From 860f69adb6ef4b277c750b6d57c7693870f57592 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Mon, 13 Dec 2021 11:30:41 +0100
Subject: Configure firewall
---
 configuration.nix | 50 ++++++++++++++++++++++++++++++++++++++------------
 node/carcajou.nix | 6 ++++++
 node/cariacou.nix | 6 ++++++
 node/caribou.nix | 6 ++++++
 4 files changed, 56 insertions(+), 12 deletions(-)
diff --git a/configuration.nix b/configuration.nix
index e2fbe3b..124af9a 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -263,18 +263,44 @@ in
 };
 # Open ports in the firewall.
- networking.firewall.allowedTCPPorts = [
- (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
- 3990 3991 3992 # Garage
- 4646 4647 4648 # Nomad
- 8500 8300 8301 8302 # Consul
- 19999 # Netdata
- ];
- networking.firewall.allowedUDPPorts = [
- 4648 # Nomad
- 8301 8302 # Consul
- node_config.networking.wireguard.interfaces.wg0.listenPort
- ];
+ networking.firewall = {
+ allowedTCPPorts = [
+ (builtins.head ({ openssh.ports = [22]; } // node_config.services).openssh.ports)
+ #3990 3991 3992 # Garage
+ #4646 4647 4648 # Nomad
+ #8500 8300 8301 8302 # Consul
+ #19999 # Netdata
+ ];
+ allowedUDPPorts = [
+ #4648 # Nomad
+ #8301 8302 # Consul
+ node_config.networking.wireguard.interfaces.wg0.listenPort
+ ];
+ extraCommands = ''
+ iptables -N VPN
+ iptables -A INPUT -s 10.42.0.0/16 -j VPN
+ iptables -A VPN -p tcp --dport 3990 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3991 -j ACCEPT
+ iptables -A VPN -p tcp --dport 3992 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4646 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4647 -j ACCEPT
+ iptables -A VPN -p tcp --dport 4648 -j ACCEPT
+ iptables -A VPN -p udp --dport 4648 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8500 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8300 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8301 -j ACCEPT
+ iptables -A VPN -p tcp --dport 8302 -j ACCEPT
+ iptables -A VPN -p udp --dport 8301 -j ACCEPT
+ iptables -A VPN -p udp --dport 8302 -j ACCEPT
+ iptables -A VPN -p tcp --dport 19999 -j ACCEPT
+ '';
+ #flush the chain then remove it
+ extraStopCommands = ''
+ iptables -D INPUT -s 10.42.0.0/16 -j VPN
+ iptables -F VPN
+ iptables -X VPN
+ '';
+ };
 # Or disable the firewall altogether.
 # networking.firewall.enable = false;
diff --git a/node/carcajou.nix b/node/carcajou.nix
index 74109bd..0698663 100644
--- a/node/carcajou.nix
+++ b/node/carcajou.nix
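Review bot: The `iptables -A INPUT -s 10.42.0.0/16 -j VPN` line in extraCommands matches on source address only, so an IPv4 packet arriving on eno1 with a forged 10.42.x.x source is also jumped into VPN and accepted on the Garage/Nomad/Consul/Netdata ports that this same hunk deliberately removes from allowedTCPPorts/allowedUDPPorts. Restricting the jump to the tunnel makes WireGuard's cryptokey routing the only way to present such a source: `iptables -A INPUT -i wg0 -s 10.42.0.0/16 -j VPN`, with the matching `iptables -D INPUT -i wg0 -s 10.42.0.0/16 -j VPN` in extraStopCommands (wg0 is the interface the hunk already reads listenPort from). Separately, `iptables -N VPN` followed by unconditional `-A` lines is not idempotent; if the firewall module re-runs extraCommands on a reload without extraStopCommands in between (not visible here), `-N` fails on the existing chain or the INPUT jump gets appended twice, so `iptables -N VPN 2>/dev/null || true` plus an `iptables -F VPN` before the `-A` lines would be safer. The attribute set this block belongs to starts and ends outside the hunk.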
@@ -17,6 +17,12 @@
 prefixLength = 24;
 }
 ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::22";
+ prefixLength = 64;
+ }
+ ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.42.0.22/16" ];
diff --git a/node/cariacou.nix b/node/cariacou.nix
index bb43c22..7b57fe2 100644
--- a/node/cariacou.nix
+++ b/node/cariacou.nix
@@ -17,6 +17,12 @@
 prefixLength = 24;
 }
 ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::21";
+ prefixLength = 64;
+ }
+ ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.42.0.21/16" ];
diff --git a/node/caribou.nix b/node/caribou.nix
index 366251a..77fc35b 100644
--- a/node/caribou.nix
+++ b/node/caribou.nix
@@ -17,6 +17,12 @@
 prefixLength = 24;
 }
 ];
+ networking.interfaces.eno1.ipv6.addresses = [
+ {
+ address = "2a01:e0a:c:a720::23";
+ prefixLength = 64;
+ }
+ ];
 networking.wireguard.interfaces.wg0 = {
 ips = [ "10.42.0.23/16" ];
--
cgit v1.2.3
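Review bot: The new static address on eno1 makes carcajou reachable over public IPv6, but nothing in this hunk records whether the port policy from the configuration.nix hunk also applies on the IPv6 side; the VPN chain there is written with `iptables` only (fine for the IPv4 WireGuard range), so protection of the Consul/Nomad/Garage/Netdata ports over IPv6 depends on the firewall module mirroring allowedTCPPorts/allowedUDPPorts to ip6tables, which this diff does not show and is worth confirming before the address goes live. A comment on the new block such as `# public IPv6 address: only ssh and the WireGuard port are meant to be reachable here, see networking.firewall in configuration.nix` would record that intent. The same applies to the identical hunks for cariacou (::21) and caribou (::23). The enclosing attribute set continues outside the hunk.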