summaryrefslogtreecommitdiffstats
path: root/modules/mkdir
diff options
context:
space:
mode:
authortv <tv@krebsco.de>2015-06-22 15:24:09 +0200
committertv <tv@krebsco.de>2015-06-22 15:24:09 +0200
commitd80f9c1f7efa219f45058771d2ae319b6bfaf7a2 (patch)
tree273daca78a42d1f8d8ef4bd5ef6ea33598bfc618 /modules/mkdir
parente289825b3c658f5310901a6ef6434c17e0122b47 (diff)
tv: modularize iptables configuration
Diffstat (limited to 'modules/mkdir')
-rw-r--r--modules/mkdir/default.nix17
-rw-r--r--modules/mkdir/iptables.nix76
2 files changed, 16 insertions, 77 deletions
diff --git a/modules/mkdir/default.nix b/modules/mkdir/default.nix
index d525797..9dc426d 100644
--- a/modules/mkdir/default.nix
+++ b/modules/mkdir/default.nix
@@ -8,7 +8,6 @@ in
imports =
[
<secrets/hashedPasswords.nix>
- ./iptables.nix
./networking.nix
./users.nix
../common/nixpkgs.nix
@@ -18,6 +17,22 @@ in
../tv/git/public.nix
../tv/retiolum.nix
../tv/sanitize.nix
+ {
+ imports = [ ../tv/iptables ];
+ tv.iptables = {
+ enable = true;
+ input-internet-accept-new-tcp = [
+ "ssh"
+ "tinc"
+ "smtp"
+ "xmpp-client"
+ "xmpp-server"
+ ];
+ input-retiolum-accept-new-tcp = [
+ "http"
+ ];
+ };
+ }
];
nix.maxJobs = 1;
diff --git a/modules/mkdir/iptables.nix b/modules/mkdir/iptables.nix
deleted file mode 100644
index 950aa84..0000000
--- a/modules/mkdir/iptables.nix
+++ /dev/null
@@ -1,76 +0,0 @@
-{ config, pkgs, ... }:
-
-{
- #
- # iptables
- #
- networking.firewall.enable = false;
- system.activationScripts.iptables =
- let
- log = false;
- when = c: f: if c then f else "";
- in
- ''
- ip4tables() { ${pkgs.iptables}/sbin/iptables "$@"; }
- ip6tables() { ${pkgs.iptables}/sbin/ip6tables "$@"; }
- ipXtables() { ip4tables "$@" && ip6tables "$@"; }
-
- # XXX This fails with the original CAC CentOS 7 kernel.
- if ipXtables -vL >/dev/null; then
-
- #
- # nat
- #
-
- # reset tables
- ipXtables -t nat -F
- ipXtables -t nat -X
-
- #
- ipXtables -t nat -A PREROUTING -j REDIRECT ! -i retiolum -p tcp --dport ssh --to-ports 0
- ipXtables -t nat -A PREROUTING -j REDIRECT -p tcp --dport 11423 --to-ports ssh
-
- #
- # filter
- #
-
- # reset tables
- ipXtables -P INPUT DROP
- ipXtables -P FORWARD DROP
- ipXtables -F
- ipXtables -X
-
- # create custom chains
- ipXtables -N Retiolum
-
- # INPUT
- ipXtables -A INPUT -j ACCEPT -m conntrack --ctstate RELATED,ESTABLISHED
- ipXtables -A INPUT -j ACCEPT -i lo
- ipXtables -A INPUT -j ACCEPT -p tcp --dport ssh -m conntrack --ctstate NEW
- #ipXtables -A INPUT -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
- ipXtables -A INPUT -j ACCEPT -p tcp --dport tinc -m conntrack --ctstate NEW
- ipXtables -A INPUT -j ACCEPT -p tcp --dport smtp -m conntrack --ctstate NEW
- ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-client -m conntrack --ctstate NEW
- ipXtables -A INPUT -j ACCEPT -p tcp --dport xmpp-server -m conntrack --ctstate NEW
-
- ipXtables -A INPUT -j Retiolum -i retiolum
- ${when log "ipXtables -A INPUT -j LOG --log-level info --log-prefix 'INPUT DROP '"}
-
- # FORWARD
- ${when log "ipXtables -A FORWARD -j LOG --log-level info --log-prefix 'FORWARD DROP '"}
-
- # Retiolum
- ip4tables -A Retiolum -j ACCEPT -p icmp --icmp-type echo-request
- ip6tables -A Retiolum -j ACCEPT -p ipv6-icmp -m icmp6 --icmpv6-type echo-request
-
- ipXtables -A Retiolum -j ACCEPT -p tcp --dport http -m conntrack --ctstate NEW
-
- ${when log "ipXtables -A Retiolum -j LOG --log-level info --log-prefix 'REJECT '"}
- ipXtables -A Retiolum -j REJECT -p tcp --reject-with tcp-reset
- ip4tables -A Retiolum -j REJECT -p udp --reject-with icmp-port-unreachable
- ip4tables -A Retiolum -j REJECT --reject-with icmp-proto-unreachable
- ip6tables -A Retiolum -j REJECT -p udp --reject-with icmp6-port-unreachable
- ip6tables -A Retiolum -j REJECT
- fi
- '';
-}