jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

working version firewall

Browse Source
This commit is contained in:
Danilo Reyes
2026-02-05 17:49:11 -06:00
parent afbffaa203
commit 6079e6446c
1 changed files with 64 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

103
hosts/vps/configuration.nix
View File

@@ -4,6 +4,24 @@
inputs, inputs,
... ...
}: }:
let
externalInterface = config.my.interfaces.${config.networking.hostName};
homeServer = config.my.ips.wg-server;
wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
wgServerSubnet = "10.77.0.0/24";
wgFriend1 = config.my.ips.wg-friend1;
wgFriend2 = config.my.ips.wg-friend2;
wgFriend3 = config.my.ips.wg-friend3;
wgFriend4 = config.my.ips.wg-friend4;
giteaSshPort = 22;
giteaSshPortStr = toString giteaSshPort;
syncthingPort = toString 22000;
synapseFederationPort = toString 8448;
synapseClientPort = toString config.my.servers.synapse.port;
syncplayPort = toString config.my.servers.syncplay.port;
stashPort = toString config.my.servers.stash.port;
in
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
@@ -24,28 +42,11 @@
networking.hostName = "vps"; networking.hostName = "vps";
services.smartd.enable = lib.mkForce false; services.smartd.enable = lib.mkForce false;
environment.systemPackages = [ ]; environment.systemPackages = [ ];
networking.firewall = networking.nftables.enable = true;
let networking.firewall = {
externalInterface = config.my.interfaces.${config.networking.hostName};
homeServer = config.my.ips.wg-server;
wgSubnet = "${config.my.ips.wg-s}/24";
wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
wgFriend1 = config.my.ips.wg-friend1;
wgFriend2 = config.my.ips.wg-friend2;
wgFriend3 = config.my.ips.wg-friend3;
wgFriend4 = config.my.ips.wg-friend4;
giteaSshPort = toString 22;
syncthingPort = toString 22000;
synapseFederationPort = toString 8448;
synapseClientPort = toString config.my.servers.synapse.port;
syncplayPort = toString config.my.servers.syncplay.port;
stashPort = toString config.my.servers.stash.port;
in
{
enable = true; enable = true;
filterForward = true;
checkReversePath = "loose";
allowedTCPPorts = [ allowedTCPPorts = [
80 80
443 443
@@ -53,43 +54,43 @@
]; ];
allowedUDPPorts = [ 51820 ]; allowedUDPPorts = [ 51820 ];
extraForwardRules = '' extraForwardRules = ''
ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "wg0" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "wg0" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "wg0" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept iifname "wg0" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} icmp type echo-reply accept iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept iifname "wg0" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept iifname "wg0" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
ip saddr ${homeServer}/32 ip daddr ${wgGuestsSubnet} icmp type echo-reply accept
ip saddr ${wgFriendsSubnet} ip daddr ${wgSubnet} drop ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgSubnet} ip daddr ${wgFriendsSubnet} drop ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgSubnet} drop ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgSubnet} ip daddr ${wgGuestsSubnet} drop ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
''; '';
extraCommands = '' };
iptables -t nat -A PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} networking.nat = {
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE enable = true;
iptables -t nat -A POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE inherit externalInterface;
iptables -t nat -A POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE internalInterfaces = [ "wg0" ];
''; forwardPorts = [
extraStopCommands = '' {
iptables -t nat -D PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} || true sourcePort = giteaSshPort;
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE || true proto = "tcp";
iptables -t nat -D POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE || true destination = "${homeServer}:${giteaSshPortStr}";
iptables -t nat -D POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE || true }
''; ];
}; };
security.sudo-rs.extraRules = [ security.sudo-rs.extraRules = [
{ {