update nftables, hostconfig readme

2020-11-28 03:44:21 -05:00 · 2020-11-28 03:44:21 -05:00 · 712c87c530
commit 712c87c530
parent e8e87854dc
2 changed files with 74 additions and 6 deletions
--- a/host/README.md
+++ b/host/README.md
@ -61,7 +61,7 @@ Host myhub
 - `systemctl start tor`
 - `cp sysctl.conf /etc/`
 - `chattr +i /etc/sysctl.conf`
- `sysctl -f /etc/sysctl.conf`
+- `/sbin/sysctl -f /etc/sysctl.conf`
 - `cp default/docker /etc/default/docker`
 - `chattr +i /etc/default/docker`
 - `ip link add docker0 type bridge` 
@ -69,5 +69,68 @@ Host myhub
 - `ip addr add 100.64.63.129/25 dev docker0`
 - `systemctl enable docker`
 - `systemctl start docker`
- `rm -rf /etc/nftables/*`
- `cp -rvp nftables/ /etc`
+- create `/etc/systemd/network/50-WAN.link` and add the following
+
+```
+[Match]
+MACAddress=<replace_this_with_the_MAC_address_of_your_WAN_interface>
+
+[Link]
+Description=WAN
+MACAddressPolicy=persistent 
+Name=WAN
+
+```
+#### systemd-networkd address configuration (DHCP)
+- If you need to change this, visit https://www.freedesktop.org/software/systemd/man/systemd.network.html for more information
+
+- create `/etc/systemd/network/51-WAN.network` and add the following
+
+```
+[Match]
+Name=WAN
+
+[Network]
+Description=WAN
+DHCP=yes
+MulticastDNS=false
+LinkLocalAddressing=fallback
+IPv4LLRoute=true
+LLDP=routers-only
+IPv6AcceptRA=true
+IPForward=true
+IPMasquerade=true
+LLMNR=false
+```
+
+#### systemd-networkd address configuration (static)
+- If you need to change this, visit https://www.freedesktop.org/software/systemd/man/systemd.network.html for more information
+
+- create `/etc/systemd/network/51-WAN.network` and add the following
+
+```
+[Match]
+Name=WAN
+
+[Network]
+Description=WAN
+DHCP=no
+Address=192.168.122.88/24
+Gateway=192.168.122.1
+MulticastDNS=false
+LinkLocalAddressing=fallback
+IPv4LLRoute=true
+LLDP=routers-only
+IPv6AcceptRA=true
+IPForward=true
+IPMasquerade=true
+LLMNR=false
+```
+
+- `chattr +i /etc/systemd/network/50-WAN.link`
+- `chattr +i /etc/systemd/network/51-WAN.network`
+- `systemctl enable systemd-networkd`
+- `sync ; sync ; /sbin/reboot -f`
+- Re-SSH the host, CWD to `docker-hybrid/host`
+- `cp nftables/nftables.rules /etc/nftables.conf`
+- `chattr +i /etc/nftables.conf`
--- a/host/nftables/nftables.rules
+++ b/host/nftables/nftables.rules
@ -1,6 +1,11 @@
 table inet hybrid {
+  chain POSTROUTING {
+                type nat hook postrouting priority 0; policy accept;
+                oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients"
+        }
+
 	chain input {
-          type filter hook input    priority -50;    policy accept;
+          type filter hook input    priority 0;    policy accept;
          ct state {established, related} counter accept comment "related/established in to docker host";
          udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
 	}
@ -12,7 +17,7 @@ table inet hybrid {
  }

 	chain forward {
-          type filter hook forward  priority -50;    policy accept;
+          type filter hook forward  priority 0;    policy accept;
          ct state {established, related}                         jump   ct_fwd;
          ip saddr 100.64.48.0/20 ip daddr    100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
          ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17  counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
@ -23,7 +28,7 @@ table inet hybrid {
 	}

 	chain output {
-          type filter hook output   priority -50;    policy accept;
+          type filter hook output   priority 0;    policy accept;
          udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept  comment "UDP DNS query response to egress (100.64.48.0/20)";
 	}
 }