.32.2:32768
|
|
||||||
iifname "enp4s0" udp dport 32768 dnat to 10.46.32.2:32768
|
|
||||||
iifname "enp4s0" tcp dport 20048 dnat to 10.46.32.2:20048
|
|
||||||
iifname "enp4s0" udp dport 20048 dnat to 10.46.32.2:20048
|
|
||||||
}
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
|
|
||||||
firewall = {
|
firewall = {
|
||||||
allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
|
allowedTCPPorts = [ 80 443 8123 20 21 22 2223 990 989 445 111 2049 32765 32768 20048 ];
|
||||||
allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
|
allowedUDPPorts = [ 111 2049 20048 32765 32768 ];
|
||||||
|
trustedInterfaces = [ "incusbr0" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# here’s the custom nftables filter ruleset for forwarded traffic:
|
||||||
|
nftables.ruleset = ''
|
||||||
|
table ip filter {
|
||||||
|
chain forward {
|
||||||
|
type filter hook forward priority 0; policy drop;
|
||||||
|
# allow established/related replies
|
||||||
|
ct state established,related accept
|
||||||
|
|
||||||
|
# allow new+established VM→Internet
|
||||||
|
iifname "incusbr0" oifname "enp4s0" ct state new,established accept
|
||||||
|
iifname "incusbr1" oifname "enp4s0" ct state new,established accept
|
||||||
|
|
||||||
|
# allow natted replies
|
||||||
|
iifname "enp4s0" oifname "incusbr0" tcp dport 8123 ct state new,established accept
|
||||||
|
iifname "enp4s0" oifname "incusbr0" tcp dport 80 ct state new,established accept
|
||||||
|
iifname "enp4s0" oifname "incusbr0" tcp dport 443 ct state new,established accept
|
||||||
|
}
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
bridges = {
|
bridges = {
|
||||||
incusbr0 = {
|
incusbr0 = {
|
||||||
interfaces = [];
|
interfaces = [];
|
||||||
|
|||||||
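Review bot: The hunk removes `enable = true` from the old `nftables = { … }` block but re-adds only `nftables.ruleset`, so unless `networking.nftables.enable = true` is set in a file not shown here the new ruleset is never loaded and the forward chain with `policy drop` does not exist while IPv4 forwarding is being switched on; add `nftables.enable = true;` next to `nftables.ruleset`. The three `iifname "enp4s0" oifname "incusbr0" … ct state new,established accept` rules admit new inbound connections rather than replies, and they carry no destination match, so any host on incusbr0 listening on 80, 443 or 8123 is reachable from enp4s0; `ip daddr` matches mirroring the old `dnat to` targets would restore that scope, and the comment should read `# allow new inbound connections to the published services on incusbr0` (the "natted replies" wording is wrong, since `established,related` is already accepted above). `allowedTCPPorts` and `allowedUDPPorts` still open 20, 21, 22, 2223, 989, 990, 445, 111, 2049, 32765, 32768 and 20048 in the host's input chain although the DNAT that used to redirect them to 10.46.32.2 is gone, so unless DNAT is configured elsewhere those ports now terminate on the host itself and the lists should be trimmed to what the host serves. `incusbr1` is accepted in the forward chain but is absent from `trustedInterfaces`, which may be intentional and deserves a one-line comment either way. The enclosing attribute set begins before and ends after this hunk.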