firewall module

Ivan Kirilov Dimitrov 2024-08-05 18:54:30 +02:00
parent 9ee0b504b1
commit 0b8e88f09d
No known key found for this signature in database
GPG Key ID: 0BDAD4B211C49294
3 changed files with 34 additions and 33 deletions


@ -6,38 +6,6 @@
options = [ "nofail" ]; options = [ "nofail" ];
}; };
networking = {
firewall = pkgs.lib.mkForce {
enable = true;
allowedTCPPorts = [
25 # smtp
465 # smtps
80 # http
443 # https
];
allowedUDPPorts = [
25
465
80
443
51820 # wireguard
];
extraCommands = ''
iptables -N vpn # create a new chain named vpn
iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
iptables -A vpn -j DROP # drop everyone else
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
'';
extraStopCommands = ''
iptables -F vpn
iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
iptables -X vpn
'';
};
};
users = { users = {
users.ivand = { users.ivand = {
isNormalUser = true; isNormalUser = true;


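--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -22,7 +22,7 @@ in
 nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
 nova-ai = novaConfig (with mods; [ ivand ai ]);
 install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
-vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns ]); };
+vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall ]); };
 stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
 };
 }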


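--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -484,5 +484,38 @@ top@{ inputs, moduleWithSystem, ... }: {
 };
 };
 });
+firewall = moduleWithSystem (toplevel@{ ... }: perSystem@{ lib, ... }: {
+networking = {
+firewall = lib.mkForce {
+enable = true;
+allowedTCPPorts = [
+25 # smtp
+465 # smtps
+80 # http
+443 # https
+];
+allowedUDPPorts = [
+25
+465
+80
+443
+51820 # wireguard
+];
+extraCommands = ''
+iptables -N vpn # create a new chain named vpn
+iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
+iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
+iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
+iptables -A vpn -j DROP # drop everyone else
+iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
+'';
+extraStopCommands = ''
+iptables -F vpn
+iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
+iptables -X vpn
+'';
+};
+};
+});
 };
 }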
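Review bot: `allowedUDPPorts` in the new firewall module opens UDP 25, 465, 80 and 443 next to the TCP list, but SMTP, SMTPS and HTTP are TCP services, so those four UDP openings widen the exposed surface without serving anything; only 51820 (and 443 if HTTP/3 is actually served) appears warranted, i.e. `allowedUDPPorts = [ 51820 # wireguard ];`. Because the whole attrset is wrapped in `lib.mkForce`, that priority is presumably pushed down onto `allowedTCPPorts`, so ports opened by other modules on this host (for example via their openFirewall options) are silently discarded — worth confirming this is intended and recording it with a comment such as `# mkForce: this module is the only source of truth for open ports`. The `extraCommands`/`extraStopCommands` use plain `iptables`, which affects IPv4 only, so on a host with an IPv6 address SSH over IPv6 is governed solely by the forced TCP list that omits 22; fine if deliberate, but a one-line comment would prevent a later reader from assuming the vpn chain covers both families. `iptables -N vpn` will fail if the chain already exists when the commands are re-run; the customary guard is `iptables -N vpn 2>/dev/null || iptables -F vpn`.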