Diffstat (limited to 'roles/space_server/files')
-rw-r--r--roles/space_server/files/networkd/10-lan.network1
-rw-r--r--roles/space_server/files/networkd/10-lan21.netdev6
-rw-r--r--roles/space_server/files/networkd/10-lan21.network18
-rw-r--r--roles/space_server/files/nftables.conf49
-rw-r--r--roles/space_server/files/nftables.service2
5 files changed, 76 insertions, 0 deletions
diff --git a/roles/space_server/files/networkd/10-lan.network b/roles/space_server/files/networkd/10-lan.network
index 1a9f004..1221be8 100644
--- a/roles/space_server/files/networkd/10-lan.network
+++ b/roles/space_server/files/networkd/10-lan.network
@@ -18,3 +18,4 @@ VLAN=lan13
VLAN=lan14
VLAN=lan15
VLAN=lan20
+VLAN=lan21
diff --git a/roles/space_server/files/networkd/10-lan21.netdev b/roles/space_server/files/networkd/10-lan21.netdev
new file mode 100644
index 0000000..85a79c2
--- /dev/null
+++ b/roles/space_server/files/networkd/10-lan21.netdev
@@ -0,0 +1,6 @@
+[NetDev]
+Name=lan21
+Kind=vlan
+
+[VLAN]
+Id=21
diff --git a/roles/space_server/files/networkd/10-lan21.network b/roles/space_server/files/networkd/10-lan21.network
new file mode 100644
index 0000000..7ac5b75
--- /dev/null
+++ b/roles/space_server/files/networkd/10-lan21.network
@@ -0,0 +1,18 @@
+[Match]
+Name=lan21
+
+[Link]
+ARP=yes
+
+[Network]
+DHCP=no
+IPv6AcceptRA=no
+LinkLocalAddressing=no
+Address=185.38.175.129/28
+Address=2a01:4262:1ab:ffff::1/64
+Address=fe80::1/64
+IPForward=yes
+LLMNR=no
+MulticastDNS=no
+LLDP=yes
+EmitLLDP=no
diff --git a/roles/space_server/files/nftables.conf b/roles/space_server/files/nftables.conf
index 3502959..93ecc25 100644
--- a/roles/space_server/files/nftables.conf
+++ b/roles/space_server/files/nftables.conf
@@ -48,6 +48,15 @@ define nat64_net4 = 10.42.128.0/17
define colo_if = lan20
+define tor_if = lan21
+define tor_net4 = 185.38.175.128/28
+define tor_net6 = 2a01:4262:1ab:ffff::/64
+
+define local_ip4 = { $ext_ip4, $adm_ip4, $wire_ip4, $priv_ip4, $free_ip4, $pass_ip4 }
+define local_ip6 = { $ext_ip6 }
+define local_net4 = { $ext_ip4, $free_nat, $int_net4 }
+define local_net6 = 2a01:4262:1ab::/52
+
define avahi_ifs = { $wire_if, $priv_if, $pass_if }
table ip filter {
@@ -118,6 +127,10 @@ table ip filter {
chain forward {
type filter hook forward priority 0;
+ # handle tor traffic - before ct
+ iif $tor_if ip saddr $tor_net4 ip daddr != $local_net4 accept
+ oif $tor_if ip daddr $tor_net4 ip saddr != $local_net4 accept
+
ct state established,related accept
ct state invalid drop
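Review bot: The two accept rules added ahead of the ct rules here (and the matching pair in the ip6 forward hunk) must stay predicate-for-predicate identical to the `notrack` rules added in the new `table ip raw` / `table ip6 raw` prerouting chains, because a packet that was never tracked cannot match `ct state established,related accept` and will instead fall through to whatever the rest of the forward chain does with it; nothing in the file ties the two copies together. A comment on the rule pair would make that invariant explicit, e.g. `# must mirror the notrack rules in table ip raw prerouting: untracked packets never match the ct state rules below`. Note also that `oif $tor_if ip daddr $tor_net4 ip saddr != $local_net4 accept` is stateless, so any non-local source can reach Tor-segment hosts on any port — presumably intended for relays, but worth saying in the comment. The forward chain continues past the end of this hunk.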
@@ -207,6 +220,10 @@ table ip6 filter {
chain forward {
type filter hook forward priority 0;
+ # handle tor traffic - before ct
+ iif $tor_if ip6 saddr $tor_net6 ip6 daddr != $local_net6 accept
+ oif $tor_if ip6 daddr $tor_net6 ip6 saddr != $local_net6 accept
+
ct state established,related accept
ct state invalid drop
@@ -281,3 +298,35 @@ table ip6 nat {
# type nat hook postrouting priority -150;
#}
}
+
+table ip raw {
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept
+
+ iif lo accept
+
+ # always do connection tracking for local IP's
+ ip saddr $local_ip4 accept
+ ip daddr $local_ip4 accept
+
+ # avoid connection tracking for most Tor traffic
+ ip saddr $tor_net4 ip daddr != $local_net4 notrack
+ ip daddr $tor_net4 ip saddr != $local_net4 notrack
+ }
+}
+
+table ip6 raw {
+ chain prerouting {
+ type filter hook prerouting priority -300; policy accept
+
+ iif lo accept
+
+ # always do connection tracking for local IP's
+ ip6 saddr $local_ip6 accept
+ ip6 daddr $local_ip6 accept
+
+ # avoid connection tracking for most Tor traffic
+ ip6 saddr $tor_net6 ip6 daddr != $local_net6 notrack
+ ip6 daddr $tor_net6 ip6 saddr != $local_net6 notrack
+ }
+}
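Review bot: The host's own addresses on the new segment (185.38.175.129 and 2a01:4262:1ab:ffff::1 from 10-lan21.network) appear in neither `$local_ip4`/`$local_ip6` nor `$local_net4`/`$local_net6`, so in these prerouting chains a packet from a Tor-segment host addressed to the server itself matches the `notrack` rules rather than the preceding `accept` rules. Locally generated traffic towards those hosts is still tracked (no raw output chain is added), so the replies arrive untracked and will not match `ct state established,related` in the input chain; whether that drops them depends on input rules outside this diff. Adding `define tor_ip4 = 185.38.175.129` and `define tor_ip6 = 2a01:4262:1ab:ffff::1` in the define hunk and listing them in `$local_ip4` and `$local_ip6` would keep host-bound Tor-segment traffic under connection tracking. The IPv6 `$local_ip6 = { $ext_ip6 }` is also much narrower than its IPv4 counterpart, so the same gap likely exists for the other IPv6 addresses the host holds.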
diff --git a/roles/space_server/files/nftables.service b/roles/space_server/files/nftables.service
index 89e9cfe..54efd9c 100644
--- a/roles/space_server/files/nftables.service
+++ b/roles/space_server/files/nftables.service
@@ -8,6 +8,7 @@ Requires=sys-devices-virtual-net-lan13.device
Requires=sys-devices-virtual-net-lan14.device
Requires=sys-devices-virtual-net-lan15.device
Requires=sys-devices-virtual-net-lan20.device
+Requires=sys-devices-virtual-net-lan21.device
Requires=sys-devices-virtual-net-nat64.device
After=sys-devices-virtual-net-lan10.device
After=sys-devices-virtual-net-lan11.device
@@ -16,6 +17,7 @@ After=sys-devices-virtual-net-lan13.device
After=sys-devices-virtual-net-lan14.device
After=sys-devices-virtual-net-lan15.device
After=sys-devices-virtual-net-lan20.device
+After=sys-devices-virtual-net-lan21.device
After=sys-devices-virtual-net-nat64.device
Before=network-online.target