nixpkgs/nixos/modules/services/networking/nat.nix
Max Veytsman de1cbcc692 nixos/nat: fix typo in comment
This iptables directive is marking packets coming from the internal interfaces so they can later be NATed by the rule in 22378e6996/nixos/modules/services/networking/nat.nix (L38-L42) .

Fix the comment accordingly.
2019-11-04 17:00:22 +01:00

283 lines
8.9 KiB
Nix

# This module enables Network Address Translation (NAT).
# XXX: todo: support multiple upstream links
# see http://yesican.chsoft.biz/lartc/MultihomedLinuxNetworking.html
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.networking.nat;
dest = if cfg.externalIP == null then "-j MASQUERADE" else "-j SNAT --to-source ${cfg.externalIP}";
flushNat = ''
iptables -w -t nat -D PREROUTING -j nixos-nat-pre 2>/dev/null|| true
iptables -w -t nat -F nixos-nat-pre 2>/dev/null || true
iptables -w -t nat -X nixos-nat-pre 2>/dev/null || true
iptables -w -t nat -D POSTROUTING -j nixos-nat-post 2>/dev/null || true
iptables -w -t nat -F nixos-nat-post 2>/dev/null || true
iptables -w -t nat -X nixos-nat-post 2>/dev/null || true
${cfg.extraStopCommands}
'';
setupNat = ''
# Create subchain where we store rules
iptables -w -t nat -N nixos-nat-pre
iptables -w -t nat -N nixos-nat-post
# We can't match on incoming interface in POSTROUTING, so
# mark packets coming from the internal interfaces.
${concatMapStrings (iface: ''
iptables -w -t nat -A nixos-nat-pre \
-i '${iface}' -j MARK --set-mark 1
'') cfg.internalInterfaces}
# NAT the marked packets.
${optionalString (cfg.internalInterfaces != []) ''
iptables -w -t nat -A nixos-nat-post -m mark --mark 1 \
${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest}
''}
# NAT packets coming from the internal IPs.
${concatMapStrings (range: ''
iptables -w -t nat -A nixos-nat-post \
-s '${range}' ${optionalString (cfg.externalInterface != null) "-o ${cfg.externalInterface}"} ${dest}
'') cfg.internalIPs}
# NAT from external ports to internal ports.
${concatMapStrings (fwd: ''
iptables -w -t nat -A nixos-nat-pre \
-i ${toString cfg.externalInterface} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
${concatMapStrings (loopbackip:
let
m = builtins.match "([0-9.]+):([0-9-]+)" fwd.destination;
destinationIP = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 0;
destinationPorts = if (m == null) then throw "bad ip:ports `${fwd.destination}'" else elemAt m 1;
in ''
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from the host itself
iptables -w -t nat -A OUTPUT \
-d ${loopbackip} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
# Allow connections to ${loopbackip}:${toString fwd.sourcePort} from other hosts behind NAT
iptables -w -t nat -A nixos-nat-pre \
-d ${loopbackip} -p ${fwd.proto} \
--dport ${builtins.toString fwd.sourcePort} \
-j DNAT --to-destination ${fwd.destination}
iptables -w -t nat -A nixos-nat-post \
-d ${destinationIP} -p ${fwd.proto} \
--dport ${destinationPorts} \
-j SNAT --to-source ${loopbackip}
'') fwd.loopbackIPs}
'') cfg.forwardPorts}
${optionalString (cfg.dmzHost != null) ''
iptables -w -t nat -A nixos-nat-pre \
-i ${toString cfg.externalInterface} -j DNAT \
--to-destination ${cfg.dmzHost}
''}
${cfg.extraCommands}
# Append our chains to the nat tables
iptables -w -t nat -A PREROUTING -j nixos-nat-pre
iptables -w -t nat -A POSTROUTING -j nixos-nat-post
'';
in
{
###### interface
options = {
networking.nat.enable = mkOption {
type = types.bool;
default = false;
description =
''
Whether to enable Network Address Translation (NAT).
'';
};
networking.nat.internalInterfaces = mkOption {
type = types.listOf types.str;
default = [];
example = [ "eth0" ];
description =
''
The interfaces for which to perform NAT. Packets coming from
these interface and destined for the external interface will
be rewritten.
