Compare commits
3 Commits
23e1fa029a
...
9383227c5b
Author | SHA1 | Date |
---|---|---|
Sébastien Bourdeauducq | 9383227c5b | |
Sébastien Bourdeauducq | 233998b8f3 | |
Sébastien Bourdeauducq | 90a6b84c09 |
|
@ -6,6 +6,8 @@ let
|
||||||
netifLan = "enp5s0f1";
|
netifLan = "enp5s0f1";
|
||||||
netifWifi = "wlp6s0";
|
netifWifi = "wlp6s0";
|
||||||
netifSit = "henet0";
|
netifSit = "henet0";
|
||||||
|
netifAlt = "alt0";
|
||||||
|
netifAltVlan = "vlan0";
|
||||||
hydraWwwOutputs = "/var/www/hydra-outputs";
|
hydraWwwOutputs = "/var/www/hydra-outputs";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -176,11 +178,20 @@ in
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
iptables -w -A block-insecure-devices -m mac --mac-source d8:9c:67:ab:83:e7 -j DROP # HP printer, wifi
|
||||||
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
iptables -w -A block-insecure-devices -m mac --mac-source f4:39:09:f7:3c:d7 -j DROP # HP printer, ethernet
|
||||||
iptables -w -A FORWARD -j block-insecure-devices
|
iptables -w -A FORWARD -j block-insecure-devices
|
||||||
|
|
||||||
|
iptables -w -N pccw-sucks
|
||||||
|
iptables -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
|
||||||
|
iptables -A pccw-sucks -o ${netifAlt} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1380
|
||||||
|
iptables -w -A FORWARD -j pccw-sucks
|
||||||
'';
|
'';
|
||||||
extraStopCommands = ''
|
extraStopCommands = ''
|
||||||
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
iptables -w -D FORWARD -j block-insecure-devices 2>/dev/null|| true
|
||||||
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
iptables -w -F block-insecure-devices 2>/dev/null|| true
|
||||||
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
iptables -w -X block-insecure-devices 2>/dev/null|| true
|
||||||
|
|
||||||
|
iptables -w -D FORWARD -j pccw-sucks 2>/dev/null|| true
|
||||||
|
iptables -w -F pccw-sucks 2>/dev/null|| true
|
||||||
|
iptables -w -X pccw-sucks 2>/dev/null|| true
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
sits."${netifSit}" = {
|
sits."${netifSit}" = {
|
||||||
|
@ -193,14 +204,14 @@ in
|
||||||
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
addresses = [{ address = "2001:470:18:390::2"; prefixLength = 64; }];
|
||||||
routes = [{ address = "::"; prefixLength = 0; }];
|
routes = [{ address = "::"; prefixLength = 0; }];
|
||||||
};
|
};
|
||||||
greTunnels.alt0 = {
|
greTunnels."${netifAlt}" = {
|
||||||
dev = netifWan;
|
dev = netifWan;
|
||||||
remote = "103.206.98.1";
|
remote = "103.206.98.1";
|
||||||
local = "94.190.212.123";
|
local = "94.190.212.123";
|
||||||
ttl = 255;
|
ttl = 255;
|
||||||
type = "tun";
|
type = "tun";
|
||||||
};
|
};
|
||||||
interfaces.alt0 = {
|
interfaces."${netifAlt}" = {
|
||||||
ipv4.addresses = [
|
ipv4.addresses = [
|
||||||
{
|
{
|
||||||
address = "103.206.98.227";
|
address = "103.206.98.227";
|
||||||
|
@ -217,12 +228,12 @@ in
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
vlans = {
|
vlans = {
|
||||||
vlan0 = {
|
"${netifAltVlan}" = {
|
||||||
id = 2;
|
id = 2;
|
||||||
interface = netifLan;
|
interface = netifLan;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
interfaces.vlan0 = {
|
interfaces."${netifAltVlan}" = {
|
||||||
ipv4.addresses = [{
|
ipv4.addresses = [{
|
||||||
address = "103.206.98.200";
|
address = "103.206.98.200";
|
||||||
prefixLength = 29;
|
prefixLength = 29;
|
||||||
|
@ -255,7 +266,7 @@ in
|
||||||
id = "fqdn:igw0.hkg.as150788.net";
|
id = "fqdn:igw0.hkg.as150788.net";
|
||||||
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
pubkeys = [ "/etc/swanctl/pubkey/igw0.hkg.as150788.net" ];
|
||||||
};
|
};
|
||||||
children.alt0 = {
|
children."${netifAlt}" = {
|
||||||
mode = "transport";
|
mode = "transport";
|
||||||
ah_proposals = [ "sha256-curve25519" ];
|
ah_proposals = [ "sha256-curve25519" ];
|
||||||
remote_ts = [ "103.206.98.1[gre]" ];
|
remote_ts = [ "103.206.98.1[gre]" ];
|
||||||
|
@ -263,6 +274,11 @@ in
|
||||||
start_action = "start";
|
start_action = "start";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
# prevent race condition similar to https://github.com/NixOS/nixpkgs/issues/27070
|
||||||
|
systemd.services.strongswan-swanctl = {
|
||||||
|
after = [ "network-addresses-${netifAlt}.service" ];
|
||||||
|
requires = [ "network-addresses-${netifAlt}.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.network-custom-route-backup = {
|
systemd.services.network-custom-route-backup = {
|
||||||
wantedBy = [ "network.target" ];
|
wantedBy = [ "network.target" ];
|
||||||
|
|
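Review bot: The two `iptables -A pccw-sucks -o ${netifSit} ...` and `iptables -A pccw-sucks -o ${netifAlt} ...` rules in the second hunk are the only iptables invocations in this block without `-w`, so if another process holds the xtables lock when the start script runs they can fail immediately instead of waiting, while the surrounding `-N pccw-sucks` and `-A FORWARD -j pccw-sucks` lines succeed and leave the jump pointing at an empty chain with no MSS clamping. Add the flag for consistency with every other rule here: `iptables -w -A pccw-sucks -o ${netifSit} -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360` and likewise for the `${netifAlt}` line. Whether the script aborts on the first failed command depends on how the firewall module runs extraCommands, which is outside this hunk.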