(network) moved dnsmasq configuration to examples/network, added

`nftables.conf`
2025-11-17 22:51:17 +01:00
parent f493d6883a
commit 11a9486a8c
3 changed files with 42 additions and 2 deletions
--- a/examples/network/dnsmasq.conf
+++ b/examples/network/dnsmasq.conf
@@ -0,0 +1,59 @@
+# Configuration file for dnsmasq.
+#
+# Format is one option per line, legal options are the same
+# as the long options legal on the command line. See
+# "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
+
+# Listen on this specific port instead of the standard DNS port
+# (53). Setting this to zero completely disables DNS function,
+# leaving only DHCP and/or TFTP.
+#port=5353
+
+# The following two options make you a better netizen, since they
+# tell dnsmasq to filter out queries which the public DNS cannot
+# answer, and which load the servers (especially the root servers)
+# unnecessarily. If you have a dial-on-demand link they also stop
+# these requests from bringing up the link unnecessarily.
+
+# Never forward plain names (without a dot or domain part)
+domain-needed
+# Never forward addresses in the non-routed address spaces.
+bogus-priv
+
+# Uncomment this to filter useless windows-originated DNS requests
+# which can trigger dial-on-demand links needlessly.
+# Note that (amongst other things) this blocks all SRV requests,
+# so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
+# This option only affects forwarding, SRV records originating for
+# dnsmasq (via srv-host= lines) are not suppressed by it.
+filterwin2k
+
+# If you want dnsmasq to listen for DHCP and DNS requests only on
+# specified interfaces (and the loopback) give the name of the
+# interface (eg eth0) here.
+# Repeat the line for more than one interface.
+interface=enp3s0
+
+# Set this (and domain: see below) if you want to have a domain
+# automatically added to simple names in a hosts-file.
+expand-hosts
+
+# Set the domain for dnsmasq. this is optional, but if it is set, it
+# does the following things.
+# 1) Allows DHCP hosts to have fully qualified domain names, as long
+#     as the domain part matches this setting.
+# 2) Sets the "domain" DHCP option thereby potentially setting the
+#    domain of all systems configured by DHCP
+# 3) Provides the domain part for "expand-hosts"
+domain=quakers
+
+# Uncomment this to enable the integrated DHCP server, you need
+# to supply the range of addresses available for lease and optionally
+# a lease time. If you have more than one network, you will need to
+# repeat this for each network on which you want to supply DHCP
+# service.
+dhcp-range=10.0.0.2,10.0.0.254,12h
+
+
+# For static ip assignment use the option `dhcp-host`
+#dhcp-host=11:22:33:44:55:66,192.168.0.60
--- a/examples/network/nftables.conf
+++ b/examples/network/nftables.conf
@@ -0,0 +1,40 @@
+#!/usr/sbin/nft -f
+
+# example configuration for a router
+
+define loop_interface = "lo"
+define wan_interface = "enp0s0"
+define lan_interface = "enp1s0"
+define local_network = 192.168.1.0/24
+
+flush ruleset
+
+table ip routing {
+    chain masquerading {
+        type nat hook postrouting priority 100; policy accept;
+        ip saddr { $local_network } ip daddr != { $local_network } oifname { $wan_interface } masquerade
+    }
+}
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop;
+        iif { $loop_interface } accept
+        iif { $lan_interface } accept
+        ct state { related, established } accept
+        ct state invalid drop
+        meta l4proto icmp accept
+        icmp type echo-request limit rate 5/second accept
+    }
+
+    chain output {
+        type filter hook output priority 0; policy accept;
+    }
+
+    chain forward {
+        type filter hook forward priority 0; policy drop;
+        ct state { related, established } accept
+        ct state invalid drop
+        iif { $lan_interface } accept
+    }
+}