nixpkgs/nixos/modules/services/networking/nat-iptables.nix
TNE 46b2df60a5 nixos/nat: Allow NAT to still function when a forward default DROP iptables rule is in effect.
This allows feature parity with the nftables "filterForward" firewall option when adding a ip forwarding default drop iptables rule.
2024-12-01 09:36:02 +01:00

227 lines
8.5 KiB
Nix

# This module enables Network Address Translation (NAT).
# XXX: todo: support multiple upstream links
# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.networking.nat;
mkDest = externalIP:
if externalIP == null
then "-j MASQUERADE"
else "-j SNAT --to-source ${externalIP}";
dest = mkDest cfg.externalIP;
destIPv6 = mkDest cfg.externalIPv6;
# Whether given IP (plus optional port) is an IPv6.
isIPv6 = ip: builtins.length (lib.splitString ":" ip) > 2;
helpers = import ./helpers.nix { inherit config lib; };
flushNat = ''
${helpers}
ip46tables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
ip46tables -w -t nat -F nixos-nat-pre 2>/dev/null || true
ip46tables -w -t nat -X nixos-nat-pre 2>/dev/null || true
ip46tables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true
ip46tables -w -t nat -F nixos-nat-post 2>/dev/null || true
ip46tables -w -t nat -X nixos-nat-post 2>/dev/null || true
ip46tables -w -t nat -D OUTPUT -j nixos-nat-out 2>/dev/null || true
ip46tables -w -t nat -F nixos-nat-out 2>/dev/null || true
ip46tables -w -t nat -X nixos-nat-out 2>/dev/null || true
ip46tables -w -t filter -D FORWARD -j nixos-filter-forward 2>/dev/null || true
ip46tables -w -t filter -F nixos-filter-forward 2>/dev/null || true
ip46tables -w -t filter -X nixos-filter-forward 2>/dev/null || true
${cfg.extraStopCommands}
'';
mkSetupNat = { iptables, dest, internalIPs, forwardPorts, externalIp }: ''
# We can't match on incoming interface in POSTROUTING, so
# mark packets coming from the internal interfaces.
${concatMapStrings (iface: ''
${iptables} -w -t nat -A nixos-nat-pre \
-i '${iface}' -j MARK --set-mark 1
${iptables} -w -t filter -A nixos-filter-forward \
-i '${iface}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} -j ACCEPT
'') cfg.internalInterfaces}
# NAT the marked packets.
${optionalString (cfg.internalInterfaces != []) ''
${iptables} -w -t nat -A nixos-nat-post -m mark --mark 1 \
${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest}
''}
# NAT packets coming from the internal IPs.
${concatMapStrings (range: ''
${iptables} -w -t nat -A nixos-nat-post \
-s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest}
${iptables} -w -t filter -A nixos-filter-forward \
-s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} -j ACCEPT
'') internalIPs}
# Related connections are allowed
${iptables} -w -t filter -A nixos-filter-forward \
-m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT from external ports to internal ports.
${concatMapStrings (fwd: ''
${iptables} -w -t nat -A nixos-nat-pre \
-i ${toString cfg.externalInterface} -p ${fwd.proto} \
${optionalString (externalIp != null) "-d ${externalIp}"} --dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
${iptables} -w -t filter -A nixos-filter-forward \
-i ${toString cfg.externalInterface} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} -j ACCEPT
${concatMapStrings (loopbackip:
let
matchIP = if isIPv6 fwd.destination then "[[]([0-9a-fA-F:]+)[]]" else "([0-9.]+)";
m = builtins.match "${matchIP}:([0-9-]+)" fwd.destination;
destinationIP = if m == null then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
destinationPorts = if m == null then throw "bad ip:ports `${fwd.destination}'" else builtins.replaceStrings ["-"] [":"] (elemAt m 1);
in ''
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself
${iptables} -w -t nat -A nixos-nat-out \
-d ${loopbackip} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT
${concatMapStrings (range: ''
${iptables} -w -t nat -A nixos-nat-pre \
-d ${loopbackip} -p ${fwd.proto} -s '${range}' \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
${iptables} -w -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
-s '${range}' --dport ${destinationPorts} \
-j SNAT --to-source ${loopbackip}
${iptables} -w -t filter -A nixos-filter-forward \
-d ${destinationIP} -p ${fwd.proto} \
-s '${range}' --dport ${destinationPorts} -j ACCEPT
'') internalIPs}
${concatMapStrings (iface: ''
${iptables} -w -t nat -A nixos-nat-pre \
-d ${loopbackip} -p ${fwd.proto} -i '${iface}' \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
${iptables} -w -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
-i '${iface}' --dport ${destinationPorts} \
-j SNAT --to-source ${loopbackip}
${iptables} -w -t filter -A nixos-filter-forward \
-d ${destinationIP} -p ${fwd.proto} \
-i '${iface}' --dport ${destinationPorts} -j ACCEPT
'') cfg.internalInterfaces}
'') fwd.loopbackIPs}
'') forwardPorts}
'';
setupNat = ''
${helpers}
# Create subchains where we store rules
ip46tables -w -t nat -N nixos-nat-pre
ip46tables -w -t nat -N nixos-nat-post
ip46tables -w -t nat -N nixos-nat-out
ip46tables -w -t filter -N nixos-filter-forward
${mkSetupNat {
iptables = "iptables";
inherit dest;
inherit (cfg) internalIPs;
forwardPorts = filter (x: !(isIPv6 x.destination)) cfg.forwardPorts;
externalIp = cfg.externalIP;
}}
${optionalString cfg.enableIPv6 (mkSetupNat {
iptables = "ip6tables";
dest = destIPv6;
internalIPs = cfg.internalIPv6s;
forwardPorts = filter (x: isIPv6 x.destination) cfg.forwardPorts;
externalIp = cfg.externalIPv6;
})}
${optionalString (cfg.dmzHost != null) ''
iptables -w -t nat -A nixos-nat-pre \
-i ${toString cfg.externalInterface} -j DNAT \
--to-destination ${cfg.dmzHost}
''}
${cfg.extraCommands}
# Append our chains to the nat tables
ip46tables -w -t nat -A PREROUTING -j nixos-nat-pre
ip46tables -w -t nat -A POSTROUTING -j nixos-nat-post
ip46tables -w -t nat -A OUTPUT -j nixos-nat-out
ip46tables -w -t filter -A FORWARD -j nixos-filter-forward
'';
in
{
options = {
networking.nat.extraCommands = mkOption {
type = types.lines;
default = "";
example = "iptables -A INPUT -p icmp -j ACCEPT";
description = ''
Additional shell commands executed as part of the nat
initialisation script.
This option is incompatible with the nftables based nat module.
'';
};
networking.nat.extraStopCommands = mkOption {
type = types.lines;
default = "";
example = "iptables -D INPUT -p icmp -j ACCEPT || true";
description = ''
Additional shell commands executed as part of the nat
teardown script.
This option is incompatible with the nftables based nat module.
'';
};
};
config = mkIf (!config.networking.nftables.enable)
(mkMerge [
({ networking.firewall.extraCommands = mkBefore flushNat; })
(mkIf config.networking.nat.enable {
networking.firewall = mkIf config.networking.firewall.enable {
extraCommands = setupNat;
extraStopCommands = flushNat;
};
systemd.services = mkIf (!config.networking.firewall.enable) {
nat = {
description = "Network Address Translation";
wantedBy = [ "network.target" ];
after = [ "network-pre.target" "systemd-modules-load.service" ];
path = [ config.networking.firewall.package ];
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = flushNat + setupNat;
postStop = flushNat;
};
};
})
]);
}