jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

nat table

Browse Source
This commit is contained in:
Danilo Reyes
2026-02-06 06:44:47 -06:00
parent a15db616b4
commit 1fd29a5f4f
3 changed files with 59 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

101
hosts/vps/configuration.nix
View File

@@ -47,57 +47,70 @@ in
};
};
image.modules.linode = { };
networking.hostName = "vps";
services.smartd.enable = lib.mkForce false;
environment.systemPackages = [ ];
networking.nftables.enable = true;
networking.firewall = {
enable = true;
filterForward = true;
checkReversePath = "loose";
allowedTCPPorts = [ sshPort ] ++ webPorts;
allowedUDPPorts = [ wgPort ];
extraForwardRules = ''
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
networking = {
hostName = "vps";
nat = {
inherit externalInterface;
enable = true;
internalInterfaces = [ "wg0" ];
forwardPorts = [
{
sourcePort = giteaSshPort;
proto = "tcp";
destination = "${homeServer}:${giteaSshPortStr}";
}
];
};
nftables = {
enable = true;
tables."vps-snat" = {
family = "ip";
content = ''
chain postrouting {
type nat hook postrouting priority srcnat;
iifname "${externalInterface}" oifname "${wgInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} masquerade comment "snat ssh forward"
}
'';
};
};
firewall = {
enable = true;
filterForward = true;
checkReversePath = "loose";
allowedTCPPorts = [ sshPort ] ++ webPorts;
allowedUDPPorts = [ wgPort ];
extraForwardRules = ''
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
iifname "${wgInterface}" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "${wgInterface}" ip saddr ${wgGuest1}/32 ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
iifname "${wgInterface}" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
iifname "${wgInterface}" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept
iifname "${externalInterface}" ip daddr ${homeServer}/32 tcp dport ${giteaSshPortStr} accept
ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
'';
};
networking.nat = {
enable = true;
inherit externalInterface;
internalInterfaces = [ "wg0" ];
forwardPorts = [
{
sourcePort = giteaSshPort;
proto = "tcp";
destination = "${homeServer}:${giteaSshPortStr}";
}
];
ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
'';
};
};
security.sudo-rs.extraRules = [
{