'';
};
networking.nat.internalIPs = mkOption {
type = types.listOf types.str;
default = [];
example = [ "192.168.1.0/24" ];
description =
''
The IP address ranges for which to perform NAT. Packets
coming from these addresses (on any interface) and destined
for the external interface will be rewritten.
'';
};
networking.nat.externalInterface = mkOption {
type = types.nullOr types.str;
default = null;
example = "eth1";
description =
''
The name of the external network interface.
'';
};
networking.nat.externalIP = mkOption {
type = types.nullOr types.str;
default = null;
example = "203.0.113.123";
description =
''
The public IP address to which packets from the local
network are to be rewritten. If this is left empty, the
IP address associated with the external interface will be
used.
'';
};
networking.nat.forwardPorts = mkOption {
type = with types; listOf (submodule {
options = {
sourcePort = mkOption {
type = types.either types.int (types.strMatching "[[:digit:]]+:[[:digit:]]+");
example = 8080;
description = "Source port of the external interface; to specify a port range, use a string with a colon (e.g. \"60000:61000\")";
};
destination = mkOption {
type = types.str;
example = "10.0.0.1:80";
description = "Forward connection to destination ip:port; to specify a port range, use ip:start-end";
};
proto = mkOption {
type = types.str;
default = "tcp";
example = "udp";
description = "Protocol of forwarded connection";
};
loopbackIPs = mkOption {
type = types.listOf types.str;
default = [];
example = literalExample ''[ "55.1.2.3" ]'';
description = "Public IPs for NAT reflection; for connections to `loopbackip:sourcePort' from the host itself and from other hosts behind NAT";
};
};
});
default = [];
example = [ { sourcePort = 8080; destination = "10.0.0.1:80"; proto = "tcp"; } ];
description =
''
List of forwarded ports from the external interface to
internal destinations by using DNAT.
'';
};
networking.nat.dmzHost = mkOption {
type = types.nullOr types.str;
default = null;
example = "10.0.0.1";
description =
''
The local IP address to which all traffic that does not match any
forwarding rule is forwarded.
'';
};
networking.nat.extraCommands = mkOption {
type = types.lines;
default = "";
example = "iptables -A INPUT -p icmp -j ACCEPT";
description =
''
Additional shell commands executed as part of the nat
initialisation script.
'';
};
networking.nat.extraStopCommands = mkOption {
type = types.lines;
default = "";
example = "iptables -D INPUT -p icmp -j ACCEPT || true";
description =
''
Additional shell commands executed as part of the nat
teardown script.
'';
};
};
###### implementation
config = mkMerge [
{ networking.firewall.extraCommands = mkBefore flushNat; }
(mkIf config.networking.nat.enable {
assertions = [
{ assertion = (cfg.dmzHost != null) -> (cfg.externalInterface != null);
message = "networking.nat.dmzHost requires networking.nat.externalInterface";
}
{ assertion = (cfg.forwardPorts != []) -> (cfg.externalInterface != null);
message = "networking.nat.forwardPorts requires networking.nat.externalInterface";
}
];
environment.systemPackages = [ pkgs.iptables ];
boot = {
kernelModules = [ "nf_nat_ftp" ];
kernel.sysctl = {
"net.ipv4.conf.all.forwarding" = mkOverride 99 true;
"net.ipv4.conf.default.forwarding" = mkOverride 99 true;
};
};
networking.firewall = mkIf config.networking.firewall.enable {
extraCommands = setupNat;
extraStopCommands = flushNat;
};
systemd.services = mkIf (!config.networking.firewall.enable) { nat = {
description = "Network Address Translation";
wantedBy = [ "network.target" ];
after = [ "network-pre.target" "systemd-modules-load.service" ];
path = [ pkgs.iptables ];
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = flushNat + setupNat;
postStop = flushNat;
}; };
})
];
}