router: small port 25 changes

technically this is relevant for security since it blocks requests to
port 25 over ipv6 from clients other than the server, but it doesn't
matter on my network because i don't have ipv6
This commit is contained in:
chayleaf 2023-08-13 16:40:21 +07:00
parent fc95bb1e97
commit 4f650b2091

View file

@ -58,6 +58,15 @@ let
else if rule.target4.address or null == netAddresses.lan4 || rule.target6.address or null == netAddresses.lan6 then "rule" else if rule.target4.address or null == netAddresses.lan4 || rule.target6.address or null == netAddresses.lan6 then "rule"
else "mark"; else "mark";
dnatRuleProtos = rule:
let
inherit (notnft.inetProtos) tcp udp;
in
if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ]
else if rule.tcp then tcp
else if rule.udp then udp
else throw "Invalid rule: either tcp or udp must be set";
# nftables rules generator # nftables rules generator
# selfIp4/selfIp6 = block packets from these addresses # selfIp4/selfIp6 = block packets from these addresses
# extraInetEntries = stuff to add to inet table # extraInetEntries = stuff to add to inet table
@ -463,8 +472,7 @@ in {
inetDnatRules = inetDnatRules =
builtins.concatLists (map builtins.concatLists (map
(rule: let (rule: let
inherit (notnft.inetProtos) tcp udp; protocols = dnatRuleProtos rule;
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
rule4 = rule.target4; rule6 = rule.target6; rule4 = rule.target4; rule6 = rule.target6;
in with notnft.dsl; with payload; in with notnft.dsl; with payload;
lib.optionals (rule4 != null) [ lib.optionals (rule4 != null) [
@ -521,22 +529,20 @@ in {
[(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)] [(is.eq ip6.daddr "@force_unvpn6") (mangle meta.mark wan_table)]
[(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)] [(is.eq ip.saddr "@force_unvpn4") (mangle meta.mark wan_table)]
[(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)] [(is.eq ip6.saddr "@force_unvpn6") (mangle meta.mark wan_table)]
# block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain # force vpn to/from force_vpn4/force_vpn6 even if we previously decided to unvpn this connection
# only do this for br0 since other adapters aren't forwarded from
[(is.eq meta.iifname "br0") (is.ne ether.saddr cfg.serverMac) (is.eq ip.protocol (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
# don't vpn smtp requests so spf works fine (and in case the vpn blocks requests over port 25, which it usually does)
[(is.eq ip.protocol (f: f.tcp)) (is.eq tcp.dport 25) (mangle meta.mark wan_table)]
[(is.eq ip6.nexthdr (f: f.tcp)) (is.eq tcp.dport 25) (mangle meta.mark wan_table)]
# finally, force vpn to/from force_vpn4/force_vpn6 even if we previously decided to unvpn this connection
[(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)] [(is.eq ip.daddr "@force_vpn4") (mangle meta.mark vpn_table)]
[(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)] [(is.eq ip6.daddr "@force_vpn6") (mangle meta.mark vpn_table)]
[(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)] [(is.eq ip.saddr "@force_vpn4") (mangle meta.mark vpn_table)]
[(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)] [(is.eq ip6.saddr "@force_vpn6") (mangle meta.mark vpn_table)]
# block requests to port 25 from hosts other than the server so they can't send mail pretending to originate from my domain
# only do this for br0 since traffic from other interfaces isn't forwarded to wan
[(is.eq meta.iifname "br0") (is.ne ether.saddr cfg.serverMac) (is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (log "smtp ") drop]
# don't vpn smtp requests so spf works fine (and in case the vpn blocks requests over port 25, which it usually does)
[(is.eq meta.l4proto (f: f.tcp)) (is.eq tcp.dport 25) (mangle meta.mark wan_table)]
] ++ # 1. dnat non-vpn: change rttable to wan ] ++ # 1. dnat non-vpn: change rttable to wan
builtins.concatLists (map builtins.concatLists (map
(rule: let (rule: let
inherit (notnft.inetProtos) tcp udp; protocols = dnatRuleProtos rule;
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
rule4 = rule.target4; rule6 = rule.target6; rule4 = rule.target4; rule6 = rule.target6;
in with notnft.dsl; with payload; in with notnft.dsl; with payload;
lib.optionals (rule4 != null) [ lib.optionals (rule4 != null) [
@ -550,8 +556,7 @@ in {
++ # 2. dnat vpn: change rttable to vpn ++ # 2. dnat vpn: change rttable to vpn
builtins.concatLists (map builtins.concatLists (map
(rule: let (rule: let
inherit (notnft.inetProtos) tcp udp; protocols = dnatRuleProtos rule;
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
rule4 = rule.target4; rule6 = rule.target6; rule4 = rule.target4; rule6 = rule.target6;
in with notnft.dsl; with payload; in with notnft.dsl; with payload;
lib.optionals (rule4 != null) [ lib.optionals (rule4 != null) [
@ -640,8 +645,7 @@ in {
inetDnatRules = inetDnatRules =
builtins.concatLists (map builtins.concatLists (map
(rule: let (rule: let
inherit (notnft.inetProtos) tcp udp; protocols = dnatRuleProtos rule;
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
rule4 = rule.target4; rule6 = rule.target6; rule4 = rule.target4; rule6 = rule.target6;
in with notnft.dsl; with payload; in with notnft.dsl; with payload;
lib.optionals (rule4 != null) [ lib.optionals (rule4 != null) [
@ -657,8 +661,7 @@ in {
# if i ever need this again, i have it right here # if i ever need this again, i have it right here
builtins.concatLists (map builtins.concatLists (map
(rule: let (rule: let
inherit (notnft.inetProtos) tcp udp; protocols = dnatRuleProtos rule;
protocols = if rule.tcp && rule.udp then notnft.dsl.set [ tcp udp ] else if rule.tcp then tcp else udp;
rule4 = rule.target4; rule6 = rule.target6; rule4 = rule.target4; rule6 = rule.target6;
in with notnft.dsl; with payload; in with notnft.dsl; with payload;
lib.optionals (rule4 != null) [ lib.optionals (rule4 != null) [