krebs.iptables: precedence -> mkOrder

This commit is contained in:
tv 2022-12-30 21:34:05 +01:00
parent 42f604cd1b
commit 2ebbec1f2d
11 changed files with 64 additions and 64 deletions

View File

@ -43,10 +43,6 @@ let
target = mkOption { target = mkOption {
type = str; type = str;
}; };
precedence = mkOption {
type = int;
default = 0;
};
v4 = mkOption { v4 = mkOption {
type = bool; type = bool;
default = true; default = true;
@ -145,13 +141,11 @@ let
buildChain = tn: cn: buildChain = tn: cn:
let let
filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules; filteredRules = filter (r: r."${v}") ts."${tn}"."${cn}".rules;
sortedRules = sort (a: b: a.precedence > b.precedence) filteredRules;
in in
#TODO: double check should be unneccessary, refactor! #TODO: double check should be unneccessary, refactor!
if ts.${tn}.${cn}.rules or null != null then if ts.${tn}.${cn}.rules or null != null then
concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([] concatMapStringsSep "\n" (rule: "\n-A ${cn} ${rule}") ([]
++ map (buildRule tn cn) sortedRules ++ map (buildRule tn cn) filteredRules
) )
else else
"" ""

View File

@ -57,7 +57,7 @@ with import <stockholm/lib>;
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = [
{ predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } { predicate = "-i eth0 -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
]; ];
# workaround for ssh access from yubikey via android # workaround for ssh access from yubikey via android

View File

@ -15,8 +15,8 @@
]; ];
}; };
# krebs.iptables.tables.filter.FORWARD.rules = [ # krebs.iptables.tables.filter.FORWARD.rules = [
# { v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } # { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
# { v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } # { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
# ]; # ];
} }
]; ];

View File

@ -33,9 +33,9 @@ with import <stockholm/lib>;
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC6o6sdTu/CX1LW2Ff5bNDqGEAGwAsjf0iIe5DCdC7YikCct+7x4LTXxY+nDlPMeGcOF88X9/qFwdyh+9E4g0nUAZaeL14Uc14QDqDt/aiKjIXXTepxE/i4JD9YbTqStAnA/HYAExU15yqgUdj2dnHu7OZcGxk0ZR1OY18yclXq7Rq0Fd3pN3lPP1T4QHM9w66r83yJdFV9szvu5ral3/QuxQnCNohTkR6LoJ4Ny2RbMPTRtb+jPbTQYTWUWwV69mB8ot5nRTP4MRM9pu7vnoPF4I2S5DvSnx4C5zdKzsb7zmIvD4AmptZLrXj4UXUf00Xf7Js5W100Ne2yhYyhq+35 riot@lagrange"
]; ];
}; };
krebs.iptables.tables.filter.FORWARD.rules = [ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
{ v6 = false; precedence = 1000; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; } { v6 = false; predicate = "--destination 95.216.1.130"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "--source 95.216.1.130"; target = "ACCEPT"; } { v6 = false; predicate = "--source 95.216.1.130"; target = "ACCEPT"; }
]; ];
} }
{ {
@ -227,13 +227,13 @@ with import <stockholm/lib>;
imports = [ imports = [
<stockholm/lass/2configs/wiregrill.nix> <stockholm/lass/2configs/wiregrill.nix>
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = mkOrder 999 [
{ v6 = false; precedence = 1000; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; } { v6 = false; predicate = "-s 10.244.1.0/24"; target = "ACCEPT"; }
{ v4 = false; precedence = 1000; predicate = "-s 42:1::/32"; target = "ACCEPT"; } { v4 = false; predicate = "-s 42:1::/32"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.filter.FORWARD.rules = [ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
{ precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; } { v4 = false; predicate = "-s 42:1::/32 ! -d 42:1::/48"; target = "MASQUERADE"; }
@ -252,7 +252,7 @@ with import <stockholm/lib>;
} }
{ {
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport 60000:61000"; target = "ACCEPT";} { predicate = "-p udp --dport 60000:61000"; target = "ACCEPT"; }
]; ];
} }
<stockholm/lass/2configs/murmur.nix> <stockholm/lass/2configs/murmur.nix>

View File

@ -68,8 +68,8 @@ in {
{ v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-o br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i br0"; target = "REJECT --reject-with icmp-port-unreachable"; }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
{ v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; precedence = 1000; } { v6 = false; predicate = "-s 10.99.0.0/24"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
#TODO find out what this is about? #TODO find out what this is about?

