Diffstat (limited to 'configuration.nix')
-rw-r--r-- | configuration.nix | 50 |
1 files changed, 38 insertions, 12 deletions
diff --git a/configuration.nix b/configuration.nix
index e2fbe3b..124af9a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -263,18 +263,44 @@ in
 };
 # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [
- (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
- 3990 3991 3992 # Garage
- 4646 4647 4648 # Nomad
- 8500 8300 8301 8302 # Consul
- 19999 # Netdata
- ];
- networking.firewall.allowedUDPPorts = [
- 4648 # Nomad
- 8301 8302 # Consul
- node_config.networking.wireguard.interfaces.wg0.listenPort
- ];
+ networking.firewall = {
+ allowedTCPPorts = [
+ (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
+ #3990 3991 3992 # Garage
+ #4646 4647 4648 # Nomad
+ #8500 8300 8301 8302 # Consul
+ #19999 # Netdata
+ ];
+ allowedUDPPorts = [
+ #4648 # Nomad
+ #8301 8302 # Consul
+ node_config.networking.wireguard.interfaces.wg0.listenPort
+ ];
+ extraCommands = ''
+ iptables -N VPN
+ iptables -A INPUT -s 10.42.0.0/16 -j VPN
+ iptables -A VPN -p tcp --dport 3990 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3991 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3992 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4646 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4647 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4648 -j ACCEPT
+ iptables -A VPN -p udp --dport 4648 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8500 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8300 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8301 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8302 -j ACCEPT
+ iptables -A VPN -p udp --dport 8301 -j ACCEPT
+ iptables -A VPN -p udp --dport 8302 -j ACCEPT
+ iptables -A VPN -p tcp --dport 19999 -j ACCEPT
+ '';
+ #flush the chain then remove it
+ extraStopCommands = ''
+ iptables -D INPUT -s 10.42.0.0/16 -j VPN
+ iptables -F VPN
+ iptables -X VPN
+ '';
+ };
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
|
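Review bot: The new `extraCommands` block is not idempotent: `iptables -N VPN` fails if the chain already exists, and `iptables -A INPUT -s 10.42.0.0/16 -j VPN` appends a duplicate jump each time the script runs, so a firewall reload that does not go through `extraStopCommands` (or a stop where the first `-D INPUT` fails and aborts the rest) leaves stale or doubled rules; a tolerant form such as `iptables -F VPN 2>/dev/null || iptables -N VPN`, then `iptables -D INPUT -s 10.42.0.0/16 -j VPN 2>/dev/null || true` before the `-A INPUT` line, avoids both. The same tolerance belongs in `extraStopCommands`, whose `-F`/`-X` lines are presumably skipped whenever the preceding `-D` reports the rule absent. These rules are also IPv4-only (`iptables`, not `ip46tables`), whereas the `allowedTCPPorts` entries they replace applied to both families, so if the WireGuard overlay ever carries IPv6 the Garage/Nomad/Consul/Netdata ports will be closed for it rather than VPN-restricted; a comment on `extraCommands` stating that the 10.42.0.0/16 restriction is deliberately IPv4-only would make that intent explicit. The commented-out port lists inside `allowedTCPPorts`/`allowedUDPPorts` are dead configuration now that the same ports are handled in the `VPN` chain and would be clearer as a single comment pointing at `extraCommands`. The enclosing attribute set begins and ends outside this hunk.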