authorAlex Auvolat <alex@adnab.me>2021-12-13 11:30:41 +0100
committerAlex Auvolat <alex@adnab.me>2021-12-13 11:30:41 +0100
commit860f69adb6ef4b277c750b6d57c7693870f57592 (patch)
treeb617b2c2174e2a6295f56988ec9bda261ffed6b6
parent22dc7adc4cf097056dd12c787131b625e6eb94d9 (diff)
Configure firewall
-rw-r--r--configuration.nix50
-rw-r--r--node/carcajou.nix6
-rw-r--r--node/cariacou.nix6
-rw-r--r--node/caribou.nix6
4 files changed, 56 insertions, 12 deletions
diff --git a/configuration.nix b/configuration.nix
index e2fbe3b..124af9a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -263,18 +263,44 @@ in
};
# Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [
- (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
- 3990 3991 3992 # Garage
- 4646 4647 4648 # Nomad
- 8500 8300 8301 8302 # Consul
- 19999 # Netdata
- ];
- networking.firewall.allowedUDPPorts = [
- 4648 # Nomad
- 8301 8302 # Consul
- node_config.networking.wireguard.interfaces.wg0.listenPort
- ];
+ networking.firewall = {
+ allowedTCPPorts = [
+ (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
+ #3990 3991 3992 # Garage
+ #4646 4647 4648 # Nomad
+ #8500 8300 8301 8302 # Consul
+ #19999 # Netdata
+ ];
+ allowedUDPPorts = [
+ #4648 # Nomad
+ #8301 8302 # Consul
+ node_config.networking.wireguard.interfaces.wg0.listenPort
+ ];
+ extraCommands = ''
+ iptables -N VPN
+ iptables -A INPUT -s 10.42.0.0/16 -j VPN
+ iptables -A VPN -p tcp --dport 3990 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3991 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3992 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4646 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4647 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4648 -j ACCEPT
+ iptables -A VPN -p udp --dport 4648 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8500 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8300 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8301 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8302 -j ACCEPT
+ iptables -A VPN -p udp --dport 8301 -j ACCEPT
+ iptables -A VPN -p udp --dport 8302 -j ACCEPT
+ iptables -A VPN -p tcp --dport 19999 -j ACCEPT
+ '';
+ #flush the chain then remove it
+ extraStopCommands = ''
+ iptables -D INPUT -s 10.42.0.0/16 -j VPN
+ iptables -F VPN
+ iptables -X VPN
+ '';
+ };
# Or disable the firewall altogether.
# networking.firewall.enable = false;
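Review bot: `iptables -N VPN` in extraCommands is not idempotent: if the `VPN` chain still exists when the firewall start script runs again (a reload, or a previous stop that did not complete), chain creation fails and the rules that follow it in the script may never be installed. `iptables -N VPN 2>/dev/null || iptables -F VPN` creates or empties the chain in either case, and `iptables -D INPUT -s 10.42.0.0/16 -j VPN 2>/dev/null || true` in extraStopCommands keeps the stop script from failing when the jump rule is already gone. The jump rule also matches on source address alone, so any packet carrying a 10.42.0.0/16 source is sent to the accept chain regardless of the interface it arrived on; the node files show that range lives on wg0, so `iptables -A INPUT -i wg0 -s 10.42.0.0/16 -j VPN` ties the exemption to the tunnel as defence in depth alongside the reverse-path check. A comment above extraCommands would also make the intent of the commented-out port lists clear, e.g. `# Garage, Nomad, Consul and Netdata ports are reachable only from the WireGuard overlay (10.42.0.0/16), via the VPN chain below`. The enclosing attribute set continues outside the hunk.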
diff --git a/node/carcajou.nix b/node/carcajou.nix
index 74109bd..0698663 100644
--- a/node/carcajou.nix
+++ b/node/carcajou.nix
@@ -17,6 +17,12 @@
prefixLength = 24;
}
];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::22";
+ prefixLength = 64;
+ }
+ ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.42.0.22/16" ];
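Review bot: The new public IPv6 address on eno1 is not mentioned by the commit title and nothing in this hunk (nor in the identical hunks in node/cariacou.nix and node/caribou.nix) says where its default route is configured; if `networking.defaultGateway6` is set elsewhere, a one-line comment such as `# Public IPv6 for this node; gateway is set in the shared configuration` next to the address would save the next reader the search. Note also that the VPN chain added in configuration.nix is built with iptables only, so it applies to IPv4; the NixOS firewall applies allowedTCPPorts/allowedUDPPorts through ip6tables as well, so on the new v6 address only SSH and the WireGuard listen port should be reachable, which is worth confirming on the host with `ip6tables -L -n` after deployment. The `networking.wireguard.interfaces.wg0` block begins in this hunk and ends outside it.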
diff --git a/node/cariacou.nix b/node/cariacou.nix
index bb43c22..7b57fe2 100644
--- a/node/cariacou.nix
+++ b/node/cariacou.nix
@@ -17,6 +17,12 @@
prefixLength = 24;
}
];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::21";
+ prefixLength = 64;
+ }
+ ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.42.0.21/16" ];
diff --git a/node/caribou.nix b/node/caribou.nix
index 366251a..77fc35b 100644
--- a/node/caribou.nix
+++ b/node/caribou.nix
@@ -17,6 +17,12 @@
prefixLength = 24;
}
];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::23";
+ prefixLength = 64;
+ }
+ ];
networking.wireguard.interfaces.wg0 = {
ips = [ "10.42.0.23/16" ];