working version firewall

This commit is contained in:
Danilo Reyes
2026-02-05 17:49:11 -06:00
parent afbffaa203
commit 6079e6446c


@@ -4,6 +4,24 @@
inputs, inputs,
... ...
}: }:
let
externalInterface = config.my.interfaces.${config.networking.hostName};
homeServer = config.my.ips.wg-server;
wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
wgServerSubnet = "10.77.0.0/24";
wgFriend1 = config.my.ips.wg-friend1;
wgFriend2 = config.my.ips.wg-friend2;
wgFriend3 = config.my.ips.wg-friend3;
wgFriend4 = config.my.ips.wg-friend4;
giteaSshPort = 22;
giteaSshPortStr = toString giteaSshPort;
syncthingPort = toString 22000;
synapseFederationPort = toString 8448;
synapseClientPort = toString config.my.servers.synapse.port;
syncplayPort = toString config.my.servers.syncplay.port;
stashPort = toString config.my.servers.stash.port;
in
{ {
imports = [ imports = [
./hardware-configuration.nix ./hardware-configuration.nix
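Review bot: `wgServerSubnet = "10.77.0.0/24"` is the only binding in this `let` that is a hard-coded literal, while `homeServer`, `wgFriendsSubnet` and `wgGuestsSubnet` all derive from `config.my.ips`, so nothing ties the server-side tunnel subnet to the address of the home server it is meant to isolate. If `config.my.ips.wg-server` is ever moved out of 10.77.0.0/24, the inter-subnet `drop` rules built from `wgServerSubnet` in the next hunk would quietly stop covering it while the per-host `accept` rules toward `homeServer` keep working, which is an easy-to-miss hole in the segmentation. Either derive it from the same source the replaced `wgSubnet` binding used (`wgServerSubnet = "${config.my.ips.wg-s}/24";`, if that option still exists) or pin the relationship at the `in`: `in assert lib.hasPrefix "10.77.0." homeServer; {` (`lib` is already a module argument, as `lib.mkForce` below shows). A short comment such as `# server-side WireGuard network; must contain homeServer` would also record the intent. The module attribute set opened by `{` after this hunk continues outside it.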
@@ -24,73 +42,56 @@
networking.hostName = "vps"; networking.hostName = "vps";
services.smartd.enable = lib.mkForce false; services.smartd.enable = lib.mkForce false;
environment.systemPackages = [ ]; environment.systemPackages = [ ];
networking.firewall = networking.nftables.enable = true;
let networking.firewall = {
externalInterface = config.my.interfaces.${config.networking.hostName}; enable = true;
filterForward = true;
checkReversePath = "loose";
allowedTCPPorts = [
80
443
3456
];
allowedUDPPorts = [ 51820 ];
extraForwardRules = ''
iifname "wg0" ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
iifname "wg0" ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
homeServer = config.my.ips.wg-server; iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept
wgSubnet = "${config.my.ips.wg-s}/24";
wgFriendsSubnet = "${config.my.ips.wg-friends}/24";
wgGuestsSubnet = "${config.my.ips.wg-gs}/24";
wgFriend1 = config.my.ips.wg-friend1;
wgFriend2 = config.my.ips.wg-friend2;
wgFriend3 = config.my.ips.wg-friend3;
wgFriend4 = config.my.ips.wg-friend4;
giteaSshPort = toString 22; iifname "wg0" ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
syncthingPort = toString 22000; iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept
synapseFederationPort = toString 8448; iifname "wg0" ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept
synapseClientPort = toString config.my.servers.synapse.port;
syncplayPort = toString config.my.servers.syncplay.port;
stashPort = toString config.my.servers.stash.port;
in
{
enable = true;
allowedTCPPorts = [
80
443
3456
];
allowedUDPPorts = [ 51820 ];
extraForwardRules = ''
ip saddr ${wgFriend1}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend2}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend3}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriend4}/32 ip daddr ${homeServer}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend1}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend2}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend3}/32 tcp dport ${syncthingPort} accept
ip saddr ${homeServer}/32 ip daddr ${wgFriend4}/32 tcp dport ${syncthingPort} accept
ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 tcp dport { ${synapseClientPort}, ${synapseFederationPort}, ${syncplayPort} } accept iifname "wg0" ip saddr ${wgFriendsSubnet} oifname "${externalInterface}" accept
iifname "wg0" ip saddr ${wgGuestsSubnet} oifname "${externalInterface}" accept
ip saddr ${wgFriendsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept ip saddr ${wgFriendsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${homeServer}/32 ip daddr ${wgFriendsSubnet} icmp type echo-reply accept ip saddr ${wgServerSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${wgServerSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 tcp dport ${stashPort} accept ip saddr ${wgServerSubnet} ip daddr ${wgGuestsSubnet} drop
ip saddr ${wgGuestsSubnet} ip daddr ${homeServer}/32 icmp type echo-request accept ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop
ip saddr ${homeServer}/32 ip daddr ${wgGuestsSubnet} icmp type echo-reply accept ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop
'';
ip saddr ${wgFriendsSubnet} ip daddr ${wgSubnet} drop };
ip saddr ${wgSubnet} ip daddr ${wgFriendsSubnet} drop networking.nat = {
ip saddr ${wgGuestsSubnet} ip daddr ${wgSubnet} drop enable = true;
ip saddr ${wgSubnet} ip daddr ${wgGuestsSubnet} drop inherit externalInterface;
ip saddr ${wgGuestsSubnet} ip daddr ${wgFriendsSubnet} drop internalInterfaces = [ "wg0" ];
ip saddr ${wgFriendsSubnet} ip daddr ${wgGuestsSubnet} drop forwardPorts = [
''; {
extraCommands = '' sourcePort = giteaSshPort;
iptables -t nat -A PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} proto = "tcp";
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE destination = "${homeServer}:${giteaSshPortStr}";
iptables -t nat -A POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE }
iptables -t nat -A POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE ];
''; };
extraStopCommands = ''
iptables -t nat -D PREROUTING -p tcp --dport ${giteaSshPort} -j DNAT --to-destination ${homeServer}:${giteaSshPort} || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport ${giteaSshPort} -j MASQUERADE || true
iptables -t nat -D POSTROUTING -s ${wgFriendsSubnet} -o ${externalInterface} -j MASQUERADE || true
iptables -t nat -D POSTROUTING -s ${wgGuestsSubnet} -o ${externalInterface} -j MASQUERADE || true
'';
};
security.sudo-rs.extraRules = [ security.sudo-rs.extraRules = [
{ {
users = [ "nixremote" ]; users = [ "nixremote" ];