jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

firewall migration

Browse Source
This commit is contained in:
Danilo Reyes
2026-02-05 12:45:39 -06:00
parent e1f7c2291a
commit c09268891e
3 changed files with 70 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

74
hosts/vps/configuration.nix
View File

@@ -5,6 +5,10 @@
pkgs,
...
}:
let
externalInterface = config.my.interfaces.${config.networking.hostName};
homeServer = config.my.ips.wg-server;
in
{
imports = [
./hardware-configuration.nix
@@ -21,18 +25,64 @@
];
};
};
environment.etc."iptables.rules".source = ../../iptables;
networking.firewall.enable = lib.mkForce false;
networking.nftables.enable = false;
systemd.services.iptables-restore = {
description = "Apply iptables ruleset";
wantedBy = [ "multi-user.target" ];
after = [ "network-pre.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.iptables}/bin/iptables-restore --wait /etc/iptables.rules";
};
networking.firewall = {
enable = true;
allowedTCPPorts = [
80
443
3456
];
allowedUDPPorts = [ 51820 ];
extraForwardRules = ''
ct state established,related accept
ip daddr ${homeServer}/32 tcp dport { 22, 51412 } accept
ip daddr ${homeServer}/32 udp dport 51412 accept
ip saddr 10.8.0.2/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.3/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.4/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr 10.8.0.5/32 ip daddr ${homeServer}/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.2/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.3/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.4/32 tcp dport 22000 accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.5/32 tcp dport 22000 accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 tcp dport { 8008, 8448, 8999 } accept
ip saddr 10.8.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.8.0.0/24 icmp type echo-reply accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 tcp dport 9999 accept
ip saddr 10.9.0.0/24 ip daddr ${homeServer}/32 icmp type echo-request accept
ip saddr ${homeServer}/32 ip daddr 10.9.0.0/24 icmp type echo-reply accept
ip saddr 10.8.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.9.0.0/24 oifname "${externalInterface}" accept
ip saddr 10.8.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.77.0.0/24 drop
ip saddr 10.77.0.0/24 ip daddr 10.9.0.0/24 drop
ip saddr 10.9.0.0/24 ip daddr 10.8.0.0/24 drop
ip saddr 10.8.0.0/24 ip daddr 10.9.0.0/24 drop
'';
extraCommands = ''
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22
iptables -t nat -A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE
iptables -t nat -A POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE
'';
extraStopCommands = ''
iptables -t nat -D PREROUTING -p tcp --dport 22 -j DNAT --to-destination ${homeServer}:22 || true
iptables -t nat -D PREROUTING -p tcp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D PREROUTING -p udp --dport 51412 -j DNAT --to-destination ${homeServer}:51412 || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 22 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p tcp --dport 51412 -j MASQUERADE || true
iptables -t nat -D POSTROUTING -d ${homeServer}/32 -p udp --dport 51412 -j MASQUERADE || true
'';
};
image.modules.linode = { };
networking.hostName = "vps";