author | tv <tv@shackspace.de> | 2015-07-11 19:44:12 +0200 |
---|---|---|
committer | tv <tv@shackspace.de> | 2015-07-11 19:44:12 +0200 |
commit | 2bc5c58d85990e483af8fde57ed5f2442351b69c (patch) | |
tree | 94cd29e6a98f1ce6228104055d0550e318242290 /modules/tv/iptables | |
parent | c5fcda1390afaba71133b2ee6ac1ddd0f559ef8c (diff) |
move old stuff
Diffstat (limited to 'modules/tv/iptables')
-rw-r--r-- | modules/tv/iptables/config.nix | 93 | ||||
-rw-r--r-- | modules/tv/iptables/default.nix | 11 | ||||
-rw-r--r-- | modules/tv/iptables/options.nix | 29 |
3 files changed, 0 insertions, 133 deletions
diff --git a/modules/tv/iptables/config.nix b/modules/tv/iptables/config.nix
deleted file mode 100644
index a525cfa5d..000000000
--- a/modules/tv/iptables/config.nix
+++ /dev/null
@@ -1,93 +0,0 @@
-{ cfg, lib, pkgs, ... }:
-
-let
-inherit (pkgs) writeScript writeText;
-inherit (lib) concatMapStringsSep;
-
-accept-new-tcp = port:
-"-p tcp -m tcp --dport ${port} -m conntrack --ctstate NEW -j ACCEPT";
-
-rules = iptables-version:
-writeText "tv-iptables-rules${toString iptables-version}" ''
-*nat
-:PREROUTING ACCEPT [0:0]
-:INPUT ACCEPT [0:0]
-:OUTPUT ACCEPT [0:0]
-:POSTROUTING ACCEPT [0:0]
-${concatMapStringsSep "\n" (rule: "-A PREROUTING ${rule}") ([]
-++ [
-"! -i retiolum -p tcp -m tcp --dport 22 -j REDIRECT --to-ports 0"
-"-p tcp -m tcp --dport 11423 -j REDIRECT --to-ports 22"
-]
-)}
-COMMIT
-*filter
-:INPUT DROP [0:0]
-:FORWARD DROP [0:0]
-:OUTPUT ACCEPT [0:0]
-:Retiolum - [0:0]
-${concatMapStringsSep "\n" (rule: "-A INPUT ${rule}") ([]
-++ [
-"-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
-"-i lo -j ACCEPT"
-]
-++ map accept-new-tcp cfg.input-internet-accept-new-tcp
-++ ["-i retiolum -j Retiolum"]
-)}
-${concatMapStringsSep "\n" (rule: "-A Retiolum ${rule}") ([]
-++ {
-ip4tables = [
-"-p icmp -m icmp --icmp-type echo-request -j ACCEPT"
-];
-ip6tables = [
-"-p ipv6-icmp -m icmp6 --icmpv6-type echo-request -j ACCEPT"
-];
-}."ip${toString iptables-version}tables"
-++ map accept-new-tcp cfg.input-retiolum-accept-new-tcp
-++ {
-ip4tables = [
-"-p tcp -j REJECT --reject-with tcp-reset"
-"-p udp -j REJECT --reject-with icmp-port-unreachable"
-"-j REJECT --reject-with icmp-proto-unreachable"
-];
-ip6tables = [
-"-p tcp -j REJECT --reject-with tcp-reset"
-"-p udp -j REJECT --reject-with icmp6-port-unreachable"
-"-j REJECT"
-];
-}."ip${toString iptables-version}tables"
-)}
-COMMIT
-'';
-
-startScript = writeScript "tv-iptables_start" ''
-#! /bin/sh
-set -euf
-iptables-restore < ${rules 4}
-ip6tables-restore < ${rules 6}
-'';
-in
-
-{
-networking.firewall.enable = false;
-
-systemd.services.tv-iptables = {
-description = "tv-iptables";
-wantedBy = [ "network-pre.target" ];
-before = [ "network-pre.target" ];
-after = [ "systemd-modules-load.service" ];
-
-path = with pkgs; [
-iptables
-];
-
-restartIfChanged = true;
-
-serviceConfig = {
-Type = "simple";
-RemainAfterExit = true;
-Restart = "always";
-ExecStart = "@${startScript} tv-iptables_start";
-};
-};
-}
diff --git a/modules/tv/iptables/default.nix b/modules/tv/iptables/default.nix
deleted file mode 100644
index cf27a26ac..000000000
--- a/modules/tv/iptables/default.nix
+++ /dev/null
@@ -1,11 +0,0 @@
-arg@{ config, lib, pkgs, ... }:
-
-let
-cfg = config.tv.iptables;
-arg' = arg // { inherit cfg; };
-in
-
-{
-options.tv.iptables = import ./options.nix arg';
-config = lib.mkIf cfg.enable (import ./config.nix arg');
-}
diff --git a/modules/tv/iptables/options.nix b/modules/tv/iptables/options.nix
deleted file mode 100644
index 1adffebdb..000000000
--- a/modules/tv/iptables/options.nix
+++ /dev/null
@@ -1,29 +0,0 @@
-{ lib, ... }:
-
-let
-inherit (lib) mkOption types;
-in
-
-{
-enable = mkOption {
-type = types.bool;
-default = false;
-description = "Enable iptables.";
-};
-
-input-internet-accept-new-tcp = mkOption {
-type = with types; listOf str;
-default = [];
-description = ''
-TCP ports, accepting incoming connections from anywhere.
-'';
-};
-
-input-retiolum-accept-new-tcp = mkOption {
-type = with types; listOf str;
-default = [];
-description = ''
-TCP ports, accepting incoming connections from Retiolum.
-'';
-};
-}