From 850e9232a329d24e4c4e4377689c526aabbf0c1b Mon Sep 17 00:00:00 2001
From: "Aode (Lion)"
Date: Sun, 17 Oct 2021 14:04:36 -0500
Subject: [PATCH] Add interface bridge config

---
 config.toml | 12 +++++
 src/startup/mod.rs | 10 ++--
 src/startup/preload.rs | 120 +++++++++++++++--------------------------
 templates/home.rs.html | 13 +++++
 4 files changed, 72 insertions(+), 83 deletions(-)

diff --git a/config.toml b/config.toml
index 17498a5..07a1e59 100644
--- a/config.toml
+++ b/config.toml
@@ -15,6 +15,18 @@ shared-internal = true
 nats = [
 "wg2"
 ]
+bridges = [
+ ["wg0", "vlan20"],
+ ["wg1", "vlan20"],
+ ["wg3", "vlan20"],
+ ["wg4", "vlan20"],
+ ["wg0", "wg1"],
+ ["wg0", "wg3"],
+ ["wg0", "wg4"],
+ ["wg1", "wg3"],
+ ["wg1", "wg4"],
+ ["wg3", "wg4"]
+]
 
 [server]
 debug = true
diff --git a/src/startup/mod.rs b/src/startup/mod.rs
index a57b73d..7111033 100644
--- a/src/startup/mod.rs
+++ b/src/startup/mod.rs
@@ -26,9 +26,9 @@ struct InterfaceConfig {
 #[derive(serde::Deserialize)]
 #[serde(rename_all = "kebab-case")]
 struct NetworkConfig {
- shared_internal: bool,
 #[serde(default)]
 nats: Vec,
+ bridges: Vec<[String; 2]>,
 }
 
 #[derive(serde::Deserialize)]
@@ -42,8 +42,8 @@ pub struct Interfaces {
 pub(crate) internal: Vec,
 pub(crate) vlan: Vec,
 pub(crate) tunnel: Vec,
- pub(crate) shared_internal: bool,
 pub(crate) nats: Vec,
+ pub(crate) bridges: Vec<[String; 2]>,
 }
 
 #[derive(Debug, Hash, PartialEq, Eq, PartialOrd, Ord)]
@@ -94,7 +94,7 @@ impl Interfaces {
 mask: 24,
 }],
 vlan: vec![InterfaceInfo {
- interface: String::from("vlan20@enp1s0"),
+ interface: String::from("vlan20"),
 ip: "192.168.6.20".parse()?,
 mask: 24,
 }],
@@ -115,8 +115,8 @@ impl Interfaces {
 mask: 24,
 },
 ],
- shared_internal: false,
 nats: Vec::new(),
+ bridges: Vec::new(),
 });
 
 }
@@ -160,8 +160,8 @@ impl Interfaces {
 internal,
 vlan,
 tunnel,
- shared_internal: config.network.shared_internal,
 nats: config.network.nats.clone(),
+ bridges: config.network.bridges.clone(),
 })
 
 }
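Review bot: `bridges: Vec<[String; 2]>` in `struct NetworkConfig` is added as a required key, while the neighbouring `nats` field carries `#[serde(default)]`, so any existing config file without a `bridges` table will now fail to deserialize at startup instead of meaning "no bridges". The fallback `Interfaces` built later in this same file already uses `bridges: Vec::new()`, so an empty default is the natural contract; suggest `#[serde(default)]` directly above `bridges: Vec<[String; 2]>,`. The names are also taken as free-form strings and nothing in this diff checks them against the configured interfaces, so a typo in a pair presumably yields FORWARD rules that never match rather than an error — worth a startup check or at least a field comment stating that the names must be configured interfaces.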
diff --git a/src/startup/preload.rs b/src/startup/preload.rs
index e69eef6..a0f1d24 100644
--- a/src/startup/preload.rs
+++ b/src/startup/preload.rs
@@ -123,50 +123,24 @@ fn filter(interfaces: &Interfaces) -> String {
 );
 }
 
- if interfaces.shared_internal {
- for iface in &interfaces.internal {
- // jface (jeans iface)
- for jface in &interfaces.internal {
- // Allow internal traffic across all internal interfaces
- filter += &format!(
- "-A OUTPUT -o {intif} -s {extip}/{extmask} -d {jntip}/{jntmask} -j ACCEPT\n",
- intif = iface.interface,
- extip = interfaces.external.ip,
- extmask = interfaces.external.mask,
- jntip = jface.ip, // jeans IP
- jntmask = jface.mask, // jeans mask
- );
+ for iface in &interfaces.internal {
+ // Allow internal traffic only on network associated with interface
+ filter += &format!(
+ "-A OUTPUT -o {intif} -s {extip}/{extmask} -d {intip}/{intmask} -j ACCEPT\n",
+ intif = iface.interface,
+ extip = interfaces.external.ip,
+ extmask = interfaces.external.mask,
+ intip = iface.ip,
+ intmask = iface.mask,
+ );
 
- // Allow internal traffic from self to internal networks
- filter += &format!(
- "-A OUTPUT -o {intif} -s {intip}/32 -d {jntip}/{jntmask} -j ACCEPT\n",
- intif = iface.interface,
- intip = iface.ip,
- jntip = jface.ip, // jeans IP
- jntmask = jface.mask, // jeans mask
- );
- }
- }
- } else {
- for iface in &interfaces.internal {
- // Allow internal traffic only on network associated with interface
- filter += &format!(
- "-A OUTPUT -o {intif} -s {extip}/{extmask} -d {intip}/{intmask} -j ACCEPT\n",
- intif = iface.interface,
- extip = interfaces.external.ip,
- extmask = interfaces.external.mask,
- intip = iface.ip,
- intmask = iface.mask,
- );
-
- // Allow traffic from self to networks associated with interface
- filter += &format!(
- "-A OUTPUT -o {intif} -s {intip}/32 -d {intip}/{intmask} -j ACCEPT\n",
- intif = iface.interface,
- intip = iface.ip,
- intmask = iface.mask,
- );
- }
+ // Allow traffic from self to networks associated with interface
+ filter += &format!(
+ "-A OUTPUT -o {intif} -s {intip}/32 -d {intip}/{intmask} -j ACCEPT\n",
+ intif = iface.interface,
+ intip = iface.ip,
+ intmask = iface.mask,
+ );
 }
 
 for iface in interfaces.internal.iter().chain(&interfaces.vlan) {
@@ -272,19 +246,15 @@ fn filter(interfaces: &Interfaces) -> String {
 }
 }
 
- // Accept packets over tunnel interfaces
+ // Allow forwarding packets over tunnel interfaces
 for iface in &interfaces.tunnel {
 filter += &format!(
- "-A FORWARD -i {tunface} -j ACCEPT\n",
- tunface = iface.interface,
- );
- filter += &format!(
- "-A FORWARD -o {tunface} -j ACCEPT\n",
+ "-A FORWARD -i {tunface} -o {tunface} -j ACCEPT\n",
 tunface = iface.interface,
 );
 }
 
- // Accept TCP packets
+ // Allow VLANs to respond to related external traffic
 for iface in interfaces.internal.iter().chain(&interfaces.vlan) {
 filter += &format!(
 "-A FORWARD -i {extif} -o {intif} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n",
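Review bot: The deleted `shared_internal` branch was the only place the OUTPUT chain accepted host-originated traffic from one internal interface towards another internal network (`-d {jntip}/{jntmask}`), and the replacement `bridges` configuration in this commit only adds FORWARD rules, so after this hunk the host itself presumably cannot reach a bridged peer network even when the pair is listed — assuming the chain's default policy is not ACCEPT, which is not visible here. If that is intended, a comment on the surviving loop would spare the next reader the archaeology, e.g. `// OUTPUT stays per-interface on purpose; cross-network policy lives only in the FORWARD bridge rules`; if not, the bridge loop needs matching OUTPUT rules for each pair. `filter` starts and ends outside this hunk.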
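Review bot: The new comment `// Allow VLANs to respond to related external traffic` sits over a loop that iterates `interfaces.internal.iter().chain(&interfaces.vlan)`, so it under-describes the rule: internal interfaces receive the same ESTABLISHED,RELATED acceptance from the external interface. Suggest `// Allow internal and VLAN interfaces to receive replies to established external traffic`. `filter` continues outside this hunk.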
@@ -293,34 +263,35 @@ fn filter(interfaces: &Interfaces) -> String {
 );
 }
 
+ // Allow packets across VLAN interface
 for iface in &interfaces.vlan {
- // Allow packets across vlan interface
 filter += &format!(
 "-A FORWARD -i {intif} -o {intif} -j ACCEPT\n",
 intif = iface.interface,
 );
 }
 
- if interfaces.shared_internal {
- for iface in &interfaces.internal {
- // jface (jeans interface)
- for jface in &interfaces.internal {
- // Allow packets across internal interfaces
- filter += &format!(
- "-A FORWARD -i {intif} -o {jntif} -j ACCEPT\n",
- intif = iface.interface,
- jntif = jface.interface, // jntif (jeans intif)
- );
- }
- }
- } else {
- for iface in &interfaces.internal {
- // Allow packets across internal interface
- filter += &format!(
- "-A FORWARD -i {intif} -o {intif} -j ACCEPT\n",
- intif = iface.interface,
- );
- }
+ for iface in &interfaces.internal {
+ // Allow packets across internal interface
+ filter += &format!(
+ "-A FORWARD -i {intif} -o {intif} -j ACCEPT\n",
+ intif = iface.interface,
+ );
+ }
+
+ // Bridge interfaces
+ for [left, right] in interfaces.bridges.iter() {
+ filter += &format!(
+ "-A FORWARD -i {left} -o {right} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n",
+ left = left,
+ right = right,
+ );
+
+ filter += &format!(
+ "-A FORWARD -i {right} -o {left} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n",
+ left = left,
+ right = right,
+ );
 }
 
 // Forward packets to the internet
@@ -389,10 +360,3 @@ fn nat(interfaces: &Interfaces) -> String {
 nat
 }
 
-
-// TODO: SSH
-// # Internal interface, SSH traffic accepted on port 3128
-// -A INPUT -i $INTIF -p tcp --dport 3128 -j ACCEPT
-//
-// # External interface, SSH traffic allowed on port 3128
-// -A INPUT -i $EXTIF -m conntrack -p tcp -s $UNIVERSE -d $EXTIP --dport 3128 -j ACCEPT
diff --git a/templates/home.rs.html b/templates/home.rs.html
index f71025e..12378a7 100644
--- a/templates/home.rs.html
+++ b/templates/home.rs.html
@@ -44,6 +44,19 @@
+
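Review bot: Both bridge rules accept `NEW,ESTABLISHED,RELATED`, so the conntrack match excludes only INVALID and each listed pair becomes a fully open forward in both directions — effectively the reach of the deleted `shared_internal` mesh, spelled out per pair. If the `[left, right]` order is meant to carry direction (left may initiate, right may only answer), the second rule should drop `NEW`: `"-A FORWARD -i {right} -o {left} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n"`; if pairs are intentionally symmetric, the comment should say so, e.g. `// Bridge interfaces: either side of a pair may initiate traffic to the other`. As a matter of style, `for [left, right] in interfaces.bridges.iter()` can be `for [left, right] in &interfaces.bridges`, matching the other loops in this function. `filter` starts and ends outside this hunk.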
+

VLANs

+
+
    + @for iface in &interfaces.vlan { +
  • +

    IP: @iface.ip

    +

    Interface: @iface.interface

    +
  • + } +
+
+

Admin