From b5a418308e39e57d7f409188eb927526ffe3d306 Mon Sep 17 00:00:00 2001
From: asonix
Date: Tue, 9 Jul 2024 18:20:53 -0500
Subject: [PATCH] Be more specific with internal postrouting, add extra dns resolvers

---
 modules/router/default.nix | 29 +++++++++++++++++++++++------
 1 file changed, 23 insertions(+), 6 deletions(-)

diff --git a/modules/router/default.nix b/modules/router/default.nix
index 1827c1a..f778837 100644
--- a/modules/router/default.nix
+++ b/modules/router/default.nix
@@ -356,7 +356,9 @@ in
 chain postrouting {
 type nat hook postrouting priority 100; policy accept;
 oifname $WAN masquerade
- iifname { $WAN, $BRIDGE, $DEVICES, $WIFI } oifname $BRIDGE masquerade
+ iifname $BRIDGE oifname $BRIDGE ip daddr $HTTP_HOST tcp dport { 80, 443 } masquerade
+ iifname $BRIDGE oifname $BRIDGE ip daddr $FORGEJO_HOST tcp dport $FORGEJO_SSH_PORT masquerade
+ iifname $BRIDGE oifname $BRIDGE ip daddr $DRAWPILE_HOST tcp dport $DRAWPILE_TCP_PORT masquerade
 }
 }
@@ -371,7 +373,9 @@ in
 chain postrouting {
 type nat hook postrouting priority 100; policy accept;
 oifname $WAN masquerade
- iifname { $WAN, $BRIDGE, $DEVICES, $WIFI } oifname $BRIDGE masquerade
+ iifname $BRIDGE oifname $BRIDGE ip6 daddr $HTTP_HOST_V6 tcp dport { 80, 443 } masquerade
+ iifname $BRIDGE oifname $BRIDGE ip6 daddr $FORGEJO_HOST_V6 tcp dport $FORGEJO_SSH_PORT masquerade
+ iifname $BRIDGE oifname $BRIDGE ip6 daddr $DRAWPILE_HOST_V6 tcp dport $DRAWPILE_TCP_PORT masquerade
 }
 }
 '';
@@ -386,10 +390,23 @@ in
 enable = true;
 settings = {
 server = [
- "9.9.9.9"
- "9.9.9.10"
- "2620:fe::fe"
- "2620:fe::9"
+ # OpenDNS
 "208.67.222.222"
 "208.67.220.220"
 "2620:119:53::35"
 "2620:119:53::53"
+ # Quad9
 "9.9.9.11"
 "149.112.112.11"
 "2620:fe::11"
 "2620:fe::fe:11"
+ # Cloudflare
 "1.1.1.1"
 "1.0.0.1"
 "2606:4700:4700::1111"
 "2606:4700:4700::1001"
 ];
 domain-needed = true;
 bogus-priv = true;
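Review bot: The three new hairpin masquerade rules hard-code destination/port tuples that the matching dnat rules must carry identically (the `{ 80, 443 }` set is repeated verbatim in the ip6 hunk below), and a tuple that drifts between the two places fails quietly — that one service simply stops working for LAN clients while everything else keeps passing. A shared `define HTTP_PORTS = { 80, 443 }` used by both tables and by the prerouting chain (not in this hunk, so presumably elsewhere in the ruleset) would keep them in lock-step, and a one-line `# hairpin NAT for LAN clients reaching the public service addresses; keep port-for-port in sync with chain prerouting` above the rules would record why the broad rule was narrowed. Note also that clients on $DEVICES and $WIFI, which the removed rule covered, are no longer source-NATed toward these hosts; that is fine if the bridge hosts route replies back through this router, but the intent deserves a comment since the commit message does not state it. The enclosing table starts outside the hunk.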
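Review bot: `"2620:119:53::35"` in the OpenDNS group looks like a typo — OpenDNS publishes its IPv6 resolvers as 2620:119:35::35 and 2620:119:53::53, so as written this entry would be a dead upstream that dnsmasq keeps retrying; verify it against the provider's current documentation before merging. The three providers also differ in policy: the Quad9 and OpenDNS addresses filter known-malicious domains (and 9.9.9.11 / 149.112.112.11 appear to be Quad9's ECS-enabled variant, which forwards client-subnet information upstream), 1.1.1.1 / 1.0.0.1 do not filter, and with neither `strict-order` nor `all-servers` among the visible settings dnsmasq uses whichever upstream answers fastest, so the filtering a client actually gets is nondeterministic. A comment such as `# upstreams mix filtering (Quad9, OpenDNS) and non-filtering (Cloudflare) resolvers; dnsmasq picks the fastest responder` would make that trade-off explicit, or drop the non-filtering pair if blocking is the intent.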