From 58bd1dd0b92ba6666d3efe5186fffbbac6b87a04 Mon Sep 17 00:00:00 2001
From: chn
Date: Fri, 20 Sep 2024 01:43:27 +0800
Subject: [PATCH] modules.services.xray: fix firewall

---
 devices/pc/default.nix | 1 -
 devices/srv1/node0/default.nix | 3 ---
 devices/surface/default.nix | 1 -
 devices/xmupc1/default.nix | 1 -
 devices/xmupc2/default.nix | 1 -
 modules/services/default.nix | 2 --
 modules/services/docker.nix | 1 -
 modules/services/wireguard.nix | 1 -
 modules/services/xray/default.nix | 9 +++++++++
 modules/system/security.nix | 2 ++
 10 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/devices/pc/default.nix b/devices/pc/default.nix
index 5ea84e90..eb991d86 100644
--- a/devices/pc/default.nix
+++ b/devices/pc/default.nix
@@ -105,7 +105,6 @@ inputs:
 ++ [{ name = "4006024680.com"; value = "192.168.199.1"; }]
 );
 };
- firewall.trustedInterfaces = [ "virbr0" "waydroid0" ];
 acme.cert."debug.mirism.one" = {};
 frpClient =
 {
diff --git a/devices/srv1/node0/default.nix b/devices/srv1/node0/default.nix
index 59b78190..8b70a397 100644
--- a/devices/srv1/node0/default.nix
+++ b/devices/srv1/node0/default.nix
@@ -55,8 +55,5 @@ inputs:
 options = [ "rbind" ];
 };
 };
- # without this, tproxy does not work
- # TODO: why?
- networking.firewall.trustedInterfaces = [ "eno146" ];
 };
 }
diff --git a/devices/surface/default.nix b/devices/surface/default.nix
index df81337e..4817e1c6 100644
--- a/devices/surface/default.nix
+++ b/devices/surface/default.nix
@@ -43,7 +43,6 @@ inputs:
 "dispatchcnglobal.yuanshen.com"
 ]);
 };
- firewall.trustedInterfaces = [ "virbr0" ];
 wireguard =
 {
 enable = true;
diff --git a/devices/xmupc1/default.nix b/devices/xmupc1/default.nix
index 96e04a7e..2328d25a 100644
--- a/devices/xmupc1/default.nix
+++ b/devices/xmupc1/default.nix
@@ -57,7 +57,6 @@ inputs:
 snapper.enable = true;
 sshd = { passwordAuthentication = true; groupBanner = true; };
 xray.client.enable = true;
- firewall.trustedInterfaces = [ "virbr0" ];
 smartd.enable = true;
 beesd.instances =
 {
diff --git a/devices/xmupc2/default.nix b/devices/xmupc2/default.nix
index 1c0a61ad..50eb9dfa 100644
--- a/devices/xmupc2/default.nix
+++ b/devices/xmupc2/default.nix
@@ -60,7 +60,6 @@ inputs:
 snapper.enable = true;
 sshd = { passwordAuthentication = true; groupBanner = true; };
 xray.client.enable = true;
- firewall.trustedInterfaces = [ "virbr0" ];
 smartd.enable = true;
 beesd.instances.root = { device = "/"; hashTableSizeMB = 16384; threads = 4; };
 wireguard =
diff --git a/modules/services/default.nix b/modules/services/default.nix
index e75950ef..cde6d81d 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -3,7 +3,6 @@ inputs:
 imports = inputs.localLib.findModules ./.;
 options.nixos.services = let inherit (inputs.lib) mkOption types; in
 {
- firewall.trustedInterfaces = mkOption { type = types.listOf types.nonEmptyStr; default = []; };
 smartd.enable = mkOption { type = types.bool; default = false; };
 wallabag.enable = mkOption { type = types.bool; default = false; };
 noisetorch.enable = mkOption { type = types.bool; default = inputs.config.nixos.system.gui.preferred; };
@@ -16,7 +15,6 @@ inputs:
 inherit (builtins) map listToAttrs toString;
 in mkMerge
 [
- { networking.firewall.trustedInterfaces = services.firewall.trustedInterfaces; }
 (mkIf services.smartd.enable { services.smartd.enable = true; })
 (
 mkIf services.wallabag.enable
diff --git a/modules/services/docker.nix b/modules/services/docker.nix
index 5da8cd40..37a7d84d 100644
--- a/modules/services/docker.nix
+++ b/modules/services/docker.nix
@@ -33,7 +33,6 @@ inputs:
 storageDriver = "overlay2";
 daemon.settings.dns = [ "1.1.1.1" ];
 };
- nixos.services.firewall.trustedInterfaces = [ "docker0" ];
 }
 ];
 }
diff --git a/modules/services/wireguard.nix b/modules/services/wireguard.nix
index e397d6b2..fb2982b0 100644
--- a/modules/services/wireguard.nix
+++ b/modules/services/wireguard.nix
@@ -41,7 +41,6 @@ inputs:
 firewall =
 {
 allowedUDPPorts = inputs.lib.mkIf (!wireguard.behindNat) [ wireguard.listenPort ];
- trustedInterfaces = [ "wireguard" ];
 };
 wireguard.interfaces.wireguard =
 {
diff --git a/modules/services/xray/default.nix b/modules/services/xray/default.nix
index 750448ae..15a04f9d 100644
--- a/modules/services/xray/default.nix
+++ b/modules/services/xray/default.nix
@@ -25,6 +25,8 @@ inputs:
 noproxyTcpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
 noproxyUdpPorts = mkOption { type = types.listOf types.ints.unsigned; default = []; };
 };
+ # 是否允许代理来自其它机器的流量(相关端口会被放行)
+ allowForward = mkOption { type = types.bool; default = true; };
 };
 server = mkOption
 {
@@ -329,6 +331,13 @@ inputs:
 groups.v2ray.gid = inputs.config.nixos.user.gid.v2ray;
 };
 environment.etc."resolv.conf".text = "nameserver 127.0.0.1";
+ networking.firewall =
+ {
+ allowedTCPPorts = [ 53 ];
+ allowedUDPPorts = [ 53 ];
+ allowedTCPPortRanges = [{ from = 10880; to = 10884; }];
+ allowedUDPPortRanges = [{ from = 10880; to = 10884; }];
+ };
 }
 )
 (
diff --git a/modules/system/security.nix b/modules/system/security.nix
index 455aeed4..e2585164 100644
--- a/modules/system/security.nix
+++ b/modules/system/security.nix
@@ -43,5 +43,7 @@ inputs:
 sudo.extraConfig = "Defaults pwfeedback";
 };
 systemd.user.extraConfig = "DefaultLimitNOFILE=65536:524288";
+ # needed by xray tproxy if we want to forward traffic from other machine
+ networking.firewall.checkReversePath = false;
 };
 }
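Review bot: The `allowForward` option added in the first xray hunk (`@@ -25,6 +25,8 @@`) is never consulted by the firewall rules added in the second (`@@ -329,6 +331,13 @@`): TCP/UDP 53 and 10880–10884 are opened unconditionally, so the option is a no-op unless an enclosing `mkIf` outside the hunk already tests it, which the visible lines do not show. With the default `true`, every host that enables the xray client exposes its local resolver (`resolv.conf` points at 127.0.0.1) and the proxy inbounds on all interfaces, a wider exposure than the per-interface `trustedInterfaces` bypass this commit removes. Wrap the attribute set in `inputs.lib.mkIf <xray-client-option-path>.allowForward` (placeholder for the option as read in this module), consider defaulting it to `false`, and where possible scope the ports per interface via `networking.firewall.interfaces.<name>.allowedTCPPorts`. The option comment should be in English like the rest of the file, e.g. `# whether to proxy traffic from other machines (the relevant ports are opened)`. Both hunks sit inside attribute sets whose start and end are outside the hunk.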
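Review bot: `networking.firewall.checkReversePath = false;` is set unconditionally in the shared security module, so every host that imports it loses reverse-path (anti-spoofing) filtering, not only the hosts running the xray tproxy that the comment cites. Moving the setting into the xray module next to the new firewall rules and gating it on `allowForward` limits the weakening to where it is needed. NixOS also accepts `networking.firewall.checkReversePath = "loose";`, which is often sufficient for policy-routed/tproxy traffic while still dropping packets whose source has no route at all, and is worth trying before disabling the check entirely. The comment could read `# needed by xray tproxy when forwarding traffic from other machines`. The enclosing attribute set starts outside the hunk.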