M-Labs/it-infra
M-Labs
/
it-infra
8
0
Fork 5
Code Issues 10 Pull Requests 2 Releases Wiki Activity

WIP: Use postfix options for routing mails through tunnel #45

Draft
esavkin wants to merge 9 commits from enable-mail-proxy-and-tunnel into master
pull from: enable-mail-proxy-and-tunnel
merge into: M-Labs:master
Conversation 1 Commits 9 Files Changed 2 +2 -12
1 changed files with 2 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 6dded5a701 - Show all commits

14
nixbld-etc-nixos/configuration.nix
View File

@ -252,22 +252,12 @@ in
listenPort = 51820;
privateKeyFile = "/path/to/private/key"; # just `wg-quick genkey > /path/to/private/key`
postUp = ''
${pkgs.iproute2}/bin/ip rule add from all fwmark 1 lookup 51820
${pkgs.iproute2}/bin/ip rule add from 10.42.0.0/30 lookup 51820
${pkgs.iproute2}/bin/ip route add default via 10.42.0.1 dev intl0 table 51820
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
${pkgs.iptables}/bin/iptables -A OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
${pkgs.iptables}/bin/iptables -A INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -t mangle -A PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
${pkgs.iptables}/bin/iptables -t mangle -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
'';
preDown = ''
${pkgs.iproute2}/bin/ip rule del from all fwmark 1 lookup 51820
${pkgs.iproute2}/bin/ip rule del from 10.42.0.0/30 lookup 51820
esavkin marked this conversation as resolved Outdated
esavkin commented 2024-09-10 11:37:51 +08:00
Outdated
Review
Copy Link

TODO: needs disabling routing tables (Table = off in wg conf file), so it will open interface and let apps choose to use interface instead of forwarding all the traffic

TODO: needs disabling routing tables (`Table = off` in wg conf file), so it will open interface and let apps choose to use interface instead of forwarding all the traffic
sb10q commented 2024-09-10 15:37:46 +08:00
Outdated
Review
Copy Link

You need to set up the policy-based routing for the interface choosing part. As has been done before with existing altnet and HKBN connections.

You need to set up the policy-based routing for the interface choosing part. As has been done before with existing altnet and HKBN connections.
${pkgs.iproute2}/bin/ip route del default via 10.42.0.1 dev intl0 table 51820
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -i intl0 -p tcp -j MARK --set-mark 1
${pkgs.iptables}/bin/iptables -D OUTPUT -o intl0 -m connmark --mark 1 -j ACCEPT
${pkgs.iptables}/bin/iptables -D INPUT -i intl0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${pkgs.iptables}/bin/iptables -t mangle -D PREROUTING -m conntrack --ctstate NEW -i intl0 -p tcp -j CONNMARK --save-mark
${pkgs.iptables}/bin/iptables -t mangle -D OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j CONNMARK --restore-mark
'';
peers = [
{