M-Labs/it-infra
M-Labs
/
it-infra
8
0
Fork 5
Code Issues 10 Pull Requests 2 Releases Wiki Activity

Ip rules instead of iptables tracking 

Signed-off-by: Egor Savkin <es@m-labs.hk>
This commit is contained in:
Egor Savkin 2024-09-11 11:28:03 +08:00
parent 5e13fc0bc2
commit 2f1c11d779
1 changed files with 2 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
nixbld-etc-nixos/configuration.nix
View File

@ -252,22 +252,12 @@ in
listenPort = 51820; listenPort = 51820;
privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key` privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key`
postUp = '' postUp = ''
${pkgs.iproute2}/bin/ip rule add from all fwmark 1 lookup 51820 ${pkgs.iproute2}/bin/ip rule add from 10.42.0.0/30 lookup 51820
${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820 ${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
${pkgs.iptables}/bin/iptables -A OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
${pkgs.iptables}/bin/iptables -A INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
${pkgs.iptables}/bin/iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
''; '';
preDown = '' preDown = ''
${pkgs.iproute2}/bin/ip rule del from all fwmark 1 lookup 51820 ${pkgs.iproute2}/bin/ip rule del from 10.42.0.0/30 lookup 51820
${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820 ${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
${pkgs.iptables}/bin/iptables -D OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
${pkgs.iptables}/bin/iptables -D INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
${pkgs.iptables}/bin/iptables -t mangle -D OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
''; '';
peers = [ peers = [
{ {