firewall module
This commit is contained in:
parent
9ee0b504b1
commit
0b8e88f09d
@ -6,38 +6,6 @@
|
||||
options = [ "nofail" ];
|
||||
};
|
||||
|
||||
networking = {
|
||||
firewall = pkgs.lib.mkForce {
|
||||
enable = true;
|
||||
allowedTCPPorts = [
|
||||
25 # smtp
|
||||
465 # smtps
|
||||
80 # http
|
||||
443 # https
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
25
|
||||
465
|
||||
80
|
||||
443
|
||||
51820 # wireguard
|
||||
];
|
||||
extraCommands = ''
|
||||
iptables -N vpn # create a new chain named vpn
|
||||
iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
|
||||
iptables -A vpn -j DROP # drop everyone else
|
||||
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -F vpn
|
||||
iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
|
||||
iptables -X vpn
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
users = {
|
||||
users.ivand = {
|
||||
isNormalUser = true;
|
||||
|
@ -22,7 +22,7 @@ in
|
||||
nova-nonya = novaConfig (with mods; [ ivand anon cryptocurrency ]);
|
||||
nova-ai = novaConfig (with mods; [ ivand ai ]);
|
||||
install-iso = configWithModules { modules = (with mods; [ grub base shell wireless ]); };
|
||||
vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns ]); };
|
||||
vps = configWithModules { modules = (with mods; [ base shell security vps mailserver nginx wireguard-output anonymous-dns firewall ]); };
|
||||
stara-miner = configWithModules { modules = (essential ++ [ mods.monero-miner ]); };
|
||||
};
|
||||
}
|
||||
|
@ -484,5 +484,38 @@ top@{ inputs, moduleWithSystem, ... }: {
|
||||
};
|
||||
};
|
||||
});
|
||||
firewall = moduleWithSystem (toplevel@{ ... }: perSystem@{ lib, ... }: {
|
||||
networking = {
|
||||
firewall = lib.mkForce {
|
||||
enable = true;
|
||||
allowedTCPPorts = [
|
||||
25 # smtp
|
||||
465 # smtps
|
||||
80 # http
|
||||
443 # https
|
||||
];
|
||||
allowedUDPPorts = [
|
||||
25
|
||||
465
|
||||
80
|
||||
443
|
||||
51820 # wireguard
|
||||
];
|
||||
extraCommands = ''
|
||||
iptables -N vpn # create a new chain named vpn
|
||||
iptables -A vpn --src 10.0.0.2 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.0.0.3 -j ACCEPT # allow
|
||||
iptables -A vpn --src 10.0.0.4 -j ACCEPT # allow
|
||||
iptables -A vpn -j DROP # drop everyone else
|
||||
iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
|
||||
'';
|
||||
extraStopCommands = ''
|
||||
iptables -F vpn
|
||||
iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
|
||||
iptables -X vpn
|
||||
'';
|
||||
};
|
||||
};
|
||||
});
|
||||
};
|
||||
}
|
||||
|
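Review bot: `networking.firewall = lib.mkForce { … }` at the top of the new firewall module forces every firewall option it defines, so the `allowedTCPPorts`/`allowedUDPPorts` definitions contributed by the other modules this host composes (the vps, mailserver, nginx and wireguard-output modules listed in the same commit, and `services.openssh.openFirewall` if it is enabled) are silently overridden rather than merged; unless that is intended, use `firewall = {` and apply `lib.mkForce` only to the specific options that must win, and state the intent in a comment such as `# mkForce: this module is the single source of truth for the firewall; port definitions from other modules are dropped`. The `allowedUDPPorts` list also opens 25, 465, 80 and 443 over UDP, which the SMTP/HTTP services presumably never listen on (443/UDP only matters for HTTP/3), so `allowedUDPPorts = [ 51820 ];` would shrink the exposed surface without losing anything visible here. The `vpn` chain admits by source address alone, so adding the WireGuard interface to the match (`-i <wg-interface>`, placeholder) would keep a spoofed 10.0.0.x source arriving on another interface from reaching port 22; rp_filter may already cover this, but it is not visible in this change. Finally, `extraStopCommands` runs `-F`/`-D`/`-X` unconditionally and NixOS also runs it when the firewall service enters a failed state, so appending `2>/dev/null || true` to those three lines keeps a stop after a failed start from erroring.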