secure ports

2024-07-21 20:48:00 +02:00 · 2024-07-21 20:48:00 +02:00 · 38d6e23676
commit 38d6e23676
parent 8b2e95e857
2 changed files with 27 additions and 12 deletions
--- a/mailserver/configuration.nix
+++ b/mailserver/configuration.nix
@ -23,10 +23,34 @@
  };

  networking = {
-    firewall = {
+    firewall = pkgs.lib.mkForce {
      enable = true;
-      allowedTCPPorts = [ 53 80 443 18081 ];
-      allowedUDPPorts = [ 53 51820 18081 ];
+      allowedTCPPorts = [
+        25 # smtp
+        465 # smtps
+        80 # http
+        443 # https
+      ];
+      allowedUDPPorts = [
+        25
+        465
+        80
+        443
+        51820 # wireguard
+      ];
+      extraCommands = ''
+        iptables -N vpn  # create a new chain named vpn
+        iptables -A vpn --src 10.0.0.2 -j ACCEPT  # allow
+        iptables -A vpn --src 10.0.0.3 -j ACCEPT  # allow
+        iptables -A vpn --src 10.0.0.4 -j ACCEPT  # allow
+        iptables -A vpn -j DROP  # drop everyone else
+        iptables -I INPUT -m tcp -p tcp --dport 22 -j vpn
+      '';
+      extraStopCommands = ''
+        iptables -F vpn
+        iptables -D INPUT -m tcp -p tcp --dport 22 -j vpn
+        iptables -X vpn
+      '';
    };
    stevenBlackHosts = {
      enable = true;
--- a/mailserver/tor/default.nix
+++ b/mailserver/tor/default.nix
@ -15,15 +15,6 @@
            };
          }];
        };
-        monero = {
-          map = [{
-            port = 18081;
-            target = {
-              addr = "127.0.0.1";
-              port = 18081;
-            };
-          }];
-        };
      };
    };
  };