Optimize new fw rules and tweak postfix

Signed-off-by: Egor Savkin <es@m-labs.hk>
Stop rejecting packages from the tunnel
2024-10-15 17:41:28 +08:00 · 2024-10-10 15:52:20 +08:00 · 2024-10-09 11:15:31 +08:00 · 2024-10-09 11:08:12 +08:00 · 2024-10-09 11:08:12 +08:00 · 2024-10-09 11:08:12 +08:00
2 changed files with 9 additions and 8 deletions
--- a/nixbld-etc-nixos/configuration.nix
+++ b/nixbld-etc-nixos/configuration.nix
@ -92,16 +92,12 @@ in
    firewall = {
      allowedTCPPorts = [ 53 80 443 2222 7402 ];
      allowedUDPPorts = [ 53 67 500 4500 ];
-      trustedInterfaces = [ netifLan netifUSA ];
+      trustedInterfaces = [ netifLan ];
      logRefusedConnections = false;
      extraCommands = ''
        iptables -A INPUT -s 5.78.86.156 -p gre -j ACCEPT
        iptables -A INPUT -s 5.78.86.156 -p ah -j ACCEPT
      '';
-      extraStopCommands = ''
-        iptables -D INPUT -s 5.78.86.156 -p gre -j ACCEPT
-        iptables -D INPUT -s 5.78.86.156 -p ah -j ACCEPT
-      '';
    };
    useDHCP = false;
    interfaces."${netifWan}".useDHCP = true;  # PCCW - always wants active DHCP lease or cuts you off
@ -539,6 +535,11 @@ in
        "/kasli/192.168.1.70"
        "/kasli-customer/192.168.1.75"
        "/stabilizer-customer/192.168.1.76"
+
+        # Google can't do DNS geolocation correctly and slows down websites of everyone using
+        # their shitty font cloud hosting. In HK, you sometimes get IPs behind the GFW that you
+        # cannot reach.
+        "/fonts.googleapis.com/142.250.207.74"
      ];

      dhcp-match = "set:ipxe,175"; # https://forum.ipxe.org/showthread.php?tid=6077
@ -1264,6 +1265,7 @@ in
  services.postfix = {
    mapFiles.sender_transport = pkgs.writeText "sender_transport" ''
        @m-labs-intl.com intltunnel:
+        * :
    '';
    config = {
      sender_dependent_default_transport_maps = "hash:/var/lib/postfix/conf/sender_transport";
@ -1291,8 +1293,7 @@ in

  services.nextcloud = {
    enable = true;
-    package = pkgs.nextcloud30;
-    extraApps = { inherit (config.services.nextcloud.package.packages.apps) forms; };
+    package = pkgs.nextcloud29;
    hostName = "files.m-labs.hk";
    https = true;
    maxUploadSize = "2G";
--- a/nixbld-etc-nixos/named/m-labs-intl.com
+++ b/nixbld-etc-nixos/named/m-labs-intl.com
@ -1,7 +1,7 @@
 $TTL 7200

@						SOA	ns.m-labs-intl.com. sb.m-labs.hk. (
-							2024101401
+							2024081503
 							7200
 							3600
 							86400
Author	SHA1	Message	Date
Egor Savkin	2ee23bc03a	Optimize new fw rules and tweak postfix Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-15 17:41:28 +08:00
Egor Savkin	60903e955f	Stop rejecting packages from the tunnel Appears that firewall rejects packages before they are getting unwrapped to GRE Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-10 15:52:20 +08:00
Egor Savkin	4d7e836f07	Rebase and add intl interface to exceptions Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:15:31 +08:00
Egor Savkin	e7570aa4ce	Fix postfix settings so it should load successfully and accept and send messages through tunnel Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	eab2d70941	Fix postfix settings so it should load successfully Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	cbb077c441	Add virtual ips for the gre tunnel Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	42b3d6ccf3	Return swan into the zoo Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	b1fb18a6c5	Use IPv6 for WG transport to decrease latency by 20% Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	29352302be	Ip rules instead of iptables tracking Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	47e3d4cb88	Apply tested client configuration Adds an additional route, but doesn't enforce it so other apps will remain the same, but smtp can use tunnel for sending. Also sends replies through the tunnel if connection arrives on the tunnel. Better have something tested and working before I start doing "perfect". Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	5066b8cb9e	Use wireguard instead of strongswan since its in the kernel Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	74ecfdb430	WIP: Use gre/ipsec instead of proxy Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	8e5a45ac91	Use proxychains-ng instead of tsocks Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	ef4fd68829	Use tsocks to wrap socks and add sock transport type Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	cd2eac023e	Use wildcard instead of explicit specification As in example at https://www.postfix.org/transport.5.html Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00
Egor Savkin	05e3a47208	Use postfix options for routing mails through ssh tunnel Signed-off-by: Egor Savkin <es@m-labs.hk>	2024-10-09 11:08:12 +08:00