author | tv <tv@krebsco.de> | 2015-06-22 15:24:09 +0200 |
---|---|---|
committer | tv <tv@krebsco.de> | 2015-06-22 15:24:09 +0200 |
commit | d80f9c1f7efa219f45058771d2ae319b6bfaf7a2 (patch) | |
tree | 273daca78a42d1f8d8ef4bd5ef6ea33598bfc618 /modules/mkdir | |
parent | e289825b3c658f5310901a6ef6434c17e0122b47 (diff) |
tv: modularize iptables configuration
Diffstat (limited to 'modules/mkdir')
-rw-r--r-- | modules/mkdir/default.nix | 17 | ||||
-rw-r--r-- | modules/mkdir/iptables.nix | 76 |
2 files changed, 16 insertions, 77 deletions
diff --git a/modules/mkdir/default.nix b/modules/mkdir/default.nix index d525797..9dc426d 100644 --- a/modules/mkdir/default.nix +++ b/modules/mkdir/default.nix @@ -8,7 +8,6 @@ in imports = [ <secrets/hashedPasswords.nix> - ./iptables.nix ./networking.nix ./users.nix ../common/nixpkgs.nix @@ -18,6 +17,22 @@ in ../tv/git/public.nix ../tv/retiolum.nix ../tv/sanitize.nix + { + imports = [ ../tv/iptables ]; + tv.iptables = { + enable = true; + input-internet-accept-new-tcp = [ + "ssh" + "tinc" + "smtp" + "xmpp-client" + "xmpp-server" + ]; + input-retiolum-accept-new-tcp = [ + "http" + ]; + }; + } ]; nix.maxJobs = 1; diff --git a/modules/mkdir/iptables.nix b/modules/mkdir/iptables.nix deleted file mode 100644 index 950aa84..0000000 --- a/modules/mkdir/iptables.nix +++ /dev/null 
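Review bot: The new `tv.iptables` block in the second hunk only expresses the two accept-NEW TCP port lists, but the removed modules/mkdir/iptables.nix also carried NAT PREROUTING rules (the ssh REDIRECT rules, including the 11423 to ssh redirect), the Retiolum chain's ICMP/ICMPv6 echo-request accept and its REJECT-with-tcp-reset / port-unreachable semantics, the `ipXtables -vL` kernel guard, and `networking.firewall.enable = false;`. Nothing on this page shows whether `../tv/iptables` reproduces any of that, so the commit may change the host's reachable ports and reject behaviour beyond the port-list refactor it describes; if those rules are dropped on purpose, the commit message should say so. The port lists themselves match the old INPUT and Retiolum rules (ssh, tinc, smtp, xmpp-client, xmpp-server on the internet side; http on retiolum), which is good. A one-line comment above `tv.iptables = {` pointing the reader at where the NAT and ICMP policy now lives, e.g. `# firewall policy (incl. NAT/ICMP) is defined by ../tv/iptables`, would help whoever next audits this host; the diff text here is collapsed, so the hunk's indentation cannot be checked on this page.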
@@ -1,76 +0,0 @@ -{ config, pkgs, ... }: - -{ - # - # iptables - # - networking.firewall.enable = false; - system.activationScripts.iptables = - let - log = false; - when = c: f: if c then f else ""; - in - '' - ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; } - ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; } - ipXtables() { ip4tables "$@" && ip6tables "$@"; } - - # XXX This fails with the original CAC CentOS 7 kernel. - if ipXtables -vL >/dev/null; then - - # - # nat - # - - # reset tables - ipXtables -t nat -F - ipXtables -t nat -X - - # - ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0 - ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh - - # - # filter - # - - # reset tables - ipXtables -P INPUT DROP - ipXtables -P FORWARD DROP - ipXtables -F - ipXtables -X - - # create custom chains - ipXtables -N Retiolum - - # INPUT - ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED - ipXtables -A INPUT -j ACCEPT -i lo - ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW - #ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW - ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW - - ipXtables -A INPUT -j Retiolum -i retiolum - ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"} - - # FORWARD - ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"} - - # Retiolum - ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request - ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request - - ipXtables -A Retiolum -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW - - 
${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"} - ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset - ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable - ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable - ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable - ip6tables -A Retiolum -j REJECT - fi - ''; -} |