From 712c87c5305e6bf58d1c08a2603e106834a71ae9 Mon Sep 17 00:00:00 2001
From: philoctetes409bc
Date: Sat, 28 Nov 2020 03:44:21 -0500
Subject: [PATCH] update nftables, hostconfig readme

---
 host/README.md | 69 ++++++++++++++++++++++++++++++++++--
 host/nftables/nftables.rules | 11 ++++--
 2 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/host/README.md b/host/README.md
index 3e45de9..8c025f6 100644
--- a/host/README.md
+++ b/host/README.md
@@ -61,7 +61,7 @@ Host myhub
 - `systemctl start tor`
 - `cp sysctl.conf /etc/`
 - `chattr +i /etc/sysctl.conf`
-- `sysctl -f /etc/sysctl.conf`
+- `/sbin/sysctl -f /etc/sysctl.conf`
 - `cp default/docker /etc/default/docker`
 - `chattr +i /etc/default/docker`
 - `ip link add docker0 type bridge`
@@ -69,5 +69,68 @@ Host myhub
 - `ip addr add 100.64.63.129/25 dev docker0`
 - `systemctl enable docker`
 - `systemctl start docker`
-- `rm -rf /etc/nftables/*`
-- `cp -rvp nftables/ /etc`
+- create `/etc/systemd/network/50-WAN.link` and add the following
+
+```
+[Match]
+MACAddress=
+
+[Link]
+Description=WAN
+MACAddressPolicy=persistent
+Name=WAN
+
+```
+#### systemd-networkd address configuration (DHCP)
+- If you need to change this, visit https://www.freedesktop.org/software/systemd/man/systemd.network.html for more information
+
+- create `/etc/systemd/network/51-WAN.network` and add the following
+
+```
+[Match]
+Name=WAN
+
+[Network]
+Description=WAN
+DHCP=yes
+MulticastDNS=false
+LinkLocalAddressing=fallback
+IPv4LLRoute=true
+LLDP=routers-only
+IPv6AcceptRA=true
+IPForward=true
+IPMasquerade=true
+LLMNR=false
+```
+
+#### systemd-networkd address configuration (static)
+- If you need to change this, visit https://www.freedesktop.org/software/systemd/man/systemd.network.html for more information
+
+- create `/etc/systemd/network/51-WAN.network` and add the following
+
+```
+[Match]
+Name=WAN
+
+[Network]
+Description=WAN
+DHCP=no
+Address=192.168.122.88/24
+Gateway=192.168.122.1
+MulticastDNS=false
+LinkLocalAddressing=fallback
+IPv4LLRoute=true
+LLDP=routers-only
+IPv6AcceptRA=true
+IPForward=true
+IPMasquerade=true
+LLMNR=false
+```
+
+- `chattr +i /etc/systemd/network/50-WAN.link`
+- `chattr +i /etc/systemd/network/51-WAN.network`
+- `systemctl enable systemd-networkd`
+- `sync ; sync ; /sbin/reboot -f`
+- Re-SSH the host, CWD to `docker-hybrid/host`
+- `cp nftables/nftables.rules /etc/nftables.conf`
+- `chattr +i /etc/nftables.conf`
diff --git a/host/nftables/nftables.rules b/host/nftables/nftables.rules
index c073592..cb046e2 100644
--- a/host/nftables/nftables.rules
+++ b/host/nftables/nftables.rules
@@ -1,6 +1,11 @@
 table inet hybrid {
+chain POSTROUTING {
+type nat hook postrouting priority 0; policy accept;
+oifname "WAN" ip saddr 198.18.48.0/20 counter masquerade comment "masqueraded egress-routed clients"
+}
+
 chain input {
-type filter hook input priority -50; policy accept;
+type filter hook input priority 0; policy accept;
 ct state {established, related} counter accept comment "related/established in to docker host";
 udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query from egress (100.64.48.0/20)";
 }
@@ -12,7 +17,7 @@ table inet hybrid {
 }
 
 chain forward {
-type filter hook forward priority -50; policy accept;
+type filter hook forward priority 0; policy accept;
 ct state {established, related} jump ct_fwd;
 ip saddr 100.64.48.0/20 ip daddr 100.64.16.0/20 counter accept comment "egress (100.64.48.0/20) to internally-routed (100.64.16.0/20)";
 ip saddr 100.64.48.0/20 ip daddr != 100.64.0.0/17 counter accept comment "egress (100.64.48.0/20) to global but not to partition (100.64.0.0/17)";
@@ -23,7 +28,7 @@ table inet hybrid {
 }
 
 chain output {
-type filter hook output priority -50; policy accept;
+type filter hook output priority 0; policy accept;
 udp sport 53 ip saddr 100.64.48.0/20 ip daddr 100.64.48.0/20 counter accept comment "UDP DNS query response to egress (100.64.48.0/20)";
 }
 }
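Review bot: The masquerade rule in the new POSTROUTING chain matches `ip saddr 198.18.48.0/20`, while every other rule in this table (the forward rules and the DNS rules in input/output) treats 100.64.48.0/20 as the egress range, so the match and its comment "masqueraded egress-routed clients" do not agree; if this is a typo the 100.64.48.0/20 clients leave WAN unmasqueraded, and if 198.18.48.0/20 (RFC 2544 benchmarking space) is a deliberate second range, the comment should say so. The rule also depends on the uplink actually being renamed to WAN by the 50-WAN.link file added in the same commit, whose `MACAddress=` is left blank for the operator to fill in, so a comment such as `# oifname "WAN" relies on 50-WAN.link renaming the uplink; nothing is masqueraded if the rename did not take effect` would make that coupling visible. `priority 0` on a nat postrouting hook is unusual; the conventional `priority srcnat` (100) keeps a predictable order relative to any other NAT chains on the host, including those Docker may install if its iptables integration is enabled. Finally, the upper-case `POSTROUTING` breaks with the lower-case `input`/`forward`/`output`/`ct_fwd` naming used for the other chains in this table.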