View File

@ -8,8 +8,8 @@
{ v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-o ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i ve-+"; target = "REJECT --reject-with icmp-port-unreachable"; }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
{ v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; precedence = 1000; } { v6 = false; predicate = "-s 10.233.2.0/24"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 10.233.2.0/24 -d 224.0.0.0/24"; target = "RETURN"; }

View File

@ -189,28 +189,34 @@ with import <stockholm/lib>;
enable = true; enable = true;
tables = { tables = {
nat.PREROUTING.rules = [ nat.PREROUTING.rules = [
{ predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } { predicate = "-i retiolum -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
{ predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; precedence = 101; } { predicate = "-i wiregrill -p tcp -m tcp --dport 22"; target = "ACCEPT"; }
{ predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; precedence = 100; } { predicate = "-p tcp -m tcp --dport 22"; target = "REDIRECT --to-ports 0"; }
{ predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 99; } { predicate = "-p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
]; ];
nat.OUTPUT.rules = [ nat.OUTPUT.rules = [
{ predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; precedence = 100; } { predicate = "-o lo -p tcp -m tcp --dport 45621"; target = "REDIRECT --to-ports 22"; }
]; ];
filter.INPUT.policy = "DROP"; filter.INPUT.policy = "DROP";
filter.FORWARD.policy = "DROP"; filter.FORWARD.policy = "DROP";
filter.INPUT.rules = [ filter.INPUT.rules = mkMerge [
{ predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT";} (mkBefore [
{ predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; precedence = 10001; } { predicate = "-m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
{ predicate = "-p icmp"; target = "ACCEPT"; precedence = 10000; } { predicate = "-p icmp"; target = "ACCEPT"; }
{ predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; precedence = 10000; } { predicate = "-p ipv6-icmp"; target = "ACCEPT"; v4 = false; }
{ predicate = "-i lo"; target = "ACCEPT"; precedence = 9999; } { predicate = "-i lo"; target = "ACCEPT"; }
{ predicate = "-p tcp --dport 22"; target = "ACCEPT"; precedence = 9998; } { predicate = "-p tcp --dport 22"; target = "ACCEPT"; }
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; precedence = -10000; } ])
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; precedence = -10000; } (mkOrder 1000 [
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; precedence = -10000; } { predicate = "-i retiolum -p udp --dport 60000:61000"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; } { predicate = "-i retiolum -p udp -m udp --dport 53"; target = "ACCEPT"; }
{ predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; } { predicate = "-i retiolum -p tcp --dport 19999"; target = "ACCEPT"; }
])
(mkAfter [
{ predicate = "-p tcp -i retiolum"; target = "REJECT --reject-with tcp-reset"; }
{ predicate = "-p udp -i retiolum"; target = "REJECT --reject-with icmp-port-unreachable"; v6 = false; }
{ predicate = "-i retiolum"; target = "REJECT --reject-with icmp-proto-unreachable"; v6 = false; }
])
]; ];
}; };
}; };

View File

@ -56,8 +56,8 @@ with import <stockholm/lib>;
{ v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-o int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
{ v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; } { v6 = false; predicate = "-i int0"; target = "REJECT --reject-with icmp-port-unreachable"; }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
{ v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; precedence = 1000; } { v6 = false; predicate = "-s 10.42.0.0/24"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; } { v6 = false; predicate = "-s 10.42.0.0/24 ! -d 10.42.0.0/24"; target = "MASQUERADE"; }

View File

@ -18,22 +18,22 @@ with import <stockholm/lib>;
} }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = mkBefore [
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 25"; target = "DNAT --to-destination 192.168.122.208:25"; }
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
]; ];
krebs.iptables.tables.filter.FORWARD.rules = [ krebs.iptables.tables.filter.FORWARD.rules = mkBefore [
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
{ v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; } { v6 = false; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.OUTPUT.rules = [ krebs.iptables.tables.nat.OUTPUT.rules = mkBefore [
{ v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; } { v6 = false; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
]; ];
# TODO use bridge interfaces instead of this crap # TODO use bridge interfaces instead of this crap

View File

@ -20,8 +20,8 @@
krebs.iptables.tables.filter.OUTPUT.rules = [ krebs.iptables.tables.filter.OUTPUT.rules = [
{ v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; } { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.PREROUTING.rules = [ krebs.iptables.tables.nat.PREROUTING.rules = lib.mkBefore [
{ v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; precedence = 1000; } { v6 = false; predicate = "-s 192.168.122.0/24"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.nat.POSTROUTING.rules = [ krebs.iptables.tables.nat.POSTROUTING.rules = [
{ v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; } { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }

View File

@ -16,13 +16,13 @@ in mkIf (hasAttr "wiregrill" config.krebs.build.host.nets) {
krebs.iptables.tables.filter.INPUT.rules = [ krebs.iptables.tables.filter.INPUT.rules = [
{ predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; } { predicate = "-p udp --dport ${toString self.wireguard.port}"; target = "ACCEPT"; }
]; ];
krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter [ krebs.iptables.tables.filter.FORWARD.rules = mkIf isRouter (mkBefore [
{ precedence = 1000; predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; } { predicate = "-i wiregrill -o wiregrill"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; } { predicate = "-i wiregrill -o retiolum"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; } { predicate = "-i retiolum -o wiregrill"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; } { predicate = "-i wiregrill -o eth0"; target = "ACCEPT"; }
{ precedence = 1000; predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; } { predicate = "-o wiregrill -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
]; ]);
systemd.network.networks.wiregrill = { systemd.network.networks.wiregrill = {
matchConfig.Name = "wiregrill"; matchConfig.Name = "wiregrill";
address = address =