author | Alex Auvolat <alex@adnab.me> | 2021-12-13 11:30:41 +0100 |
---|---|---|
committer | Alex Auvolat <alex@adnab.me> | 2021-12-13 11:30:41 +0100 |
commit | 860f69adb6ef4b277c750b6d57c7693870f57592 (patch) | |
tree | b617b2c2174e2a6295f56988ec9bda261ffed6b6 | |
parent | 22dc7adc4cf097056dd12c787131b625e6eb94d9 (diff) | |
download | nixcfg-860f69adb6ef4b277c750b6d57c7693870f57592.tar.gz nixcfg-860f69adb6ef4b277c750b6d57c7693870f57592.zip |
Configure firewall
-rw-r--r-- | configuration.nix | 50 | ||||
-rw-r--r-- | node/carcajou.nix | 6 | ||||
-rw-r--r-- | node/cariacou.nix | 6 | ||||
-rw-r--r-- | node/caribou.nix | 6 |
4 files changed, 56 insertions, 12 deletions
diff --git a/configuration.nix b/configuration.nix
index e2fbe3b..124af9a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -263,18 +263,44 @@ in
 };
 # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [
- (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
- 3990 3991 3992 # Garage
- 4646 4647 4648 # Nomad
- 8500 8300 8301 8302 # Consul
- 19999 # Netdata
- ];
- networking.firewall.allowedUDPPorts = [
- 4648 # Nomad
- 8301 8302 # Consul
- node_config.networking.wireguard.interfaces.wg0.listenPort
- ];
+ networking.firewall = {
+ allowedTCPPorts = [
+ (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
+ #3990 3991 3992 # Garage
+ #4646 4647 4648 # Nomad
+ #8500 8300 8301 8302 # Consul
+ #19999 # Netdata
+ ];
+ allowedUDPPorts = [
+ #4648 # Nomad
+ #8301 8302 # Consul
+ node_config.networking.wireguard.interfaces.wg0.listenPort
+ ];
+ extraCommands = ''
+ iptables -N VPN
+ iptables -A INPUT -s 10.42.0.0/16 -j VPN
+ iptables -A VPN -p tcp --dport 3990 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3991 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3992 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4646 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4647 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4648 -j ACCEPT
+ iptables -A VPN -p udp --dport 4648 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8500 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8300 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8301 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8302 -j ACCEPT
+ iptables -A VPN -p udp --dport 8301 -j ACCEPT
+ iptables -A VPN -p udp --dport 8302 -j ACCEPT
+ iptables -A VPN -p tcp --dport 19999 -j ACCEPT
+ '';
+ #flush the chain then remove it
+ extraStopCommands = ''
+ iptables -D INPUT -s 10.42.0.0/16 -j VPN
+ iptables -F VPN
+ iptables -X VPN
+ '';
+ };
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
diff --git a/node/carcajou.nix b/node/carcajou.nix
index 74109bd..0698663 100644 
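Review bot: The jump into the new chain, `iptables -A INPUT -s 10.42.0.0/16 -j VPN`, matches on source prefix only, so any packet that reaches INPUT with a 10.42.x.x source is admitted to the Garage/Nomad/Consul/Netdata ports regardless of the interface it arrived on; a reverse-path check, if one is active, makes spoofing that prefix from eno1 harder, but pinning the rule to the tunnel is the cheaper guarantee: `iptables -A INPUT -i wg0 -s 10.42.0.0/16 -j VPN` (with the matching `-D` in extraStopCommands). The scripts are also not idempotent: `iptables -N VPN` fails if the chain survived an earlier run, and the three stop commands fail if it did not, and since the generated NixOS firewall scripts run with errexit as far as I know, either case aborts a start or a reload; `iptables -N VPN 2>/dev/null || iptables -F VPN` on the start side and `2>/dev/null || true` on each stop-side command keep both paths safe. The VPN chain is IPv4-only, which is consistent with the 10.42.0.0/16 wg0 addressing in the node files. The enclosing attribute set starts and ends outside the hunk.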
--- a/node/carcajou.nix
+++ b/node/carcajou.nix
@@ -17,6 +17,12 @@ prefixLength = 24;
 }
 ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::22";
+ prefixLength = 64;
+ }
+ ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.42.0.22/16" ];
diff --git a/node/cariacou.nix b/node/cariacou.nix
index bb43c22..7b57fe2 100644
--- a/node/cariacou.nix
+++ b/node/cariacou.nix
@@ -17,6 +17,12 @@ prefixLength = 24;
 }
 ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::21";
+ prefixLength = 64;
+ }
+ ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.42.0.21/16" ];
diff --git a/node/caribou.nix b/node/caribou.nix
index 366251a..77fc35b 100644
--- a/node/caribou.nix
+++ b/node/caribou.nix
@@ -17,6 +17,12 @@ prefixLength = 24;
 }
 ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::23";
+ prefixLength = 64;
+ }
+ ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.42.0.23/16" ]; |
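Review bot: The new eno1 addresses are globally routable IPv6, but nothing in these hunks (carcajou, cariacou and caribou alike) sets `networking.defaultGateway6`, so unless it is configured elsewhere the hosts can only reach their own /64 and cannot answer off-link peers; worth confirming either way. On exposure this is fine as written: the NixOS firewall applies `allowedTCPPorts`/`allowedUDPPorts` to ip6tables as well, so over IPv6 only SSH and the WireGuard `listenPort` are reachable, while the VPN chain added in configuration.nix is IPv4-only, matching the 10.42.0.0/16 wg0 addressing. A one-line comment above each block, `# public IPv6; last hextet mirrors the wg0 host number`, would make the ::21/::22/::23 to 10.42.0.21/.22/.23 correspondence explicit for the next node added. The enclosing attribute set starts and ends outside each hunk.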