diff options
| author | Alex Auvolat <alex@adnab.me> | 2022-01-19 13:30:18 +0100 |
|---|---|---|
| committer | Alex Auvolat <alex@adnab.me> | 2022-01-19 13:30:18 +0100 |
| commit | b5ec581bc8404ff993910e4ba28df564b0e15c02 (patch) | |
| tree | b3705fc8dcd45fc45dc6eb60203073fca553ba73 | |
| parent | 4bc67c3906bb8872ed28cd8a05bc4417c9d9af8e (diff) | |
| download | nixcfg-b5ec581bc8404ff993910e4ba28df564b0e15c02.tar.gz nixcfg-b5ec581bc8404ff993910e4ba28df564b0e15c02.zip | |
Drastically simplify firewall config
| -rw-r--r-- | configuration.nix | 40 |
1 files changed, 6 insertions, 34 deletions
diff --git a/configuration.nix b/configuration.nix index c493496..ca403ec 100644 --- a/configuration.nix +++ b/configuration.nix @@ -309,46 +309,18 @@ in # Allow everything from router (usefull for UPnP/IGD) iptables -A INPUT -s 192.168.1.254 -j ACCEPT - # Allow Docker containers to access a few things - iptables -N CONTAINERS - iptables -A INPUT -s 172.17.0.0/16 -j CONTAINERS + # Allow docker containers to access all ports + iptables -A INPUT -s 172.17.0.0/16 -j ACCEPT - # Yugabyte YSQL - iptables -A CONTAINERS -p tcp --dport 5433 -j ACCEPT - - # Specific rules for VPN nodes - iptables -N VPN - iptables -A INPUT -s 10.42.0.0/16 -j VPN - - # Allow server nodes to communicate between themselves on all ports - iptables -A VPN -s 10.42.0.2 -j ACCEPT - iptables -A VPN -s 10.42.0.21 -j ACCEPT - iptables -A VPN -s 10.42.0.22 -j ACCEPT - iptables -A VPN -s 10.42.0.23 -j ACCEPT - - # Allow all VPN users to access Nomad API - iptables -A VPN -p tcp --dport 4646 -j ACCEPT - - # Same for Consul API - iptables -A VPN -p tcp --dport 8500 -j ACCEPT - - # Same for YugabyteDB YSQL and Admin ports - iptables -A VPN -p tcp --dport 5433 -j ACCEPT - iptables -A VPN -p tcp --dport 7000 -j ACCEPT - - # Same for Netdata monitoring - iptables -A VPN -p tcp --dport 19999 -j ACCEPT + # Allow other nodes on VPN to access all ports + iptables -A INPUT -s 10.42.0.0/16 -j ACCEPT ''; # When stopping firewall, delete all rules that were configured manually above extraStopCommands = '' iptables -D INPUT -s 192.168.1.254 -j ACCEPT - iptables -D INPUT -s 10.42.0.0/16 -j VPN - iptables -F VPN - iptables -X VPN - iptables -D INPUT -s 172.17.0.0/16 -j CONTAINERS - iptables -F CONTAINERS - iptables -X CONTAINERS + iptables -D INPUT -s 172.17.0.0/16 -j ACCEPT + iptables -D INPUT -s 10.42.0.0/16 -j ACCEPT ''; }; |