author | Alex Auvolat <alex@adnab.me> | 2021-12-13 11:30:41 +0100 |
committer | Alex Auvolat <alex@adnab.me> | 2021-12-13 11:30:41 +0100 |
commit | 860f69adb6ef4b277c750b6d57c7693870f57592 (patch) | |
tree | b617b2c2174e2a6295f56988ec9bda261ffed6b6 /configuration.nix | |
parent | 22dc7adc4cf097056dd12c787131b625e6eb94d9 (diff) | |
Configure firewall
Diffstat (limited to 'configuration.nix')
-rw-r--r-- | configuration.nix | 50 |
1 files changed, 38 insertions, 12 deletions
diff --git a/configuration.nix b/configuration.nix
index e2fbe3b..124af9a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -263,18 +263,44 @@ in
 };
 # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [
- (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
- 3990 3991 3992 # Garage
- 4646 4647 4648 # Nomad
- 8500 8300 8301 8302 # Consul
- 19999 # Netdata
- ];
- networking.firewall.allowedUDPPorts = [
- 4648 # Nomad
- 8301 8302 # Consul
- node_config.networking.wireguard.interfaces.wg0.listenPort
- ];
+ networking.firewall = {
+ allowedTCPPorts = [
+ (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
+ #3990 3991 3992 # Garage
+ #4646 4647 4648 # Nomad
+ #8500 8300 8301 8302 # Consul
+ #19999 # Netdata
+ ];
+ allowedUDPPorts = [
+ #4648 # Nomad
+ #8301 8302 # Consul
+ node_config.networking.wireguard.interfaces.wg0.listenPort
+ ];
+ extraCommands = ''
+ iptables -N VPN
+ iptables -A INPUT -s 10.42.0.0/16 -j VPN
+ iptables -A VPN -p tcp --dport 3990 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3991 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3992 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4646 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4647 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4648 -j ACCEPT
+ iptables -A VPN -p udp --dport 4648 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8500 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8300 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8301 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8302 -j ACCEPT
+ iptables -A VPN -p udp --dport 8301 -j ACCEPT
+ iptables -A VPN -p udp --dport 8302 -j ACCEPT
+ iptables -A VPN -p tcp --dport 19999 -j ACCEPT
+ '';
+ #flush the chain then remove it
+ extraStopCommands = ''
+ iptables -D INPUT -s 10.42.0.0/16 -j VPN
+ iptables -F VPN
+ iptables -X VPN
+ '';
+ };
 # Or disable the firewall altogether.
 # networking.firewall.enable = false; |
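Review bot: `iptables -N VPN` and the unconditional `iptables -A INPUT -s 10.42.0.0/16 -j VPN` at the top of extraCommands are not idempotent: if the firewall start script is run again while the VPN chain still exists (a reload rather than a full stop/start), `-N` fails and, since the NixOS firewall script runs with errexit as far as I recall, the rules that follow it — including the final jump into the nixos-fw chain — are never installed, so a failed reload can leave INPUT less restrictive than intended, while a run that did not fail would append a second INPUT jump. Make both steps idempotent, `iptables -N VPN 2>/dev/null || iptables -F VPN` and `iptables -C INPUT -s 10.42.0.0/16 -j VPN 2>/dev/null || iptables -A INPUT -s 10.42.0.0/16 -j VPN`, and suffix the three extraStopCommands with `2>/dev/null || true` so a missing chain does not abort the stop script either. Separately, the VPN chain is entered on source address alone; since this config already names the WireGuard interface `wg0`, adding `-i wg0` to the INPUT jump ties the Garage/Nomad/Consul/Netdata exposure to traffic that actually arrived over the tunnel rather than to any packet carrying a 10.42.0.0/16 source (assuming that range is the wg0 address space, which the hunk does not show). The enclosing attribute set begins before this hunk.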