firewall module
This commit is contained in:
parent
9ee0b504b1
commit
0b8e88f09d
@ -6,38 +6,6 @@
|
|||||||
options = [ "nofail" ];
|
options = [ "nofail" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
networking = {
|
|
||||||
firewall = pkgs.lib.mkForce {
|
|
||||||
enable = true;
|
|
||||||
allowedTCPPorts = [
|
|
||||||
25 # smtp
|
|
||||||
465 # smtps
|
|
||||||
80 # http
|
|
||||||
443 # https
|
|
||||||
];
|
|
||||||
allowedUDPPorts = [
|
|
||||||
25
|
|
||||||
465
|
|
||||||
80
|
|
||||||
443
|
|
||||||
51820 # wireguard
|
|
||||||
];
|
|
||||||
extraCommands = ''
|
|
||||||
iptables -N vpn # create a new chain named vpn
|
|
||||||
iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
|
|
||||||
iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
|
|
||||||
iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
|
|
||||||
iptables -A vpn -j DROP # drop everyone else
|
|
||||||
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
|
|
||||||
'';
|
|
||||||
extraStopCommands = ''
|
|
||||||
iptables -F vpn
|
|
||||||
iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
|
|
||||||
iptables -X vpn
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
users.ivand = {
|
users.ivand = {
|
||||||
isNormalUser = true;
|
isNormalUser = true;
|
||||||
|
@ -22,7 +22,7 @@ in
|
|||||||
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
|
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
|
||||||
nova-ai = novaConfig (with mods; [ ivand ai ]);
|
nova-ai = novaConfig (with mods; [ ivand ai ]);
|
||||||
install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
|
install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
|
||||||
vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns ]); };
|
vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall ]); };
|
||||||
stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
|
stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
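Review bot: Adding `firewall` to the vps module list pulls in a `networking.firewall = lib.mkForce { … }` definition (the new module further down this commit), and `mkForce` on the whole attribute set discards every other `networking.firewall.*` value the sibling modules in this list may define — `mailserver`, `nginx`, `wireguard-output` and `anonymous-dns` are plausible sources of `allowedTCPPorts`, `allowedUDPPorts`, `trustedInterfaces` or `checkReversePath`, though their bodies are not in this diff. If the intent is only to pin the port list and the SSH chain, setting the individual attributes without `mkForce`, or forcing only the attributes that must win, keeps the other modules' contributions intact. A short comment on this entry, e.g. `firewall # NOTE: mkForce — overrides firewall settings from the other modules`, would at least make the precedence visible to whoever edits this list next.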
@ -484,5 +484,38 @@ top@{ inputs, moduleWithSystem, ... }: {
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
firewall = moduleWithSystem (toplevel@{ ... }: perSystem@{ lib, ... }: {
|
||||||
|
networking = {
|
||||||
|
firewall = lib.mkForce {
|
||||||
|
enable = true;
|
||||||
|
allowedTCPPorts = [
|
||||||
|
25 # smtp
|
||||||
|
465 # smtps
|
||||||
|
80 # http
|
||||||
|
443 # https
|
||||||
|
];
|
||||||
|
allowedUDPPorts = [
|
||||||
|
25
|
||||||
|
465
|
||||||
|
80
|
||||||
|
443
|
||||||
|
51820 # wireguard
|
||||||
|
];
|
||||||
|
extraCommands = ''
|
||||||
|
iptables -N vpn # create a new chain named vpn
|
||||||
|
iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
|
||||||
|
iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
|
||||||
|
iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
|
||||||
|
iptables -A vpn -j DROP # drop everyone else
|
||||||
|
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
|
||||||
|
'';
|
||||||
|
extraStopCommands = ''
|
||||||
|
iptables -F vpn
|
||||||
|
iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
|
||||||
|
iptables -X vpn
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
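Review bot: The `vpn` allow-list in `extraCommands` matches on source address alone (`--src 10.0.0.2` … `10.0.0.4`), so any packet carrying one of those addresses is accepted on TCP/22 whatever interface it arrived on; binding each rule to the tunnel interface (`-i <wg-iface>`) closes that gap, with the interface name taken from the `wireguard-output` module, which is not in this diff. The chain setup is also not reload-safe: `iptables -N vpn` errors if the chain already exists (e.g. after a failed start), `iptables -I INPUT … -j vpn` stacks a duplicate jump on every run, and the `-D` in `extraStopCommands` errors when the rule is absent. Separately, the UDP list mirrors the TCP list — SMTP, SMTPS and HTTP are TCP-only and 443/UDP is only needed if something here serves HTTP/3, so those four UDP entries look like unneeded exposure unless a service in this config actually uses them. The rewrite below makes chain creation and the INPUT jump idempotent, adds the interface match and tolerates an absent rule on stop; the module definition starts and ends inside this hunk.

```nix
# … unchanged: enable, allowedTCPPorts …
allowedUDPPorts = [
  51820 # wireguard
];
extraCommands = ''
  # the chain may already exist after a failed start or a reload: create or flush
  iptables -N vpn 2>/dev/null || iptables -F vpn
  # accept SSH only from the WireGuard peers, and only when they arrive over the tunnel
  # TODO(review): confirm the interface name from the wireguard-output module
  iptables -A vpn -i wg0 --src 10.0.0.2 -j ACCEPT
  iptables -A vpn -i wg0 --src 10.0.0.3 -j ACCEPT
  iptables -A vpn -i wg0 --src 10.0.0.4 -j ACCEPT
  iptables -A vpn -j DROP # drop everyone else
  # add the INPUT jump only once, so repeated runs do not stack duplicates
  iptables -C INPUT -m tcp -p tcp --dport 22 -j vpn 2>/dev/null \
    || iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
'';
extraStopCommands = ''
  # remove the jump first; a chain still referenced from INPUT cannot be deleted
  iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn 2>/dev/null || true
  iptables -F vpn 2>/dev/null || true
  iptables -X vpn 2>/dev/null || true
'';
```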