diff --git a/ingress-nginx/services/service-200.yaml b/ingress-nginx/services/service-200.yaml
index 56b9a16..cb086d6 100644
--- a/ingress-nginx/services/service-200.yaml
+++ b/ingress-nginx/services/service-200.yaml
@@ -6,6 +6,7 @@ metadata:
 spec:
 type: LoadBalancer
 loadBalancerIP: 192.168.200.10
+ externalTrafficPolicy: Local
 selector:
 app.kubernetes.io/name: ingress-nginx
 ports:
diff --git a/wireguard/deployments/deployment.yaml b/wireguard/deployments/deployment.yaml
index 61ece73..8b05ec8 100644
--- a/wireguard/deployments/deployment.yaml
+++ b/wireguard/deployments/deployment.yaml
@@ -24,9 +24,9 @@ spec:
 - name: WG_DEFAULT_ADDRESS
 value: "192.168.254.x"
 - name: WG_DEFAULT_ALLOWEDIPS
- value: "192.168.0.0/24,10.42.0.0/16"
+ value: "192.168.0.0/24,10.42.0.0/16,192.168.200.0/24"
 - name: WG_DEFAULT_DNS
- value: "192.168.0.1"
+ value: "192.168.200.11"
 - name: PASSWORD_HASH
 valueFrom:
 secretKeyRef:
diff --git a/wireguard/deployments/iptables.yaml b/wireguard/deployments/iptables.yaml
new file mode 100644
index 0000000..45c9c6e
--- /dev/null
+++ b/wireguard/deployments/iptables.yaml
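Review bot: `externalTrafficPolicy: Local` changes which nodes can serve 192.168.200.10: only a node that actually runs a pod matching `app.kubernetes.io/name: ingress-nginx` will accept traffic for that address, so if the address is announced (the new DaemonSet's comments mention MetalLB) from a node without a controller pod, the ingress is unreachable until the announcement moves. The gain is that ingress-nginx sees the real client source address instead of a node-SNAT address, which matters for access logs and any source-based allowlists. I would document the trade-off next to the line, e.g. `# Local: preserves client IP; only nodes running an ingress-nginx pod can serve this address`, and confirm the controller is scheduled on every node that may announce the IP (or runs as a DaemonSet). The rest of the Service spec (`ports:`) is outside the hunk.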
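Review bot: The peer AllowedIPs default keeps `10.42.0.0/16` while the new `wireguard/deployments/iptables.yaml` defines `POD_CIDR="10.244.0.0/16"` and only opens FORWARD from wg0 toward 192.168.200.0/24 and 192.168.0.0/24, so peer traffic for 10.42.0.0/16 is pulled into the tunnel but is neither forwarded nor NATed by those rules; whichever pod CIDR is the right one, the two files should agree or the entry should go. Presumably `WG_DEFAULT_*` only seeds newly created peers, so existing peer configs keep the old DNS (192.168.0.1) and AllowedIPs until they are regenerated, which is worth stating in a comment such as `# defaults for new peers only; keep in sync with iptables.yaml FORWARD/NAT rules`. Note also that 192.168.200.11 as peer DNS is reachable only through the same FORWARD/NAT rules, so name resolution for peers now depends on that DaemonSet being healthy on the node that terminates wg0.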
@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: wg-nat-rules
+ namespace: wireguard
+spec:
+ selector:
+ matchLabels:
+ app: wg-nat-rules
+ template:
+ metadata:
+ labels:
+ app: wg-nat-rules
+ spec:
+ hostNetwork: true
+ containers:
+ - name: iptables
+ image: alpine:latest
+ securityContext:
+ privileged: true
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -e
+ # Variables (ajústalas si cambian)
+ WG_IF="wg0"
+ WG_SUBNET="192.168.254.0/24" # subred de tus peers en wg-easy
+ LB200_CIDR="192.168.200.0/24" # red br-srv / MetalLB (Ingress / servicios internos)
+ LAN_CIDR="192.168.0.0/24" # tu LAN clásica
+ POD_CIDR="10.244.0.0/16" # Pod CIDR (opcional)
+ SVC_CIDR="10.96.0.0/12" # Service CIDR (opcional)
+
+ # Herramientas
+ apk add --no-cache iptables iproute2 >/dev/null 2>&1 || true
+
+ # IP forward y rp_filter (no hagas fallar el contenedor si no deja)
+ sysctl -w net.ipv4.ip_forward=1 || true
+ sysctl -w net.ipv4.conf.all.rp_filter=0 || true
+ sysctl -w net.ipv4.conf.default.rp_filter=0 || true
+
+ # FORWARD: permite tráfico desde wg0 hacia 200.x y 0.x, y retorno
+ iptables -C FORWARD -i ${WG_IF} -d ${LB200_CIDR} -j ACCEPT 2>/dev/null || \
+ iptables -A FORWARD -i ${WG_IF} -d ${LB200_CIDR} -j ACCEPT
+ iptables -C FORWARD -i ${WG_IF} -d ${LAN_CIDR} -j ACCEPT 2>/dev/null || \
+ iptables -A FORWARD -i ${WG_IF} -d ${LAN_CIDR} -j ACCEPT
+ iptables -C FORWARD -o ${WG_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || \
+ iptables -A FORWARD -o ${WG_IF} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
+
+ # NAT: WG -> 200.x (Ingress/DNS internos)
+ iptables -t nat -C POSTROUTING -s ${WG_SUBNET} -d ${LB200_CIDR} -j MASQUERADE 2>/dev/null || \
+ iptables -t nat -A POSTROUTING -s ${WG_SUBNET} -d ${LB200_CIDR} -j MASQUERADE
+
+ # NAT: WG -> 192.168.0.0/24 (LAN)
+ iptables -t nat -C POSTROUTING -s ${WG_SUBNET} -d ${LAN_CIDR} -j MASQUERADE 2>/dev/null || \
+ iptables -t nat -A POSTROUTING -s ${WG_SUBNET} -d ${LAN_CIDR} -j
MASQUERADE
+
+ # (Opcional) NAT: WG -> Pod/Service CIDR si alguna vez accedes a Pods/ClusterIP
+ # iptables -t nat -C POSTROUTING -s ${WG_SUBNET} -d ${POD_CIDR} -j MASQUERADE 2>/dev/null || \
+ # iptables -t nat -A POSTROUTING -s ${WG_SUBNET} -d ${POD_CIDR} -j MASQUERADE
+ # iptables -t nat -C POSTROUTING -s ${WG_SUBNET} -d ${SVC_CIDR} -j MASQUERADE 2>/dev/null || \
+ # iptables -t nat -A POSTROUTING -s ${WG_SUBNET} -d ${SVC_CIDR} -j MASQUERADE
+
+ # Mantener vivo
+ sleep infinity
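Review bot: `sysctl -w net.ipv4.conf.all.rp_filter=0` and `sysctl -w net.ipv4.conf.default.rp_filter=0` switch off reverse-path filtering for every interface on every node this DaemonSet lands on (it is `privileged: true` with `hostNetwork: true`), which removes the kernel's basic anti-spoofing check cluster-wide when the script only needs it relaxed for the tunnel interface. Scope it to the interface the FORWARD rules already assume lives in the host namespace, `sysctl -w net.ipv4.conf.${WG_IF}.rp_filter=2 || true` (loose mode), and drop the two host-wide lines; the effective value is the max of `conf.all` and the per-interface setting, so leaving `conf.all` at the node's default keeps strict filtering elsewhere. Two related points: the MASQUERADE toward 192.168.200.0/24 means ingress-nginx on 192.168.200.10 sees the node address rather than the peer's 192.168.254.x, which undoes for VPN clients the source-IP preservation that the `externalTrafficPolicy: Local` change in service-200.yaml buys. And `image: alpine:latest` plus `apk add ... || true` at start-up means a privileged pod installs unpinned packages from the network on every restart and continues silently if that fails, leaving the rules unapplied; pin the image (e.g. `alpine:<pinned-tag>@sha256:<digest>`, placeholder values) and prefer an image that already ships iptables so start-up needs no package download.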