Networking: Difference between revisions

From NixOS Wiki

imported>Ento: m Fix indentation
imported>Onny: Add section on port forwarding
Revision as of 10:14, 21 January 2023

This site provides snippets for configuring your network just right for the use case you are looking for. All configuration is for configuration.nix.

Configuration

Hosts file

To edit /etc/hosts just add something like this to your configuration.nix:

networking.extraHosts = ''
  127.0.0.2 other-localhost
  10.0.0.1 server
'';

Port forwarding

In this example we're going to forward port 80 via NAT from our external network interface ens3 to the host 10.100.0.3 on our internal interface wg0.

networking = {
  firewall = {
    enable = true;
    # Opens TCP 80 in the host firewall (INPUT chain).
    allowedTCPPorts = [ 80 ];
    # Source-NAT the forwarded traffic as well, so the backend at 10.100.0.3
    # sees the NAT host as the client and its replies return through this host.
    extraCommands = "iptables -t nat -A POSTROUTING -d 10.100.0.3 -p tcp -m tcp --dport 80 -j MASQUERADE";
  };
  nat = {
    enable = true;
    internalInterfaces = [ "wg0" ];
    externalInterface = "ens3";
    # DNAT: TCP 80 arriving on ens3 is rewritten to 10.100.0.3:80.
    forwardPorts = [
      {
        sourcePort = 80;
        proto = "tcp";
        destination = "10.100.0.3:80";
      }
    ];
  };
};
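A practical way to confirm that the configuration above actually produced the intended NAT rules, and nothing broader, is to audit the nat table that iptables-save prints on the host. The following script is an added example, not part of the wiki page or of NixOS itself: it parses a constructed, simplified iptables-save excerpt (real NixOS output uses its own nixos-nat-* chains and more rules, so the sample only mirrors the rule shapes), lists the DNAT port forwards, checks that the ens3/tcp/80 -> 10.100.0.3:80 forward and its matching POSTROUTING MASQUERADE rule exist, and flags any DNAT rule that has no -i interface match, since such a rule rewrites matching packets arriving on every interface, internal ones included.

```python
"""Audit an iptables-save nat table for the DNAT/MASQUERADE rules a port
forward is expected to produce. Added example; the sample input below is
constructed and simplified, not real NixOS output."""
from dataclasses import dataclass
from typing import Optional

# Constructed iptables-save excerpt (run `iptables-save -t nat` on a real host).
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ens3 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.100.0.3:80
-A PREROUTING -p tcp -m tcp --dport 8080 -j DNAT --to-destination 10.100.0.4:8080
-A POSTROUTING -d 10.100.0.3/32 -p tcp -m tcp --dport 80 -j MASQUERADE
-A POSTROUTING -s 10.100.0.0/24 -o ens3 -j MASQUERADE
COMMIT
"""

@dataclass(frozen=True)
class NatRule:
    chain: str
    target: str
    in_iface: Optional[str] = None
    out_iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    to_dest: Optional[str] = None

# Options that take exactly one argument in iptables-save output.
_ONE_ARG = {"-i", "-o", "-p", "-s", "-d", "-m", "-j", "--dport", "--to-destination"}

def parse_rule(line: str) -> Optional[NatRule]:
    """Parse one '-A CHAIN ...' line; return None for any other line."""
    tokens = line.split()
    if len(tokens) < 2 or tokens[0] != "-A":
        return None
    chain, opts, i = tokens[1], {}, 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            # Negated match ('! -i eth0'): not modelled, skip option and argument.
            i += 3 if i + 1 < len(tokens) and tokens[i + 1] in _ONE_ARG else 2
            continue
        if tok in _ONE_ARG and i + 1 < len(tokens):
            opts[tok] = tokens[i + 1]
            i += 2
        else:
            i += 1  # flag we do not model (e.g. --ctstate NEW)
    if "-j" not in opts:
        return None
    dst = opts.get("-d")
    if dst and dst.endswith("/32"):
        dst = dst[:-3]  # iptables-save writes host addresses as /32
    return NatRule(chain=chain, target=opts["-j"], in_iface=opts.get("-i"),
                   out_iface=opts.get("-o"), proto=opts.get("-p"),
                   src=opts.get("-s"), dst=dst,
                   dport=int(opts["--dport"]) if "--dport" in opts else None,
                   to_dest=opts.get("--to-destination"))

def parse_nat_table(text: str) -> list:
    """Return the rules of the *nat table only, ignoring other tables."""
    rules, in_nat = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            in_nat = line == "*nat"
        elif line == "COMMIT":
            in_nat = False
        elif in_nat:
            rule = parse_rule(line)
            if rule:
                rules.append(rule)
    return rules

def dnat_forwards(rules: list) -> list:
    return [r for r in rules if r.target == "DNAT" and r.to_dest]

def has_forward(rules: list, in_iface: str, proto: str, port: int, destination: str) -> bool:
    """True if a DNAT rule forwards in_iface/proto/port to destination."""
    return any(r.in_iface == in_iface and r.proto == proto and r.dport == port
               and r.to_dest == destination for r in dnat_forwards(rules))

def unscoped_forwards(rules: list) -> list:
    """DNAT rules without '-i': they match packets arriving on every interface."""
    return [r for r in dnat_forwards(rules) if r.in_iface is None]

def has_masquerade_for(rules: list, dst: str, proto: str, port: int) -> bool:
    """True if traffic forwarded to dst:port is also source-NATed, so the
    backend replies to the NAT host rather than directly to the client."""
    return any(r.target == "MASQUERADE" and r.dst == dst and r.proto == proto
               and r.dport == port for r in rules)

if __name__ == "__main__":
    rules = parse_nat_table(SAMPLE_NAT)
    for r in dnat_forwards(rules):
        print(f"{r.in_iface or '*'} {r.proto}/{r.dport} -> {r.to_dest}")
    print("expected forward present:", has_forward(rules, "ens3", "tcp", 80, "10.100.0.3:80"))
    print("masquerade for backend:", has_masquerade_for(rules, "10.100.0.3", "tcp", 80))
    print("unscoped forwards:", [r.to_dest for r in unscoped_forwards(rules)])
```

On a real host, replace SAMPLE_NAT with the output of `iptables-save -t nat` (root required); the second sample rule, which forwards 8080 without an interface match, is the kind of entry the unscoped check is meant to surface.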

IPv6

Prefix delegation with fixed DUID

Sometimes the hosting provider manages IPv6 networks via a so-called DUID or clientid. This snippet is required to make the network routable:

{ config, pkgs, ... }:

let
  # Get this from your hosting provider
  clientid = "00:11:22:33:44:55:66:77:88:99";
  interface = "enp2s0";
  subnet = "56";
  network = "2001:bbb:3333:1111::/${subnet}";
  own_ip = "2001:bbb:3333:1111::1/${subnet}";
in {
  # ... snip ...

  networking.enableIPv6 = true;
  networking.useDHCP = true;
  networking.dhcpcd.persistent = true;
  networking.dhcpcd.extraConfig = ''
    clientid "${clientid}"
    noipv6rs
    interface ${interface}
    ia_pd 1/${network} ${interface}
    static ip6_address=${own_ip}
  '';
  # dhcpcd reads its DUID from this file (see the note below for newer versions)
  environment.etc."dhcpcd.duid".text = clientid;

}

Source: gleber gist for online.net IPv6 config in NixOS

Note: Recent versions of dhcpcd move the DUID file to /var/db/dhcpcd/duid. For that to work, you have to replace the above environment.etc line with something like:

systemd.services.dhcpcd.preStart = ''
  cp ${pkgs.writeText "duid" "<ID>"} /var/db/dhcpcd/duid
'';

VLANs

See: VLAN information in the manual

The example below is a complete networking section showing two interfaces, one with VLAN trunk tagging and one without.

eth1 is a normal network interface at 192.168.1.2, with no VLAN information.

eth0 is the VLAN trunk, carrying two tagged VLANs: VLAN 100 and VLAN 101.

vlan100 is in the 10.1.1.x network and vlan101 is in the 10.10.10.x network.

The hostId should be random data, derived from something like:

head -c4 /dev/urandom | od -A none -t x4

See the manual for more information.


Complete networking section example:

networking = {
  hostId = "deadb33f";
  hostName = "nixos";
  domain = "example.com";
  dhcpcd.enable = false;
  usePredictableInterfaceNames = false;
  # Untagged interface
  interfaces.eth1.ipv4.addresses = [{
    address = "192.168.1.2";
    prefixLength = 28;
  }];
  # Tagged VLANs on the eth0 trunk
  vlans = {
    vlan100 = { id = 100; interface = "eth0"; };
    vlan101 = { id = 101; interface = "eth0"; };
  };
  interfaces.vlan100.ipv4.addresses = [{
    address = "10.1.1.2";
    prefixLength = 24;
  }];
  interfaces.vlan101.ipv4.addresses = [{
    address = "10.10.10.3";
    prefixLength = 24;
  }];
  defaultGateway = "192.168.1.1";
  nameservers = [ "1.1.1.1" "8.8.8.8" ];
};