004-vps-migration #5

Merged
jawz merged 47 commits from 004-vps-migration into main 2026-02-06 09:20:18 -06:00
2 changed files with 127 additions and 1 deletions


@@ -30,7 +30,7 @@
};
};
environment.etc."iptables.rules".source = ../../iptables;
networking.firewall.enable = false;
networking.firewall.enable = lib.mkForce false;
networking.nftables.enable = false;
systemd.services.iptables-restore = {
description = "Apply iptables ruleset";
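Review bot: `lib.mkForce false` gives no hint of which other module is turning the firewall on, so a one-line comment on that line, such as `# forced off: filtering comes from the iptables-restore unit below, not the NixOS firewall module`, would save the next maintainer a search. With both `networking.firewall` and `networking.nftables` disabled, inbound filtering on this host depends entirely on that unit applying the ruleset at boot, so its failure should be loud rather than best-effort and it should run before the network is considered online. The `systemd.services.iptables-restore` definition continues outside the hunk, so I cannot see whether that ordering is already there.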

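--- /dev/null
+++ b/iptables
@@ -0,0 +1,126 @@
+# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
+*mangle
+:PREROUTING ACCEPT [95853893:179831236298]
+:INPUT ACCEPT [94316554:179510512585]
+:FORWARD ACCEPT [1536524:320567864]
+:OUTPUT ACCEPT [49857522:93072472240]
+:POSTROUTING ACCEPT [51393797:93393029789]
+COMMIT
+# Completed on Fri Jan 2 03:44:23 2026
+# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
+*raw
+:PREROUTING ACCEPT [95853893:179831236298]
+:OUTPUT ACCEPT [49857522:93072472240]
+COMMIT
+# Completed on Fri Jan 2 03:44:23 2026
+# Generated by iptables-save v1.8.11 (nf_tables) on Fri Jan 2 03:44:23 2026
+*filter
+:INPUT ACCEPT [94315678:179510353216]
+:FORWARD ACCEPT [46534:2774394]
+:OUTPUT ACCEPT [49857520:93072471971]
+# --- Incoming (INPUT) rules for VPS itself ---
+# Accept SSH on port 3456 (new SSH port)
+# allow SSH to VPS
+-A INPUT -p tcp --dport 3456 -m conntrack --ctstate NEW -j ACCEPT
+# allow established connections (responses)
+-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+# (Optionally, add other INPUT rules for any services the VPS itself runs, if any, like HTTP/HTTPS if needed)
+# If a default DROP policy is desired on INPUT, or an explicit drop rule:
+# -A INPUT -j DROP # (optional: lock down any other input)
+# --- Forwarding (FORWARD) rules for VPN traffic ---
+# allow return traffic for established sessions
+-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
+# Syncthing between 10.8.0.2 and home server
+# 10.8.0.2 -> 10.77.0.0 Syncthing
+-A FORWARD -s 10.8.0.2/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.8.0.3/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.8.0.4/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.8.0.5/32 -d 10.77.0.2/32 -p tcp --dport 22000 -j ACCEPT
+# home -> 10.8.0.0 Syncthing
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.2/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.3/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.4/32 -p tcp --dport 22000 -j ACCEPT
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.5/32 -p tcp --dport 22000 -j ACCEPT
+# Matrix/Synapse access from 10.8 subnet to home server
+# allow Matrix client port
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8008 -j ACCEPT
+# allow Matrix federation port
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8448 -j ACCEPT
+# allow TURN/other (if used)
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p tcp --dport 8999 -j ACCEPT
+# ICMP between 10.8 subnet and home
+# ping home from 10.8 clients
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
+# ping 10.8 clients from home
+-A FORWARD -s 10.77.0.2/32 -d 10.8.0.0/24 -p icmp -j ACCEPT
+# New Friend's subnet (10.9) access rule
+# allow new subnet to access port 9999 on home
+-A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p tcp --dport 9999 -j ACCEPT
+# allow ping to home
+-A FORWARD -s 10.9.0.2/24 -d 10.77.0.2/32 -p icmp -j ACCEPT
+# allow ping reply from home
+-A FORWARD -s 10.77.0.2/32 -d 10.9.0.2/24 -p icmp -j ACCEPT
+# Allow VPN subnets to reach Internet (MASQUERADE will SNAT them)
+# 10.8 clients to internet
+-A FORWARD -s 10.8.0.0/24 -o eth0 -j ACCEPT
+# 10.9 clients to internet
+-A FORWARD -s 10.9.0.2/24 -o eth0 -j ACCEPT
+# Drop all other traffic between these subnets and home or between subnets (isolation)
+# drop any 10.8 -> home not allowed
+-A FORWARD -s 10.8.0.0/24 -d 10.77.0.0/24 -j DROP
+# drop any home -> 10.8 not allowed
+-A FORWARD -s 10.77.0.0/24 -d 10.8.0.0/24 -j DROP
+# drop any 10.9 -> home not allowed (except 9999/ping above)
+-A FORWARD -s 10.9.0.0/24 -d 10.77.0.0/24 -j DROP
+# drop any home -> 10.9 not allowed
+-A FORWARD -s 10.77.0.0/24 -d 10.9.0.0/24 -j DROP
+# drop 10.9 -> 10.8 (no client-to-client)
+-A FORWARD -s 10.9.0.0/24 -d 10.8.0.0/24 -j DROP
+# drop 10.8 -> 10.9
+-A FORWARD -s 10.8.0.0/24 -d 10.9.0.0/24 -j DROP
+COMMIT
+*nat
+:PREROUTING ACCEPT [3368888:178175988]
+:INPUT ACCEPT [3348703:174454011]
+:OUTPUT ACCEPT [30120:1902454]
+:POSTROUTING ACCEPT [32339:2018208]
+# Port forwarding (DNAT) rules:
+# forward SSH (port 22) to home server
+-A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 10.77.0.2:22
+# forward port 51412 to home (TCP)
+-A PREROUTING -p tcp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
+# forward port 51412 to home (UDP)
+-A PREROUTING -p udp --dport 51412 -j DNAT --to-destination 10.77.0.2:51412
+# (Remove the above 51412 rules if not used; keep 22 as its for Giteas SSH access)
+# Masquerade (SNAT) rules:
+# masquerade replies from home for SSH
+-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 22 -j MASQUERADE
+# masquerade replies for 51412 (TCP)
+-A POSTROUTING -d 10.77.0.2/32 -p tcp --dport 51412 -j MASQUERADE
+#masquerade replies for 51412 (UDP)
+-A POSTROUTING -d 10.77.0.2/32 -p udp --dport 51412 -j MASQUERADE
+# (If 51412 rules removed above, remove their masquerade lines too)
+# NAT for 10.8.0.x clients to internet
+-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
+# NAT for 10.9.0.x clients to internet
+-A POSTROUTING -s 10.9.0.0/24 -o eth0 -j MASQUERADE
+COMMIT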
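Review bot: The four rules for the new subnet are written as `-s 10.9.0.2/24`, which iptables masks down to `10.9.0.0/24`, so they match the whole subnet rather than the single host the address suggests; state the intended form explicitly (`-s 10.9.0.0/24`, or `/32` if only one peer is meant) so these lines agree with the `10.9.0.0/24` DROP rules below them. The INPUT chain keeps policy ACCEPT with the final DROP left commented out, and since the NixOS firewall is disabled in the other hunk nothing else filters inbound traffic to the VPS; if that DROP is ever enabled, a loopback accept and the VPN listener port (not visible in this file) must be added ahead of it. The DNAT'd port 22 and 51412 traffic to the home server is carried only by the FORWARD chain's ACCEPT policy, not by an explicit rule, so it would break silently if a terminal FORWARD DROP is added later. The MASQUERADE rules for that forwarded traffic also replace the original client source with the VPS address, so the home server's SSH and Gitea logs will not show who actually connected; if that is accepted, a comment such as `# note: source is rewritten, original client IP only visible in VPS logs` would make the trade-off explicit for incident review.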