router: small port 25 changes
technically this is relevant for security since it blocks requests to port 25 over ipv6 from clients other than the server, but it doesn't matter on my network because i don't have ipv6
This commit is contained in:
parent
fc95bb1e97
commit
4f650b2091
|
@ -58,6 +58,15 @@ let
|
||||||
else if rule.target4.address or null == netAddresses.lan4 || rule.target6.address or null == netAddresses.lan6 then "rule"
|
else if rule.target4.address or null == netAddresses.lan4 || rule.target6.address or null == netAddresses.lan6 then "rule"
|
||||||
else "mark";
|
else "mark";
|
||||||
|
|
||||||
|
dnatRuleProtos = rule:
|
||||||
|
let
|
||||||
|
inherit (notnft.inetProtos) tcp udp;
|
||||||
|
in
|
||||||
|
if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ]
|
||||||
|
else if rule.tcp then tcp
|
||||||
|
else if rule.udp then udp
|
||||||
|
else throw "Invalid rule: either tcp or udp must be set";
|
||||||
|
|
||||||
# nftables rules generator
|
# nftables rules generator
|
||||||
# selfIp4/selfIp6 = block packets from these addresses
|
# selfIp4/selfIp6 = block packets from these addresses
|
||||||
# extraInetEntries = stuff to add to inet table
|
# extraInetEntries = stuff to add to inet table
|
||||||
|
@ -463,8 +472,7 @@ in {
|
||||||
inetDnatRules =
|
inetDnatRules =
|
||||||
builtins.concatLists (map
|
builtins.concatLists (map
|
||||||
(rule: let
|
(rule: let
|
||||||
inherit (notnft.inetProtos) tcp udp;
|
protocols = dnatRuleProtos rule;
|
||||||
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
|
|
||||||
rule4 = rule.target4; rule6 = rule.target6;
|
rule4 = rule.target4; rule6 = rule.target6;
|
||||||
in with notnft.dsl; with payload;
|
in with notnft.dsl; with payload;
|
||||||
lib.optionals (rule4 != null) [
|
lib.optionals (rule4 != null) [
|
||||||
|
@ -521,22 +529,20 @@ in {
|
||||||
[(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
|
[(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
|
||||||
[(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
|
[(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
|
||||||
[(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
|
[(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
|
||||||
# block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain
|
# force vpn to/from force_vpn4/force_vpn6 even if we previously decided to unvpn this connection
|
||||||
# only do this for br0 since other adapters aren't forwarded from
|
|
||||||
[(is.eq meta.iifname "br0") (is.ne ether.saddr cfg.serverMac) (is.eq ip.protocol (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
|
|
||||||
# don't vpn smtp requests so spf works fine (and in case the vpn blocks requests over port 25, which it usually does)
|
|
||||||
[(is.eq ip.protocol (f: f.tcp)) (is.eq tcp.dport 25) (mangle meta.mark wan_table)]
|
|
||||||
[(is.eq ip6.nexthdr (f: f.tcp)) (is.eq tcp.dport 25) (mangle meta.mark wan_table)]
|
|
||||||
# finally, force vpn to/from force_vpn4/force_vpn6 even if we previously decided to unvpn this connection
|
|
||||||
[(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
|
[(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
|
||||||
[(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
|
[(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
|
||||||
[(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
|
[(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
|
||||||
[(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
|
[(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
|
||||||
|
# block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain
|
||||||
|
# only do this for br0 since traffic from other interfaces isn't forwarded to wan
|
||||||
|
[(is.eq meta.iifname "br0") (is.ne ether.saddr cfg.serverMac) (is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
|
||||||
|
# don't vpn smtp requests so spf works fine (and in case the vpn blocks requests over port 25, which it usually does)
|
||||||
|
[(is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (mangle meta.mark wan_table)]
|
||||||
] ++ # 1. dnat non-vpn: change rttable to wan
|
] ++ # 1. dnat non-vpn: change rttable to wan
|
||||||
builtins.concatLists (map
|
builtins.concatLists (map
|
||||||
(rule: let
|
(rule: let
|
||||||
inherit (notnft.inetProtos) tcp udp;
|
protocols = dnatRuleProtos rule;
|
||||||
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
|
|
||||||
rule4 = rule.target4; rule6 = rule.target6;
|
rule4 = rule.target4; rule6 = rule.target6;
|
||||||
in with notnft.dsl; with payload;
|
in with notnft.dsl; with payload;
|
||||||
lib.optionals (rule4 != null) [
|
lib.optionals (rule4 != null) [
|
||||||
|
@ -550,8 +556,7 @@ in {
|
||||||
++ # 2. dnat vpn: change rttable to vpn
|
++ # 2. dnat vpn: change rttable to vpn
|
||||||
builtins.concatLists (map
|
builtins.concatLists (map
|
||||||
(rule: let
|
(rule: let
|
||||||
inherit (notnft.inetProtos) tcp udp;
|
protocols = dnatRuleProtos rule;
|
||||||
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
|
|
||||||
rule4 = rule.target4; rule6 = rule.target6;
|
rule4 = rule.target4; rule6 = rule.target6;
|
||||||
in with notnft.dsl; with payload;
|
in with notnft.dsl; with payload;
|
||||||
lib.optionals (rule4 != null) [
|
lib.optionals (rule4 != null) [
|
||||||
|
@ -640,8 +645,7 @@ in {
|
||||||
inetDnatRules =
|
inetDnatRules =
|
||||||
builtins.concatLists (map
|
builtins.concatLists (map
|
||||||
(rule: let
|
(rule: let
|
||||||
inherit (notnft.inetProtos) tcp udp;
|
protocols = dnatRuleProtos rule;
|
||||||
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
|
|
||||||
rule4 = rule.target4; rule6 = rule.target6;
|
rule4 = rule.target4; rule6 = rule.target6;
|
||||||
in with notnft.dsl; with payload;
|
in with notnft.dsl; with payload;
|
||||||
lib.optionals (rule4 != null) [
|
lib.optionals (rule4 != null) [
|
||||||
|
@ -657,8 +661,7 @@ in {
|
||||||
# if i ever need this again, i have it right here
|
# if i ever need this again, i have it right here
|
||||||
builtins.concatLists (map
|
builtins.concatLists (map
|
||||||
(rule: let
|
(rule: let
|
||||||
inherit (notnft.inetProtos) tcp udp;
|
protocols = dnatRuleProtos rule;
|
||||||
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
|
|
||||||
rule4 = rule.target4; rule6 = rule.target6;
|
rule4 = rule.target4; rule6 = rule.target6;
|
||||||
in with notnft.dsl; with payload;
|
in with notnft.dsl; with payload;
|
||||||
lib.optionals (rule4 != null) [
|
lib.optionals (rule4 != null) [
|
||||||
|
|
Loading…
Reference in a new issue